vikunja/pkg/webtests/huma_admin_test.go

101 lines
3.8 KiB
Go

// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package webtests
import (
"net/http"
"testing"
"code.vikunja.io/api/pkg/db"
"code.vikunja.io/api/pkg/license"
"code.vikunja.io/api/pkg/user"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
)
// TestHumaAdminProjects exercises the v2 admin gate via GET /api/v2/admin/projects.
// It mirrors v1's TestAdmin_ListProjects but additionally asserts that the same
// two-stage gate (license feature + instance admin) v1 uses on /admin carries
// through to the Huma-backed /api/v2/admin group, returning 404 (not 403) on
// failure. The RFC 9457 error body is asserted once globally in
// TestHuma_ErrorShapeIsRFC9457, so here we only assert the status codes.
func TestHumaAdminProjects(t *testing.T) {
t.Run("non-admin user gets 404", func(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)
license.SetForTests([]license.Feature{license.FeatureAdminPanel})
defer license.ResetForTests()
s := db.NewSession()
defer s.Close()
u, err := user.GetUserByID(s, 1)
require.NoError(t, err)
require.False(t, u.IsAdmin, "fixture precondition: user1 is not an admin")
res := adminReq(t, e, http.MethodGet, "/api/v2/admin/projects", u, "")
assert.Equal(t, http.StatusNotFound, res.Code)
})
t.Run("admin without the feature gets 404", func(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)
// A valid license that lacks the admin panel feature still gates the
// route. Match the sibling subtests' set/defer-reset pattern so the
// license state never bleeds into other tests.
license.SetForTests([]license.Feature{})
defer license.ResetForTests()
admin := promoteToAdmin(t, 1)
res := adminReq(t, e, http.MethodGet, "/api/v2/admin/projects", admin, "")
assert.Equal(t, http.StatusNotFound, res.Code)
})
t.Run("admin with the feature sees every project", func(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)
license.SetForTests([]license.Feature{license.FeatureAdminPanel})
defer license.ResetForTests()
admin := promoteToAdmin(t, 1)
res := adminReq(t, e, http.MethodGet, "/api/v2/admin/projects", admin, "")
require.Equal(t, http.StatusOK, res.Code, res.Body.String())
body := res.Body.String()
// v2 wraps lists in the Paginated envelope.
assert.Contains(t, body, `"items":`)
assert.Contains(t, body, `"total":`)
// Project 6 is owned by user6, not shared with user1 — the admin list
// surfaces it regardless of ownership.
assert.Contains(t, body, `"id":6`)
// Project 22 is archived; the admin list includes archived projects.
assert.Contains(t, body, `"id":22`)
})
t.Run("unauthenticated caller gets 401", func(t *testing.T) {
e, err := setupTestEnv()
require.NoError(t, err)
license.SetForTests([]license.Feature{license.FeatureAdminPanel})
defer license.ResetForTests()
// The token middleware rejects with 401 before the gate runs, matching v1.
res := adminReq(t, e, http.MethodGet, "/api/v2/admin/projects", nil, "")
assert.Equal(t, http.StatusUnauthorized, res.Code)
})
}