Replace the FE-computed authorization anti-pattern in BriefStore.editable (derived from the unverified X-Role header) with server-computed decision flags, mirroring the existing HerregistratieDecisionsDto pattern: - Backend: Authz.cs is the single authorization helper — the SAME check (Authz.CanActOn) both gates BriefStore.Review's mutations and computes the BriefDecisionsDto flags shipped on every brief response, so emit and enforce can never drift. New GET /me returns coarse, role-derived capabilities (PRD-0002 SS6). - Every brief endpoint (including send, previously ungated on HttpContext) now returns a fresh BriefViewDto so decisions never go stale after a mutation. - FE: brief.store.ts reads canEdit/canApprove/canReject/canSend off the loaded decisions instead of computing them from currentRole(); the brief.machine carries decisions through every status transition. - New shared/domain/capability.ts + shared/application/access.store.ts + shared/infrastructure/me.adapter.ts: the general capability-spine infrastructure (AccessStore.can(), capabilityGuard) for future routes. Deviates from the original WP-18 draft by NOT renaming auth/domain's Session to a Principal union — ADR-0002 explicitly defers that refactor until a second actor exists, and the brief workflow's drafter/approver identity turned out to be a separate axis from the SSP login session entirely. See docs/backlog/WP-18-abac-capability-spine.md for the full as-built record. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
192 lines
8.0 KiB
C#
192 lines
8.0 KiB
C#
using System.Net;
|
|
using System.Net.Http.Json;
|
|
using BigRegister.Api.Contracts;
|
|
using BigRegister.Api.Data;
|
|
using Microsoft.AspNetCore.Mvc.Testing;
|
|
|
|
namespace BigRegister.Tests;
|
|
|
|
/// <summary>
|
|
/// The brief is a single process-global demo entity, so each test resets it first
|
|
/// (tests within a class run sequentially in xUnit). Role is the dev-only X-Role
|
|
/// header: absent = drafter, "approver" = a different identity.
|
|
/// </summary>
|
|
public class BriefEndpointTests(WebApplicationFactory<Program> factory) : IClassFixture<WebApplicationFactory<Program>>
|
|
{
|
|
private readonly HttpClient _client = factory.CreateClient();
|
|
|
|
private static LetterBlockDto FreeText(string id) =>
|
|
new("freeText", id, new RichTextBlockDto(new[] { new ParagraphDto(new[] { new RichTextNodeDto("text", Text: "inhoud") }) }));
|
|
|
|
// Fill every REQUIRED section with a block so submit is allowed.
|
|
private static SaveBriefRequest FilledFrom(BriefDto brief)
|
|
{
|
|
var i = 0;
|
|
var sections = brief.Sections
|
|
.Select(s => new LetterSectionDto(s.SectionKey, s.Title, s.Required, s.Required ? new[] { FreeText($"local-{++i}") } : s.Blocks))
|
|
.ToList();
|
|
return new SaveBriefRequest(sections);
|
|
}
|
|
|
|
private async Task<BriefDto> Get()
|
|
{
|
|
BriefStore.Reset();
|
|
var view = await _client.GetFromJsonAsync<BriefViewDto>("/api/v1/brief");
|
|
return view!.Brief;
|
|
}
|
|
|
|
private HttpRequestMessage Post(string path, string? role = null, object? body = null)
|
|
{
|
|
var req = new HttpRequestMessage(HttpMethod.Post, path);
|
|
if (role is not null) req.Headers.Add("X-Role", role);
|
|
if (body is not null) req.Content = JsonContent.Create(body);
|
|
return req;
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Get_creates_a_draft_from_the_template_with_scoped_passages()
|
|
{
|
|
var brief = await Get();
|
|
Assert.Equal("draft", brief.Status.Tag);
|
|
Assert.Equal(new[] { "aanhef", "kern", "slot" }, brief.Sections.Select(s => s.SectionKey));
|
|
// aanhef + slot are locked, predefined and prefilled; only kern is editable + empty.
|
|
var aanhef = brief.Sections.Single(s => s.SectionKey == "aanhef");
|
|
Assert.True(aanhef.Locked);
|
|
Assert.NotEmpty(aanhef.Blocks);
|
|
Assert.True(brief.Sections.Single(s => s.SectionKey == "slot").Locked);
|
|
var kern = brief.Sections.Single(s => s.SectionKey == "kern");
|
|
Assert.False(kern.Locked);
|
|
Assert.Empty(kern.Blocks);
|
|
|
|
var view = await _client.GetFromJsonAsync<BriefViewDto>("/api/v1/brief");
|
|
// global passages + the arts-scoped one; no other-beroep passages leak in.
|
|
Assert.Contains(view!.AvailablePassages, p => p.PassageId == "p-kern-arts");
|
|
Assert.All(view.AvailablePassages, p => Assert.True(p.Scope == "global" || p.Beroep == "arts"));
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Save_is_drafter_only()
|
|
{
|
|
var brief = await Get();
|
|
var save = FilledFrom(brief);
|
|
|
|
var approver = Post("/api/v1/brief", role: "approver");
|
|
approver.Method = HttpMethod.Put;
|
|
approver.Content = JsonContent.Create(save);
|
|
Assert.Equal(HttpStatusCode.Forbidden, (await _client.SendAsync(approver)).StatusCode);
|
|
|
|
Assert.Equal(HttpStatusCode.OK, (await _client.PutAsJsonAsync("/api/v1/brief", save)).StatusCode);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Submit_blocks_on_empty_required_section_then_succeeds_when_filled()
|
|
{
|
|
await Get();
|
|
// Nothing filled yet → required sections empty → 409.
|
|
Assert.Equal(HttpStatusCode.Conflict, (await _client.SendAsync(Post("/api/v1/brief/submit"))).StatusCode);
|
|
|
|
var brief = (await _client.GetFromJsonAsync<BriefViewDto>("/api/v1/brief"))!.Brief;
|
|
await _client.PutAsJsonAsync("/api/v1/brief", FilledFrom(brief));
|
|
|
|
var res = await _client.SendAsync(Post("/api/v1/brief/submit"));
|
|
res.EnsureSuccessStatusCode();
|
|
var submitted = await res.Content.ReadFromJsonAsync<BriefViewDto>();
|
|
Assert.Equal("submitted", submitted!.Brief.Status.Tag);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Drafter_cannot_approve_own_letter_but_a_different_reviewer_can()
|
|
{
|
|
var brief = await Get();
|
|
await _client.PutAsJsonAsync("/api/v1/brief", FilledFrom(brief));
|
|
await _client.SendAsync(Post("/api/v1/brief/submit"));
|
|
|
|
// drafter role approving own letter → 403
|
|
Assert.Equal(HttpStatusCode.Forbidden, (await _client.SendAsync(Post("/api/v1/brief/approve"))).StatusCode);
|
|
|
|
var res = await _client.SendAsync(Post("/api/v1/brief/approve", role: "approver"));
|
|
res.EnsureSuccessStatusCode();
|
|
Assert.Equal("approved", (await res.Content.ReadFromJsonAsync<BriefViewDto>())!.Brief.Status.Tag);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Reject_returns_comments_and_editing_reopens_to_draft()
|
|
{
|
|
var brief = await Get();
|
|
await _client.PutAsJsonAsync("/api/v1/brief", FilledFrom(brief));
|
|
await _client.SendAsync(Post("/api/v1/brief/submit"));
|
|
|
|
var rejected = await (await _client.SendAsync(
|
|
Post("/api/v1/brief/reject", role: "approver", body: new RejectBriefRequest("Graag aanvullen.")))).Content.ReadFromJsonAsync<BriefViewDto>();
|
|
Assert.Equal("rejected", rejected!.Brief.Status.Tag);
|
|
Assert.Equal("Graag aanvullen.", rejected.Brief.Status.Comments);
|
|
|
|
// A drafter save on a rejected letter reopens it to draft.
|
|
var reopened = await (await _client.PutAsJsonAsync("/api/v1/brief", FilledFrom(brief))).Content.ReadFromJsonAsync<BriefViewDto>();
|
|
Assert.Equal("draft", reopened!.Brief.Status.Tag);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Send_only_from_approved()
|
|
{
|
|
var brief = await Get();
|
|
await _client.PutAsJsonAsync("/api/v1/brief", FilledFrom(brief));
|
|
await _client.SendAsync(Post("/api/v1/brief/submit"));
|
|
|
|
// submitted (not approved) → send 409
|
|
Assert.Equal(HttpStatusCode.Conflict, (await _client.SendAsync(Post("/api/v1/brief/send"))).StatusCode);
|
|
|
|
await _client.SendAsync(Post("/api/v1/brief/approve", role: "approver"));
|
|
var res = await _client.SendAsync(Post("/api/v1/brief/send"));
|
|
res.EnsureSuccessStatusCode();
|
|
Assert.Equal("sent", (await res.Content.ReadFromJsonAsync<BriefViewDto>())!.Brief.Status.Tag);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Decisions_on_the_view_mirror_the_acting_principal_and_live_status()
|
|
{
|
|
var brief = await Get();
|
|
var view = await _client.GetFromJsonAsync<BriefViewDto>("/api/v1/brief");
|
|
Assert.True(view!.Decisions.CanEdit); // default (no X-Role) = drafter, draft status
|
|
Assert.False(view.Decisions.CanApprove);
|
|
|
|
await _client.PutAsJsonAsync("/api/v1/brief", FilledFrom(brief));
|
|
await _client.SendAsync(Post("/api/v1/brief/submit"));
|
|
|
|
var asApprover = await _client.SendAsync(
|
|
new HttpRequestMessage(HttpMethod.Get, "/api/v1/brief") { Headers = { { "X-Role", "approver" } } });
|
|
var approverView = await asApprover.Content.ReadFromJsonAsync<BriefViewDto>();
|
|
Assert.True(approverView!.Decisions.CanApprove);
|
|
Assert.False(approverView.Decisions.CanEdit); // approver never edits
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Me_returns_no_capabilities_for_drafter_and_the_brief_set_for_approver()
|
|
{
|
|
var asDrafter = await _client.GetFromJsonAsync<MeDto>("/api/v1/me");
|
|
Assert.Empty(asDrafter!.Capabilities);
|
|
|
|
var res = await _client.SendAsync(new HttpRequestMessage(HttpMethod.Get, "/api/v1/me") { Headers = { { "X-Role", "approver" } } });
|
|
var asApprover = await res.Content.ReadFromJsonAsync<MeDto>();
|
|
Assert.Equal(new[] { "brief:approve", "brief:reject", "brief:send" }, asApprover!.Capabilities);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Reset_recreates_a_fresh_draft_with_locked_prefilled_sections()
|
|
{
|
|
var brief = await Get();
|
|
// Advance out of draft so the reset back to draft is observable.
|
|
await _client.PutAsJsonAsync("/api/v1/brief", FilledFrom(brief));
|
|
await _client.SendAsync(Post("/api/v1/brief/submit"));
|
|
|
|
var res = await _client.SendAsync(Post("/api/v1/brief/reset"));
|
|
res.EnsureSuccessStatusCode();
|
|
var view = await res.Content.ReadFromJsonAsync<BriefViewDto>();
|
|
Assert.Equal("draft", view!.Brief.Status.Tag);
|
|
var aanhef = view.Brief.Sections.Single(s => s.SectionKey == "aanhef");
|
|
Assert.True(aanhef.Locked);
|
|
Assert.NotEmpty(aanhef.Blocks);
|
|
Assert.Empty(view.Brief.Sections.Single(s => s.SectionKey == "kern").Blocks);
|
|
}
|
|
}
|