284313f908
Some checks are pending
Bidi Control Character Guard / bidi-control-guard (push) Waiting to run
Circular Dependency Check / Check for new circular dependencies (push) Waiting to run
Citus Migration Smoke / Combined migrations on single-node Citus (push) Waiting to run
E2E Fresh Install Tests / fresh-install-e2e (push) Waiting to run
ext-v2 guardrails / Run ext-v2 guard and ESLint (push) Waiting to run
Integration Tests / Check for relevant changes (push) Waiting to run
Integration Tests / ${{ (github.event_name == 'schedule' || github.event.inputs.suite == 'full') && 'Full integration suite' || 'Tier-1 integration subset' }} (push) Blocked by required conditions
Mobile checks / Mobile lint + typecheck (push) Waiting to run
Mobile checks / Mobile unit tests (push) Waiting to run
Mobile checks / Mobile dependency audit (report) (push) Waiting to run
Mobile checks / Mobile reproducibility checks (push) Waiting to run
Secrets guard (env backups) / Ensure no tracked env backup files (push) Waiting to run
Temporal Readiness / fast-readiness (push) Waiting to run
Temporal Readiness / docker-parity (push) Waiting to run
TypeScript Type Check / Nx affected typecheck (push) Waiting to run
Unit Tests / Skipped-test budget (push) Waiting to run
Unit Tests / Nx affected unit tests (push) Waiting to run
Unit Tests / Server unit coverage (informational) (push) Waiting to run
Validate Tenant Management Schema / Check for relevant changes (push) Waiting to run
Validate Tenant Management Schema / Validate Tenant Management Schema (push) Blocked by required conditions
EE Workflows Build Guard / ee-workflows-build-guard (push) Waiting to run
Excluded: .git, node_modules, secrets/, compose.env, assemblyscript tgz Source: /opt/alga-psa on psa.joliet.tech
43 lines
3.1 KiB
TypeScript
43 lines
3.1 KiB
TypeScript
import { readFileSync } from 'node:fs';
|
|
import path from 'node:path';
|
|
import { describe, expect, it } from 'vitest';
|
|
|
|
const readSource = (relativePath: string) =>
|
|
readFileSync(path.resolve(__dirname, relativePath), 'utf8');
|
|
|
|
describe('time/delegation narrowing sweep contracts', () => {
|
|
const delegationSource = readSource('../src/actions/timeEntryDelegationAuth.ts');
|
|
const timeSheetSource = readSource('../src/actions/timeSheetActions.ts');
|
|
|
|
it('T024: delegation guards keep time_entry kernel semantics and do not allow approve/read_all bypasses', () => {
|
|
expect(delegationSource).toContain("type: 'time_entry'");
|
|
expect(delegationSource).toContain("action: 'read'");
|
|
expect(delegationSource).toContain("action: 'approve'");
|
|
expect(delegationSource).toContain('async function resolveBundleRulesOrThrow(');
|
|
expect(delegationSource).toContain('new BuiltinAuthorizationKernelProvider()');
|
|
expect(delegationSource).not.toContain('function buildTimesheetNotSelfApproverGuard(');
|
|
expect(delegationSource).not.toContain("code: 'timesheet_not_self_approver_denied'");
|
|
expect(delegationSource).toContain('const managedUserIds = canReadAll ? [] : await resolveManagedSubjectUserIds(db, tenant, actor);');
|
|
expect(delegationSource).toContain("resolveBundleRulesOrThrow(db, input, 'Permission denied: Cannot access other users time sheets')");
|
|
expect(delegationSource).toContain("resolveBundleRulesOrThrow(db, input, 'Permission denied: Cannot approve time submissions')");
|
|
expect(delegationSource).toContain("throw new Error('Permission denied: Cannot access other users time sheets')");
|
|
});
|
|
|
|
it('T024: time sheet approval/comment/change flows enforce delegation checks against target subject ownership', () => {
|
|
expect(timeSheetSource).toContain('export const addCommentToTimeSheet = withAuth(async');
|
|
expect(timeSheetSource).toContain('if (!isOwner) {');
|
|
expect(timeSheetSource).toContain('await assertCanActOnBehalf(user, tenant, timeSheet.user_id, db);');
|
|
expect(timeSheetSource).toContain('export const fetchTimeSheetComments = withAuth(async');
|
|
expect(timeSheetSource).toContain(".first<{ user_id: string; first_name: string; last_name: string; email: string }>()");
|
|
expect(timeSheetSource).toContain('await assertCanActOnBehalf(user, tenant, timeSheet.user_id, db);');
|
|
expect(timeSheetSource).toContain('export const requestChangesForTimeSheet = withAuth(async');
|
|
expect(timeSheetSource).toContain("if (approverId !== user.user_id) {");
|
|
expect(timeSheetSource).toContain("throw new Error('Permission denied: Invalid approver');");
|
|
expect(timeSheetSource).toContain('await assertCanActOnBehalf(user, tenant, timeSheet.user_id, trx);');
|
|
expect(timeSheetSource).toContain('export const approveTimeSheet = withAuth(async');
|
|
expect(timeSheetSource).toContain('await assertCanApproveSubject(user, tenant, timeSheet.user_id, trx);');
|
|
expect(timeSheetSource).toContain('export const reverseTimeSheetApproval = withAuth(async');
|
|
expect(timeSheetSource).toContain('await assertCanActOnBehalf(user, tenant, timeSheet.user_id, trx);');
|
|
});
|
|
});
|