0a0ec016d8
Backend: - auth/permissions.go: full permission matrix with RequirePermission/RequireRole middleware, CanEditCase, CanDeleteDocument helpers - auth/context.go: add user role to request context - auth/middleware.go: resolve role alongside tenant in auth flow - auth/tenant_resolver.go: verify membership + resolve role for X-Tenant-ID - handlers/case_assignments.go: CRUD for case-level user assignments - handlers/tenant_handler.go: UpdateMemberRole, GetMe (/api/me) endpoints - handlers/documents.go: permission-based delete (own vs all) - router/router.go: permission-wrapped routes for all endpoints - services/case_assignment_service.go: assign/unassign with tenant validation - services/tenant_service.go: UpdateMemberRole with owner protection - models/case_assignment.go: CaseAssignment model Database: - user_tenants.role: CHECK constraint (owner/partner/associate/paralegal/secretary) - case_assignments table: case_id, user_id, role (lead/team/viewer) - Migrated existing admin->partner, member->associate Frontend: - usePermissions hook: fetches /api/me, provides can() helper - TeamSettings: 5-role dropdown, role change, permission-gated invite - CaseAssignments: new component for case-level team management - Sidebar: conditionally hides AI/Settings based on permissions - Cases page: hides "Neue Akte" button for non-authorized roles - Case detail: new "Mitarbeiter" tab for assignment management
133 lines
3.4 KiB
Go
133 lines
3.4 KiB
Go
package auth
|
|
|
|
import (
|
|
"context"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
type mockTenantLookup struct {
|
|
tenantID *uuid.UUID
|
|
role string
|
|
err error
|
|
}
|
|
|
|
func (m *mockTenantLookup) FirstTenantForUser(ctx context.Context, userID uuid.UUID) (*uuid.UUID, error) {
|
|
return m.tenantID, m.err
|
|
}
|
|
|
|
func (m *mockTenantLookup) GetUserRole(ctx context.Context, userID, tenantID uuid.UUID) (string, error) {
|
|
if m.role != "" {
|
|
return m.role, m.err
|
|
}
|
|
return "associate", m.err
|
|
}
|
|
|
|
func TestTenantResolver_FromHeader(t *testing.T) {
|
|
tenantID := uuid.New()
|
|
tr := NewTenantResolver(&mockTenantLookup{role: "partner"})
|
|
|
|
var gotTenantID uuid.UUID
|
|
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
id, ok := TenantFromContext(r.Context())
|
|
if !ok {
|
|
t.Fatal("tenant ID not in context")
|
|
}
|
|
gotTenantID = id
|
|
w.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
r := httptest.NewRequest("GET", "/api/cases", nil)
|
|
r.Header.Set("X-Tenant-ID", tenantID.String())
|
|
r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
|
|
w := httptest.NewRecorder()
|
|
|
|
tr.Resolve(next).ServeHTTP(w, r)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200, got %d", w.Code)
|
|
}
|
|
if gotTenantID != tenantID {
|
|
t.Errorf("expected tenant %s, got %s", tenantID, gotTenantID)
|
|
}
|
|
}
|
|
|
|
func TestTenantResolver_DefaultsToFirst(t *testing.T) {
|
|
tenantID := uuid.New()
|
|
tr := NewTenantResolver(&mockTenantLookup{tenantID: &tenantID})
|
|
|
|
var gotTenantID uuid.UUID
|
|
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
id, _ := TenantFromContext(r.Context())
|
|
gotTenantID = id
|
|
w.WriteHeader(http.StatusOK)
|
|
})
|
|
|
|
r := httptest.NewRequest("GET", "/api/cases", nil)
|
|
r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
|
|
w := httptest.NewRecorder()
|
|
|
|
tr.Resolve(next).ServeHTTP(w, r)
|
|
|
|
if w.Code != http.StatusOK {
|
|
t.Fatalf("expected 200, got %d", w.Code)
|
|
}
|
|
if gotTenantID != tenantID {
|
|
t.Errorf("expected tenant %s, got %s", tenantID, gotTenantID)
|
|
}
|
|
}
|
|
|
|
func TestTenantResolver_NoUser(t *testing.T) {
|
|
tr := NewTenantResolver(&mockTenantLookup{})
|
|
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next should not be called")
|
|
})
|
|
|
|
r := httptest.NewRequest("GET", "/api/cases", nil)
|
|
w := httptest.NewRecorder()
|
|
|
|
tr.Resolve(next).ServeHTTP(w, r)
|
|
|
|
if w.Code != http.StatusUnauthorized {
|
|
t.Errorf("expected 401, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestTenantResolver_InvalidHeader(t *testing.T) {
|
|
tr := NewTenantResolver(&mockTenantLookup{})
|
|
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next should not be called")
|
|
})
|
|
|
|
r := httptest.NewRequest("GET", "/api/cases", nil)
|
|
r.Header.Set("X-Tenant-ID", "not-a-uuid")
|
|
r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
|
|
w := httptest.NewRecorder()
|
|
|
|
tr.Resolve(next).ServeHTTP(w, r)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Errorf("expected 400, got %d", w.Code)
|
|
}
|
|
}
|
|
|
|
func TestTenantResolver_NoTenantForUser(t *testing.T) {
|
|
tr := NewTenantResolver(&mockTenantLookup{tenantID: nil})
|
|
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
t.Fatal("next should not be called")
|
|
})
|
|
|
|
r := httptest.NewRequest("GET", "/api/cases", nil)
|
|
r = r.WithContext(ContextWithUserID(r.Context(), uuid.New()))
|
|
w := httptest.NewRecorder()
|
|
|
|
tr.Resolve(next).ServeHTTP(w, r)
|
|
|
|
if w.Code != http.StatusBadRequest {
|
|
t.Errorf("expected 400, got %d", w.Code)
|
|
}
|
|
}
|