guard permission fix

This commit is contained in:
2026-03-12 13:01:06 +01:00
parent 39a113c5fc
commit 17a72af5f2
6 changed files with 226 additions and 1 deletions

View File

@@ -164,6 +164,60 @@ class DepartmentAuthorizationPolicyTest extends TestCase
$this->assertDeniedDecision($decision, 403, 'permission_denied');
}
public function testEditContextExposesDeleteCapabilityWhenDeletePermissionIsGranted(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
5 => [PermissionService::DEPARTMENTS_VIEW, PermissionService::DEPARTMENTS_DELETE],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway->expects($this->once())
->method('canAccess')
->with('departments', 17, 5)
->willReturn(true);
$scopeGateway->expects($this->once())
->method('getUserTenantIds')
->with(5)
->willReturn([2]);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_EDIT_CONTEXT, [
'actor_user_id' => 5,
'target_department_id' => 17,
]);
$capabilities = $decision->attribute('capabilities', []);
$this->assertTrue($decision->isAllowed());
$this->assertTrue((bool) ($capabilities['can_delete_department'] ?? false));
}
public function testEditContextExposesDeleteCapabilityAsFalseWithoutDeletePermission(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
5 => [PermissionService::DEPARTMENTS_VIEW],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway->expects($this->once())
->method('canAccess')
->with('departments', 17, 5)
->willReturn(true);
$scopeGateway->expects($this->once())
->method('getUserTenantIds')
->with(5)
->willReturn([2]);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_EDIT_CONTEXT, [
'actor_user_id' => 5,
'target_department_id' => 17,
]);
$capabilities = $decision->attribute('capabilities', []);
$this->assertTrue($decision->isAllowed());
$this->assertFalse((bool) ($capabilities['can_delete_department'] ?? true));
}
public function testEditSubmitRequiresDepartmentsUpdatePermission(): void
{
$permissionGateway = $this->permissionGatewayAllowing([