43 lines
1.3 KiB
Rust
43 lines
1.3 KiB
Rust
use domain::entities::{Permission, PermissionAction, ResourceType, Role};
|
|
use domain::entities::permission::{admin_permissions, viewer_permissions};
|
|
use domain::services::permission_service::PermissionChecker;
|
|
|
|
#[test]
|
|
fn viewer_can_read() {
|
|
let role = Role::new("viewer", viewer_permissions(), true);
|
|
assert!(PermissionChecker::has_permission(
|
|
&[role],
|
|
PermissionAction::ReadAsset,
|
|
ResourceType::Asset,
|
|
));
|
|
}
|
|
|
|
#[test]
|
|
fn viewer_cannot_delete() {
|
|
let role = Role::new("viewer", viewer_permissions(), true);
|
|
assert!(!PermissionChecker::has_permission(
|
|
&[role],
|
|
PermissionAction::DeleteAsset,
|
|
ResourceType::Asset,
|
|
));
|
|
}
|
|
|
|
#[test]
|
|
fn roles_additive() {
|
|
let r1 = Role::new("r1", [Permission::new(PermissionAction::ReadAsset, ResourceType::Global)].into(), false);
|
|
let r2 = Role::new("r2", [Permission::new(PermissionAction::WriteMetadata, ResourceType::Global)].into(), false);
|
|
let eff = PermissionChecker::effective_permissions(&[r1, r2]);
|
|
assert_eq!(eff.len(), 2);
|
|
}
|
|
|
|
#[test]
|
|
fn global_covers_specific() {
|
|
let role = Role::new("admin", admin_permissions(), true);
|
|
// Global ReadAsset should cover Asset-scoped check
|
|
assert!(PermissionChecker::has_permission(
|
|
&[role],
|
|
PermissionAction::ReadAsset,
|
|
ResourceType::Album,
|
|
));
|
|
}
|