From 58d882d36dc4d8a3cb52a29491b3228c912464db Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 4 Jun 2026 23:39:09 +0200
Subject: [PATCH] test(api/v2): assert team max_permission + etag reflects permission
---
 pkg/webtests/huma_team_test.go | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/pkg/webtests/huma_team_test.go b/pkg/webtests/huma_team_test.go
index 8ab97028b..2a677f827 100644
--- a/pkg/webtests/huma_team_test.go
+++ b/pkg/webtests/huma_team_test.go
@@ -181,6 +181,7 @@ func TestHumaTeam(t *testing.T) {
 // v1's TestTeam_ReadOne also asserts the description and created_by.
 assert.Contains(t, rec.Body.String(), `"description":"Lorem Ipsum"`)
 assert.Contains(t, rec.Body.String(), `"created_by"`)
+ assert.Contains(t, rec.Body.String(), `"max_permission":`)
 assert.NotEmpty(t, rec.Result().Header.Get("ETag"))
 })
 // v1's TestTeam_ReadOne/{invalid id, nonexisting} expects
@@ -388,3 +389,19 @@ func TestHumaTeam_ETagReturns304(t *testing.T) {
 e.ServeHTTP(rec, req)
 require.Equal(t, http.StatusNotModified, rec.Code, "body: %s", rec.Body.String())
 }
+
+func TestHumaTeam_ETagReflectsPermission(t *testing.T) {
+ // Team 1: user1 is an admin (max_permission 2), user2 a non-admin member (0).
+ // Same team, so the per-caller ETag must differ — else a 304 serves stale perms.
+ e, err := setupTestEnv()
+ require.NoError(t, err)
+
+ admin := humaRequest(t, e, http.MethodGet, "/api/v2/teams/1", "", humaTokenFor(t, &testuser1), "")
+ require.Equal(t, http.StatusOK, admin.Code, "body: %s", admin.Body.String())
+ member := humaRequest(t, e, http.MethodGet, "/api/v2/teams/1", "", humaTokenFor(t, &testuser2), "")
+ require.Equal(t, http.StatusOK, member.Code, "body: %s", member.Body.String())
+
+ assert.NotEmpty(t, admin.Header().Get("ETag"))
+ assert.NotEqual(t, admin.Header().Get("ETag"), member.Header().Get("ETag"),
+ "same team, different caller permission must produce different ETags")
+}
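Review bot: The added `max_permission` assertion in the ReadOne subtest matches only the JSON key, so it still passes when the field is present but carries the wrong level for the caller. Pin the value the fixture implies for this subtest's user, for example `assert.Contains(t, rec.Body.String(), "\"max_permission\":2")` if the request is made as the team admin. The caller and team are set up outside this hunk, so the expected number needs to be confirmed there.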
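Review bot: In TestHumaTeam_ETagReflectsPermission only the admin ETag is checked with `assert.NotEmpty`, so the `assert.NotEqual` after it passes trivially if the member response carries no ETag at all; add `assert.NotEmpty(t, member.Header().Get("ETag"))`. The test also never replays the admin's ETag as `If-None-Match` with user2's token and expects 200 rather than 304, which is the stale-permission case the comment says it guards against. Asserting the two levels named in the comment (2 for user1, 0 for user2) on the response bodies would additionally tie the ETag difference to the permission rather than to any other per-caller input.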