Citali/cms.fellies.org
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test(mvp0): complete remaining i18n, RBAC, and CRUD coverage

Browse Source
This commit is contained in:
Citali
2026-02-11 12:06:27 +01:00
parent 8390689c8d
commit 3b130568e9
8 changed files with 238 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
packages/content/src/rbac.test.ts
View File

@@ -28,4 +28,31 @@ describe("rbac model", () => {
expect(permissionMatrix.editor.length).toBeGreaterThan(0)
expect(permissionMatrix.manager.length).toBeGreaterThan(0)
})
it("prevents privilege escalation for non-admin roles", () => {
expect(hasPermission("editor", "users:manage_roles", "global")).toBe(false)
expect(hasPermission("manager", "users:manage_roles", "global")).toBe(false)
expect(hasPermission("editor", "dashboard:read", "global")).toBe(true)
})
it("keeps role policy regressions visible for critical permissions", () => {
const criticalChecks: Array<{
role: "owner" | "support" | "admin" | "manager" | "editor"
permission: Parameters<typeof hasPermission>[1]
scope: Parameters<typeof hasPermission>[2]
allowed: boolean
}> = [
{ role: "owner", permission: "users:manage_roles", scope: "global", allowed: true },
{ role: "support", permission: "users:manage_roles", scope: "global", allowed: true },
{ role: "admin", permission: "banner:write", scope: "global", allowed: true },
{ role: "manager", permission: "users:write", scope: "global", allowed: false },
{ role: "manager", permission: "users:write", scope: "team", allowed: true },
{ role: "editor", permission: "news:publish", scope: "team", allowed: false },
{ role: "editor", permission: "news:publish", scope: "own", allowed: true },
]
for (const check of criticalChecks) {
expect(hasPermission(check.role, check.permission, check.scope)).toBe(check.allowed)
}
})
})