2026-05-10 09:46:07 +12:00
|
|
|
import { describe, expect, it } from 'vitest';
|
|
|
|
|
|
2026-06-03 00:17:12 +12:00
|
|
|
import { canAccessRoute, canOpenEditor, getDefaultRouteForRole, getWorkspaceRole } from './workspace-access';
|
2026-05-10 09:46:07 +12:00
|
|
|
|
|
|
|
|
describe('workspace access policy', () => {
|
|
|
|
|
const operationsSession = {
|
|
|
|
|
role: 'internal',
|
|
|
|
|
role_name: 'Operations',
|
|
|
|
|
permissions: ['view_mix_calculator', 'use_mix_calculator', 'save_mix_calculator_session'],
|
|
|
|
|
name: 'Ops User',
|
|
|
|
|
email: 'ops@example.com',
|
|
|
|
|
token: 'token'
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const adminSession = {
|
|
|
|
|
role: 'internal',
|
|
|
|
|
role_name: 'Admin',
|
|
|
|
|
permissions: ['view_dashboard', 'view_mix_calculator', 'use_mix_calculator'],
|
|
|
|
|
name: 'Admin User',
|
|
|
|
|
email: 'admin@example.com',
|
|
|
|
|
token: 'token'
|
|
|
|
|
};
|
|
|
|
|
|
2026-06-03 00:17:12 +12:00
|
|
|
const fullAccessSession = {
|
|
|
|
|
role: 'internal',
|
|
|
|
|
role_name: 'Full Access',
|
|
|
|
|
permissions: ['edit_products', 'edit_mixes'],
|
|
|
|
|
name: 'Full User',
|
|
|
|
|
email: 'full@example.com',
|
|
|
|
|
token: 'token'
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const leanSession = {
|
|
|
|
|
role: 'internal',
|
|
|
|
|
role_name: 'lean',
|
|
|
|
|
permissions: [
|
|
|
|
|
'view_dashboard',
|
|
|
|
|
'edit_products',
|
|
|
|
|
'edit_mixes',
|
|
|
|
|
'edit_scenarios',
|
|
|
|
|
'manage_client_access',
|
|
|
|
|
'view_settings'
|
|
|
|
|
],
|
|
|
|
|
module_permissions: {
|
|
|
|
|
dashboard: 'view',
|
|
|
|
|
products: 'edit',
|
|
|
|
|
mix_master: 'edit',
|
|
|
|
|
scenarios: 'edit',
|
|
|
|
|
client_access: 'manage'
|
|
|
|
|
},
|
|
|
|
|
name: 'Lean User',
|
|
|
|
|
email: 'lean@example.com',
|
|
|
|
|
token: 'token'
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const ownerSession = {
|
|
|
|
|
role: 'client',
|
|
|
|
|
client_role: 'superadmin',
|
|
|
|
|
module_permissions: {
|
|
|
|
|
products: 'edit',
|
|
|
|
|
mix_master: 'edit',
|
|
|
|
|
client_access: 'manage'
|
|
|
|
|
},
|
|
|
|
|
name: 'Owner User',
|
|
|
|
|
email: 'owner@example.com',
|
|
|
|
|
token: 'token'
|
|
|
|
|
};
|
|
|
|
|
|
2026-05-10 09:46:07 +12:00
|
|
|
it('classifies operations users and sends them to mix calculator by default', () => {
|
|
|
|
|
expect(getWorkspaceRole(operationsSession)).toBe('operations');
|
2026-05-31 20:19:44 +12:00
|
|
|
expect(getDefaultRouteForRole(operationsSession)).toBe('/mix-calculator');
|
2026-05-10 09:46:07 +12:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('prevents operations users from opening the dashboard route', () => {
|
|
|
|
|
expect(canAccessRoute(operationsSession, '/')).toBe(false);
|
|
|
|
|
expect(canAccessRoute(operationsSession, '/mix-calculator')).toBe(true);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('keeps dashboard access for admins', () => {
|
|
|
|
|
expect(getWorkspaceRole(adminSession)).toBe('admin');
|
|
|
|
|
expect(canAccessRoute(adminSession, '/')).toBe(true);
|
|
|
|
|
});
|
2026-06-03 00:17:12 +12:00
|
|
|
|
|
|
|
|
it('treats lean users as owner-level internal admins', () => {
|
|
|
|
|
expect(getWorkspaceRole(leanSession)).toBe('admin');
|
|
|
|
|
expect(canOpenEditor(leanSession)).toBe(true);
|
|
|
|
|
expect(canAccessRoute(leanSession, '/scenarios')).toBe(true);
|
|
|
|
|
expect(canAccessRoute(leanSession, '/client-access')).toBe(true);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('limits editor access to internal admin sessions', () => {
|
|
|
|
|
expect(canOpenEditor(adminSession)).toBe(true);
|
|
|
|
|
expect(canOpenEditor(ownerSession)).toBe(false);
|
|
|
|
|
expect(canOpenEditor(fullAccessSession)).toBe(false);
|
|
|
|
|
expect(canAccessRoute(ownerSession, '/editor')).toBe(false);
|
|
|
|
|
expect(canAccessRoute(fullAccessSession, '/editor')).toBe(false);
|
|
|
|
|
});
|
2026-05-10 09:46:07 +12:00
|
|
|
});
|
