Add comprehensive tests for default role assignment
parent
3b5b5044fb
commit
21b63cbe86
2 changed files with 301 additions and 0 deletions
|
|
@ -121,4 +121,136 @@ defmodule Mv.SeedsTest do
|
|||
assert :suspended in all_cycle_statuses, "At least one cycle should be suspended"
|
||||
end
|
||||
end
|
||||
|
||||
describe "Authorization roles (from seeds)" do
|
||||
test "creates all 5 authorization roles with correct permission sets" do
|
||||
# Run seeds once for this test
|
||||
Code.eval_file("priv/repo/seeds.exs")
|
||||
{:ok, roles} = Ash.read(Mv.Authorization.Role)
|
||||
|
||||
assert length(roles) >= 5, "Should have at least 5 roles"
|
||||
|
||||
# Check each role
|
||||
role_configs = [
|
||||
{"Mitglied", "own_data", true},
|
||||
{"Vorstand", "read_only", false},
|
||||
{"Kassenwart", "normal_user", false},
|
||||
{"Buchhaltung", "read_only", false},
|
||||
{"Admin", "admin", false}
|
||||
]
|
||||
|
||||
Enum.each(role_configs, fn {name, perm_set, is_system} ->
|
||||
role = Enum.find(roles, &(&1.name == name))
|
||||
assert role, "Role #{name} should exist"
|
||||
assert role.permission_set_name == perm_set
|
||||
assert role.is_system_role == is_system
|
||||
end)
|
||||
end
|
||||
|
||||
test "Mitglied role is marked as system role" do
|
||||
Code.eval_file("priv/repo/seeds.exs")
|
||||
|
||||
{:ok, mitglied} =
|
||||
Mv.Authorization.Role
|
||||
|> Ash.Query.filter(name == "Mitglied")
|
||||
|> Ash.read_one()
|
||||
|
||||
assert mitglied.is_system_role == true
|
||||
end
|
||||
|
||||
test "all roles have valid permission_set_names" do
|
||||
Code.eval_file("priv/repo/seeds.exs")
|
||||
|
||||
{:ok, roles} = Ash.read(Mv.Authorization.Role)
|
||||
|
||||
valid_sets =
|
||||
Mv.Authorization.PermissionSets.all_permission_sets()
|
||||
|> Enum.map(&Atom.to_string/1)
|
||||
|
||||
Enum.each(roles, fn role ->
|
||||
assert role.permission_set_name in valid_sets,
|
||||
"Role #{role.name} has invalid permission_set_name: #{role.permission_set_name}"
|
||||
end)
|
||||
end
|
||||
|
||||
test "assigns Admin role to ADMIN_EMAIL user" do
|
||||
Code.eval_file("priv/repo/seeds.exs")
|
||||
|
||||
admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
|
||||
|
||||
{:ok, admin_user} =
|
||||
Mv.Accounts.User
|
||||
|> Ash.Query.filter(email == ^admin_email)
|
||||
|> Ash.read_one(domain: Mv.Accounts, authorize?: false)
|
||||
|
||||
assert admin_user != nil, "Admin user should exist after seeds run"
|
||||
|
||||
{:ok, admin_user_with_role} =
|
||||
Ash.load(admin_user, :role, domain: Mv.Accounts, authorize?: false)
|
||||
|
||||
assert admin_user_with_role.role != nil, "Admin user should have a role assigned"
|
||||
assert admin_user_with_role.role.name == "Admin"
|
||||
assert admin_user_with_role.role.permission_set_name == "admin"
|
||||
end
|
||||
end
|
||||
|
||||
describe "Authorization role assignment" do
|
||||
test "does not change role of users who already have a role" do
|
||||
# Seeds once (creates Admin with Admin role)
|
||||
Code.eval_file("priv/repo/seeds.exs")
|
||||
|
||||
admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
|
||||
|
||||
{:ok, admin_user} =
|
||||
Mv.Accounts.User
|
||||
|> Ash.Query.filter(email == ^admin_email)
|
||||
|> Ash.read_one(domain: Mv.Accounts, authorize?: false)
|
||||
|
||||
assert admin_user != nil, "Admin user should exist after seeds run"
|
||||
|
||||
{:ok, admin_user_with_role} =
|
||||
Ash.load(admin_user, :role, domain: Mv.Accounts, authorize?: false)
|
||||
|
||||
assert admin_user_with_role.role != nil, "Admin user should have a role assigned"
|
||||
original_role_id = admin_user_with_role.role_id
|
||||
assert admin_user_with_role.role.name == "Admin"
|
||||
|
||||
# Seeds again
|
||||
Code.eval_file("priv/repo/seeds.exs")
|
||||
|
||||
# Admin reloaded
|
||||
{:ok, admin_reloaded} =
|
||||
Mv.Accounts.User
|
||||
|> Ash.Query.filter(email == ^admin_email)
|
||||
|> Ash.read_one(domain: Mv.Accounts, authorize?: false)
|
||||
|
||||
assert admin_reloaded != nil, "Admin user should still exist after re-running seeds"
|
||||
|
||||
{:ok, admin_reloaded_with_role} =
|
||||
Ash.load(admin_reloaded, :role, domain: Mv.Accounts, authorize?: false)
|
||||
|
||||
assert admin_reloaded_with_role.role != nil,
|
||||
"Admin user should still have a role after re-running seeds"
|
||||
|
||||
assert admin_reloaded_with_role.role_id == original_role_id
|
||||
assert admin_reloaded_with_role.role.name == "Admin"
|
||||
end
|
||||
|
||||
test "role creation is idempotent" do
|
||||
Code.eval_file("priv/repo/seeds.exs")
|
||||
{:ok, roles_1} = Ash.read(Mv.Authorization.Role)
|
||||
|
||||
Code.eval_file("priv/repo/seeds.exs")
|
||||
{:ok, roles_2} = Ash.read(Mv.Authorization.Role)
|
||||
|
||||
assert length(roles_1) == length(roles_2),
|
||||
"Role count should remain same after re-running seeds"
|
||||
|
||||
# Each role should appear exactly once
|
||||
role_names = Enum.map(roles_2, & &1.name)
|
||||
|
||||
assert length(role_names) == length(Enum.uniq(role_names)),
|
||||
"Each role name should appear exactly once"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
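Review bot: The test "does not change role of users who already have a role" cannot fail for the behaviour its name describes. The only user it inspects is the ADMIN_EMAIL user, which the seeds themselves give the Admin role (see the comment `# Seeds once (creates Admin with Admin role)`). If the seeds script overwrote existing role assignments on every run, it would presumably still leave `admin_reloaded_with_role.role_id == original_role_id`, so a regression that resets or elevates roles on re-seed would pass unnoticed. Add a case that gives a second, non-admin user a non-default role such as "Vorstand", runs `Code.eval_file("priv/repo/seeds.exs")` again, and asserts that user's `role_id` is unchanged. Separately, "all roles have valid permission_set_names" passes vacuously when `Ash.read(Mv.Authorization.Role)` returns an empty list; adding `assert roles != [], "seeds should create roles"` before the `Enum.each` closes that gap.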