feat(brief): WP-18 — ABAC capability spine (PRD-0002 phase P1)
Replace the FE-computed authorization anti-pattern in BriefStore.editable (derived from the unverified X-Role header) with server-computed decision flags, mirroring the existing HerregistratieDecisionsDto pattern: - Backend: Authz.cs is the single authorization helper — the SAME check (Authz.CanActOn) both gates BriefStore.Review's mutations and computes the BriefDecisionsDto flags shipped on every brief response, so emit and enforce can never drift. New GET /me returns coarse, role-derived capabilities (PRD-0002 SS6). - Every brief endpoint (including send, previously ungated on HttpContext) now returns a fresh BriefViewDto so decisions never go stale after a mutation. - FE: brief.store.ts reads canEdit/canApprove/canReject/canSend off the loaded decisions instead of computing them from currentRole(); the brief.machine carries decisions through every status transition. - New shared/domain/capability.ts + shared/application/access.store.ts + shared/infrastructure/me.adapter.ts: the general capability-spine infrastructure (AccessStore.can(), capabilityGuard) for future routes. Deviates from the original WP-18 draft by NOT renaming auth/domain's Session to a Principal union — ADR-0002 explicitly defers that refactor until a second actor exists, and the brief workflow's drafter/approver identity turned out to be a separate axis from the SSP login session entirely. See docs/backlog/WP-18-abac-capability-spine.md for the full as-built record. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
This commit is contained in:
68
backend/tests/BigRegister.Tests/AuthzTests.cs
Normal file
68
backend/tests/BigRegister.Tests/AuthzTests.cs
Normal file
@@ -0,0 +1,68 @@
|
||||
using BigRegister.Domain.Authorization;
|
||||
using Xunit;
|
||||
|
||||
namespace BigRegister.Tests;
|
||||
|
||||
/// <summary>
|
||||
/// Unit tests for the single authorization helper (PRD-0002 phase P1) that both
|
||||
/// computes the brief screen's decision flags and gates the mutation endpoints.
|
||||
/// </summary>
|
||||
public class AuthzTests
|
||||
{
|
||||
private static readonly Principal Drafter = new(PrincipalRole.Drafter);
|
||||
private static readonly Principal Approver = new(PrincipalRole.Approver);
|
||||
private const string DrafterId = "demo-drafter";
|
||||
|
||||
[Fact]
|
||||
public void Drafter_may_not_approve_or_reject_even_when_submitted()
|
||||
{
|
||||
Assert.False(Authz.CanActOn(BriefAction.Approve, Drafter, DrafterId));
|
||||
Assert.False(Authz.CanActOn(BriefAction.Reject, Drafter, DrafterId));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Approver_may_approve_and_reject_a_different_drafters_letter()
|
||||
{
|
||||
Assert.True(Authz.CanActOn(BriefAction.Approve, Approver, DrafterId));
|
||||
Assert.True(Authz.CanActOn(BriefAction.Reject, Approver, DrafterId));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Send_is_not_role_gated()
|
||||
{
|
||||
Assert.True(Authz.CanActOn(BriefAction.Send, Drafter, DrafterId));
|
||||
Assert.True(Authz.CanActOn(BriefAction.Send, Approver, DrafterId));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData("draft")]
|
||||
[InlineData("rejected")]
|
||||
public void Decisions_CanEdit_true_for_drafter_in_editable_statuses(string status)
|
||||
{
|
||||
Assert.True(Authz.Decisions(Drafter, status, DrafterId).CanEdit);
|
||||
Assert.False(Authz.Decisions(Approver, status, DrafterId).CanEdit);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Decisions_CanApprove_requires_submitted_status_and_approver_role()
|
||||
{
|
||||
Assert.True(Authz.Decisions(Approver, "submitted", DrafterId).CanApprove);
|
||||
Assert.False(Authz.Decisions(Approver, "draft", DrafterId).CanApprove);
|
||||
Assert.False(Authz.Decisions(Drafter, "submitted", DrafterId).CanApprove);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Decisions_CanSend_requires_approved_status_only()
|
||||
{
|
||||
Assert.True(Authz.Decisions(Drafter, "approved", DrafterId).CanSend);
|
||||
Assert.True(Authz.Decisions(Approver, "approved", DrafterId).CanSend);
|
||||
Assert.False(Authz.Decisions(Approver, "submitted", DrafterId).CanSend);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void RoleCapabilities_are_empty_for_drafter_and_the_three_brief_capabilities_for_approver()
|
||||
{
|
||||
Assert.Empty(Authz.RoleCapabilities(Drafter));
|
||||
Assert.Equal(new[] { "brief:approve", "brief:reject", "brief:send" }, Authz.RoleCapabilities(Approver));
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user