From 2fc11630b4eeb247b06b442322a8c9f3fe51f37c Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 4 Jun 2026 23:40:31 +0200
Subject: [PATCH] test(api/v2): assert task comment max_permission and per-caller ETag

Assert the read-one body carries max_permission, and add TestHumaTaskComment_ETagReflectsPermission proving two users with different permission on a comment's parent task (project 9: owner user6 vs read-share user1, comment 6 on task 18) receive different ETags.
---
 pkg/webtests/huma_task_comment_test.go | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/pkg/webtests/huma_task_comment_test.go b/pkg/webtests/huma_task_comment_test.go
index 3edd097c6..8be45ad32 100644
--- a/pkg/webtests/huma_task_comment_test.go
+++ b/pkg/webtests/huma_task_comment_test.go
@@ -107,6 +107,7 @@ func TestHumaTaskComment(t *testing.T) {
 require.NoError(t, err)
 assert.Contains(t, rec.Body.String(), `Lorem Ipsum Dolor Sit Amet`)
 assert.Contains(t, rec.Body.String(), `"id":1`)
+ assert.Contains(t, rec.Body.String(), `"max_permission":`)
 assert.NotEmpty(t, rec.Result().Header.Get("ETag"))
 })
 t.Run("Nonexisting", func(t *testing.T) {
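Review bot: The added assertion on the `"max_permission":` substring only proves the key is serialized, so it still passes if the handler reports the wrong permission level for this caller (including a zero or null value). Since the field tells clients what the caller is allowed to do, pinning the value the fixture user should receive, i.e. matching `"max_permission":<expected level>` rather than the bare key, would catch a regression that over- or under-reports access. The enclosing subtest starts outside this hunk, so which user and comment it requests is not visible here.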
@@ -371,3 +372,21 @@ func TestHumaTaskComment(t *testing.T) {
 })
 })
 }
+
+func TestHumaTaskComment_ETagReflectsPermission(t *testing.T) {
+ // Comment 6 is on task 18 in project 9: user6 owns the project (admin) while
+ // user1 has only a read share (users_projects #3). max_permission is folded
+ // into the ETag, so the same comment must yield different ETags per caller —
+ // else a 304 would serve a stale permission level.
+ e, err := setupTestEnv()
+ require.NoError(t, err)
+
+ owner := humaRequest(t, e, http.MethodGet, "/api/v2/tasks/18/comments/6", "", humaTokenFor(t, &testuser6), "")
+ require.Equal(t, http.StatusOK, owner.Code, "body: %s", owner.Body.String())
+ reader := humaRequest(t, e, http.MethodGet, "/api/v2/tasks/18/comments/6", "", humaTokenFor(t, &testuser1), "")
+ require.Equal(t, http.StatusOK, reader.Code, "body: %s", reader.Body.String())
+
+ assert.NotEmpty(t, owner.Header().Get("ETag"))
+ assert.NotEqual(t, owner.Header().Get("ETag"), reader.Header().Get("ETag"),
+ "same comment, different caller permission must produce different ETags")
+}
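Review bot: The final `assert.NotEqual` passes trivially if the reader's response carries no ETag at all, because only the owner's header is checked for non-emptiness; add `assert.NotEmpty(t, reader.Header().Get("ETag"))` before it. The test also never ties the ETag difference to the permission: it stays green if the ETag varies per caller for an unrelated reason while both bodies report the same level, so asserting that `owner.Body` and `reader.Body` carry different `max_permission` values would ground the claim made in the comment. If `humaRequest` can send request headers (its last argument is not explained in this hunk), replaying the owner's ETag as `If-None-Match` with user1's token and requiring 200 rather than 304 would exercise the stale-permission case directly.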