v0.1.11 - Editor

2026-06-03 00:17:12 +12:00
parent f5a588d631
commit cf968e802b
23 changed files with 2165 additions and 655 deletions
@@ -11,6 +11,7 @@ from app.api.access import router as access_router
 from app.core.access import (
    INTERNAL_USER_SUBJECT,
    get_user_permissions,
+    permissions_to_module_map,
    require_all_permissions,
    require_any_permission,
    require_permission,
@@ -72,9 +73,17 @@ def test_admin_role_permissions_match_spec():
    assert granted == set(ROLE_DEFINITIONS["Admin"]["permissions"])
    assert "manage_users" in granted
    assert "manage_permissions" in granted
-    # Admin spec deliberately excludes edit_products / edit_mixes.
-    assert "edit_products" not in granted
-    assert "edit_mixes" not in granted
+    assert "edit_products" in granted
+    assert "edit_mixes" in granted
+    assert "view_scenarios" in granted
+    assert "edit_scenarios" in granted
+    assert "manage_client_access" in granted
+
+    modules = permissions_to_module_map(granted)
+    assert modules["products"] == "edit"
+    assert modules["mix_master"] == "edit"
+    assert modules["scenarios"] == "edit"
+    assert modules["client_access"] == "manage"


 def test_operations_role_is_mix_calculator_and_throughput_only():
@@ -108,6 +117,30 @@ def test_full_access_role_can_edit_operational_data_but_not_users():
    assert "manage_permissions" not in granted


+def test_lean_role_has_unrestricted_workspace_permissions():
+    db = _build_session()
+    seed_access(db)
+
+    lean_role = db.query(Role).filter_by(name="lean").one()
+    user = User(email="lean@example.com", name="Lean User", role_id=lean_role.id, is_active=True)
+    db.add(user)
+    db.flush()
+
+    granted = get_user_permissions(user)
+    assert granted == set(ROLE_DEFINITIONS["lean"]["permissions"])
+    assert {key for key, _ in PERMISSION_DEFINITIONS} == granted
+
+    modules = permissions_to_module_map(granted)
+    assert modules["dashboard"] == "view"
+    assert modules["raw_materials"] == "edit"
+    assert modules["mix_master"] == "edit"
+    assert modules["mix_calculator"] == "edit"
+    assert modules["products"] == "edit"
+    assert modules["operations_throughput"] == "edit"
+    assert modules["scenarios"] == "edit"
+    assert modules["client_access"] == "manage"
+
+
 def test_inactive_user_has_no_permissions():
    db = _build_session()
    seed_access(db)