local-it/mitgliederverwaltung
2
3
Fork 0
Code Issues 66 Pull requests 6 Projects 3 Releases Packages 1 Activity Actions

fix: failing test due to merge
Some checks failed
continuous-integration/drone/push Build is failing
Details
continuous-integration/drone/promote/production Build is passing
Details

Browse source
This commit is contained in:
Simon 2026-02-03 16:30:59 +01:00
parent 03f27a5938
commit e4671e816b
Signed by: simon
GPG key ID: 40E7A58C4AA1EDB2
3 changed files with 37 additions and 7 deletions
Download patch file Download diff file Expand all files Collapse all files

11
test/mv_web/live/group_live/show_add_remove_members_test.exs
View file

@ -12,6 +12,13 @@ defmodule MvWeb.GroupLive.ShowAddRemoveMembersTest do
alias Mv.Fixtures alias Mv.Fixtures
describe "Add Member button visibility" do describe "Add Member button visibility" do
@tag role: :read_only
test "read_only user can access group show page (page permission)", %{conn: conn} do
group = Fixtures.group_fixture()
conn = get(conn, "/groups/#{group.slug}")
assert conn.status == 200
end
test "Add Member button is visible for users with :update permission", %{conn: conn} do test "Add Member button is visible for users with :update permission", %{conn: conn} do
group = Fixtures.group_fixture() group = Fixtures.group_fixture()
@ -20,7 +27,7 @@ defmodule MvWeb.GroupLive.ShowAddRemoveMembersTest do
assert html =~ gettext("Add Member") or html =~ "Add Member" assert html =~ gettext("Add Member") or html =~ "Add Member"
end end
@tag role: :member @tag role: :read_only
test "Add Member button is NOT visible for users without :update permission", %{conn: conn} do test "Add Member button is NOT visible for users without :update permission", %{conn: conn} do
group = Fixtures.group_fixture() group = Fixtures.group_fixture()
@ -61,7 +68,7 @@ defmodule MvWeb.GroupLive.ShowAddRemoveMembersTest do
html =~ ~r/hero-trash|hero-x-mark/ html =~ ~r/hero-trash|hero-x-mark/
end end
@tag role: :member @tag role: :read_only
test "Remove button is NOT visible for users without :update permission", %{conn: conn} do test "Remove button is NOT visible for users without :update permission", %{conn: conn} do
group = Fixtures.group_fixture() group = Fixtures.group_fixture()
member = Fixtures.member_fixture(%{first_name: "Bob", last_name: "Jones"}) member = Fixtures.member_fixture(%{first_name: "Bob", last_name: "Jones"})

32
test/mv_web/live/group_live/show_authorization_test.exs
View file

@ -56,7 +56,7 @@ defmodule MvWeb.GroupLive.ShowAuthorizationTest do
assert html =~ "Alice" assert html =~ "Alice"
end end
@tag role: :member @tag role: :read_only
test "unauthorized user cannot add member (server-side check)", %{conn: conn} do test "unauthorized user cannot add member (server-side check)", %{conn: conn} do
system_actor = Mv.Helpers.SystemActor.get_system_actor() system_actor = Mv.Helpers.SystemActor.get_system_actor()
group = Fixtures.group_fixture() group = Fixtures.group_fixture()
@ -113,7 +113,7 @@ defmodule MvWeb.GroupLive.ShowAuthorizationTest do
refute html =~ "Charlie" refute html =~ "Charlie"
end end
@tag role: :member @tag role: :read_only
test "unauthorized user cannot remove member (server-side check)", %{conn: conn} do test "unauthorized user cannot remove member (server-side check)", %{conn: conn} do
system_actor = Mv.Helpers.SystemActor.get_system_actor() system_actor = Mv.Helpers.SystemActor.get_system_actor()
group = Fixtures.group_fixture() group = Fixtures.group_fixture()
@ -180,7 +180,7 @@ defmodule MvWeb.GroupLive.ShowAuthorizationTest do
assert html =~ "Add Member" || html =~ "Remove" assert html =~ "Add Member" || html =~ "Remove"
end end
@tag role: :member @tag role: :read_only
test "Add Member button is hidden for read-only users", %{conn: conn} do test "Add Member button is hidden for read-only users", %{conn: conn} do
_system_actor = Mv.Helpers.SystemActor.get_system_actor() _system_actor = Mv.Helpers.SystemActor.get_system_actor()
group = Fixtures.group_fixture() group = Fixtures.group_fixture()
@ -191,7 +191,7 @@ defmodule MvWeb.GroupLive.ShowAuthorizationTest do
refute html =~ "Add Member" refute html =~ "Add Member"
end end
@tag role: :member @tag role: :read_only
test "Remove button is hidden for read-only users", %{conn: conn} do test "Remove button is hidden for read-only users", %{conn: conn} do
system_actor = Mv.Helpers.SystemActor.get_system_actor() system_actor = Mv.Helpers.SystemActor.get_system_actor()
group = Fixtures.group_fixture() group = Fixtures.group_fixture()
@ -216,7 +216,7 @@ defmodule MvWeb.GroupLive.ShowAuthorizationTest do
refute html =~ "hero-trash" or html =~ ~r/<button[^>]*remove_member/ refute html =~ "hero-trash" or html =~ ~r/<button[^>]*remove_member/
end end
@tag role: :member @tag role: :read_only
test "modal cannot be opened for unauthorized users", %{conn: conn} do test "modal cannot be opened for unauthorized users", %{conn: conn} do
group = Fixtures.group_fixture() group = Fixtures.group_fixture()
@ -228,6 +228,28 @@ defmodule MvWeb.GroupLive.ShowAuthorizationTest do
end end
end end
describe "member (own_data) page access" do
# Members have no page permission for /groups or /groups/:slug; they are redirected.
# This tests that limited access for the member role is enforced.
@tag role: :member
test "member is redirected when accessing group show page", %{conn: conn} do
group = Fixtures.group_fixture()
result = live(conn, "/groups/#{group.slug}")
assert {:error, {:redirect, %{to: path, flash: %{"error" => _}}}} = result
assert path =~ ~r|^/users/[^/]+$|
end
@tag role: :member
test "member is redirected when accessing groups index", %{conn: conn} do
result = live(conn, "/groups")
assert {:error, {:redirect, %{to: path, flash: %{"error" => _}}}} = result
assert path =~ ~r|^/users/[^/]+$|
end
end
describe "security edge cases" do describe "security edge cases" do
test "slug injection attempts are prevented", %{conn: conn} do test "slug injection attempts are prevented", %{conn: conn} do
# Try to inject malicious content in slug # Try to inject malicious content in slug

1
test/support/conn_case.ex
View file

@ -178,6 +178,7 @@ defmodule MvWeb.ConnCase do
:read_only -> :read_only ->
# Vorstand/Buchhaltung: can read members, groups; cannot edit or access admin/settings # Vorstand/Buchhaltung: can read members, groups; cannot edit or access admin/settings
read_only_user = Mv.Fixtures.user_with_role_fixture("read_only") read_only_user = Mv.Fixtures.user_with_role_fixture("read_only")
read_only_user = Mv.Authorization.Actor.ensure_loaded(read_only_user)
authenticated_conn = conn_with_password_user(conn, read_only_user) authenticated_conn = conn_with_password_user(conn, read_only_user)
{authenticated_conn, read_only_user} {authenticated_conn, read_only_user}