Tests: read_only/normal_user /users/:id, Ash.read! actor, Authorization own/other

- Integration: read_only and normal_user GET /users/:id (own) and edit/show/edit return 200 - Integration: read_only GET /users/:id (other) redirects - Plug test: use group_fixture in setup instead of Ash.read!() without actor - Authorization: tests for own/other profile and reserved 'new'
2026-01-30 10:22:34 +01:00 · 2026-01-30 10:22:34 +01:00 · faee780aab
commit faee780aab
parent a1fe36b7f2
2 changed files with 106 additions and 6 deletions
--- a/test/mv_web/authorization_test.exs
+++ b/test/mv_web/authorization_test.exs
@ -183,6 +183,39 @@ defmodule MvWeb.AuthorizationTest do
      assert Authorization.can_access_page?(read_only_user, "/members/123/edit") == false
    end

+    test "read_only can access own profile /users/:id only" do
+      read_only_user = %{
+        id: "read-only-123",
+        role: %{permission_set_name: "read_only"}
+      }
+
+      assert Authorization.can_access_page?(read_only_user, "/users/read-only-123") == true
+      assert Authorization.can_access_page?(read_only_user, "/users/read-only-123/edit") == true
+      assert Authorization.can_access_page?(read_only_user, "/users/other-id") == false
+      assert Authorization.can_access_page?(read_only_user, "/users/other-id/edit") == false
+    end
+
+    test "normal_user can access own profile /users/:id only" do
+      normal_user = %{
+        id: "normal-456",
+        role: %{permission_set_name: "normal_user"}
+      }
+
+      assert Authorization.can_access_page?(normal_user, "/users/normal-456") == true
+      assert Authorization.can_access_page?(normal_user, "/users/normal-456/edit") == true
+      assert Authorization.can_access_page?(normal_user, "/users/other-id") == false
+    end
+
+    test "reserved segment 'new' is not matched by :id" do
+      read_only_user = %{
+        id: "read-only-123",
+        role: %{permission_set_name: "read_only"}
+      }
+
+      assert Authorization.can_access_page?(read_only_user, "/members/new") == false
+      assert Authorization.can_access_page?(read_only_user, "/groups/new") == false
+    end
+
    test "returns false for nil user" do
      assert Authorization.can_access_page?(nil, "/members") == false
      assert Authorization.can_access_page?(nil, "/admin/roles") == false