From be225fd4d3125df2339f72b25ef39437fdbf7200 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Tue, 21 Apr 2026 11:45:11 +0200
Subject: [PATCH] test(e2e): cover team READ permission boundary
---
 frontend/tests/e2e/sharing/team.spec.ts | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/frontend/tests/e2e/sharing/team.spec.ts b/frontend/tests/e2e/sharing/team.spec.ts
index 19bfbcee8..cc20648d6 100644
--- a/frontend/tests/e2e/sharing/team.spec.ts
+++ b/frontend/tests/e2e/sharing/team.spec.ts
@@ -1,7 +1,10 @@
 import {test, expect} from '../../support/fixtures'
 import {TeamFactory} from '../../factories/team'
 import {TeamMemberFactory} from '../../factories/team_member'
+import {TeamProjectFactory} from '../../factories/team_project'
 import {UserFactory} from '../../factories/user'
+import {createProjects} from '../project/prepareProjects'
+import {login, setupApiUrl} from '../../support/authenticateUser'
 
 test.describe('Team', () => {
 test('Creates a new team', async ({authenticatedPage: page}) => {
@@ -100,3 +103,25 @@ test.describe('Team', () => {
 await expect(page.locator('.global-notification')).toContainText('Success')
 })
 })
+
+test.describe('Team permission tiers on shared projects', () => {
+ // These tests log in as the second user (the team member), so we can't use
+ // the `authenticatedPage` fixture which auto-logs in as user 1.
+ test.beforeEach(async ({page}) => {
+ await setupApiUrl(page)
+ })
+
+ test('READ: team member cannot add tasks on a shared project', async ({page, apiContext}) => {
+ const [, member] = await UserFactory.create(2)
+ await createProjects(1)
+ await TeamFactory.create(1, {id: 1, created_by_id: 1}, false)
+ await TeamMemberFactory.create(1, {team_id: 1, user_id: member.id, admin: false}, false)
+ await TeamProjectFactory.create(1, {team_id: 1, project_id: 1, permission: 0}, false)
+
+ await login(page, apiContext, member)
+ await page.goto('/projects/1/1')
+
+ await expect(page.locator('.project-title')).toContainText('First Project')
+ await expect(page.locator('input.input[placeholder="Add a task…"]')).not.toBeVisible()
+ })
+})
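Review bot: The READ test's only negative check is `not.toBeVisible()` on the add-task input, which shows that the UI hides the control but not that the server refuses the write, so the permission boundary itself is untested. Consider also sending the task-creation request as `member` (through `apiContext`, if it can carry the member's session) and asserting that it is rejected, so a regression in server-side enforcement fails this spec. The current assertion is also vacuous if the placeholder text or selector ever changes, because a missing element satisfies `not.toBeVisible()`; a sibling test with a write-level share that expects the same locator to be visible would anchor it. `permission: 0` reads as a magic number here, and a short comment such as `// read-only tier` next to it would make the tier explicit, assuming 0 is the READ value the test title implies.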