Commit Graph

1 Commits

Author SHA1 Message Date
riyadhafraa 4470ceba5e Task #159: Block non-admin users from changing role permissions (tests)
## Original task
The existing role-permission tests cover the system-role guard,
unknown-permission 404, and the admin happy paths for
PUT/POST/DELETE /api/roles/:id/permissions, but they never
exercised the requireAdmin middleware with a real non-admin
session. A silent regression of requireAdmin on these routes
would let regular users edit role permissions undetected.

## What changed
Added a new test file:
  artifacts/api-server/tests/role-permissions-non-admin.test.mjs

It mirrors the style of role-permissions-assign.test.mjs:
- Creates an admin user (used only to seed a target role with
  two known permissions).
- Creates a regular user with no role assignments.
- For each of PUT, POST, and DELETE on
  /api/roles/:id/permissions, logs in as the regular user and
  asserts the response status is 403.
- After every rejected call, asserts the role's permission set
  in role_permissions is byte-for-byte unchanged.
- For POST it deliberately picks a permission the role does NOT
  already have, so any regression would change the row count.
- Cleans up created users, roles, role_permissions, and
  role_permission_audit rows in after().

## Verification
`pnpm --filter @workspace/api-server test` — all 192 tests pass,
including the 3 new ones.

## Deviations
None. Scope kept tight to the task description.

## Follow-up
Proposed #226: parallel non-admin 403 coverage for
POST/PATCH/DELETE /api/roles (CRUD), which today have no
non-admin rejection tests either.

Replit-Task-Id: 87446596-45f9-4241-acd6-299888b4feb4
2026-04-30 17:36:40 +00:00