pelagia-portal/App/tests/unit/permissions.test.ts

import { describe, it, expect } from "vitest";
import { hasPermission, requirePermission } from "@/lib/permissions";

describe("Permissions", () => {
  describe("hasPermission", () => {
    // ── Original cases ─────────────────────────────────────────────────────

    it("TECHNICAL can create POs", () => {
      expect(hasPermission("TECHNICAL", "create_po")).toBe(true);
    });

    it("TECHNICAL cannot approve POs", () => {
      expect(hasPermission("TECHNICAL", "approve_po")).toBe(false);
    });

    it("MANAGER can approve POs", () => {
      expect(hasPermission("MANAGER", "approve_po")).toBe(true);
    });

    // MANAGER was intentionally granted process_payment in commit e1340b9
    // ("chore(perm): manager permissions fix 2").
    it("MANAGER can process payment", () => {
      expect(hasPermission("MANAGER", "process_payment")).toBe(true);
    });

    it("ACCOUNTS can process payment", () => {
      expect(hasPermission("ACCOUNTS", "process_payment")).toBe(true);
    });

    it("SUPERUSER has all operational permissions", () => {
      expect(hasPermission("SUPERUSER", "create_po")).toBe(true);
      expect(hasPermission("SUPERUSER", "approve_po")).toBe(true);
      expect(hasPermission("SUPERUSER", "process_payment")).toBe(true);
      expect(hasPermission("SUPERUSER", "confirm_receipt")).toBe(true);
    });

    it("ADMIN can manage users", () => {
      expect(hasPermission("ADMIN", "manage_users")).toBe(true);
    });

    it("AUDITOR has read-only access", () => {
      expect(hasPermission("AUDITOR", "view_all_pos")).toBe(true);
      expect(hasPermission("AUDITOR", "approve_po")).toBe(false);
      expect(hasPermission("AUDITOR", "create_po")).toBe(false);
    });

    // ── New permissions: MANAGER and ACCOUNTS expansions ──────────────────

    it("MANAGER can create POs", () => {
      expect(hasPermission("MANAGER", "create_po")).toBe(true);
    });

    it("MANAGER can submit POs", () => {
      expect(hasPermission("MANAGER", "submit_po")).toBe(true);
    });

    it("MANAGER can manage vendors", () => {
      expect(hasPermission("MANAGER", "manage_vendors")).toBe(true);
    });

    it("ACCOUNTS can manage vendors", () => {
      expect(hasPermission("ACCOUNTS", "manage_vendors")).toBe(true);
    });

    it("ACCOUNTS cannot create POs", () => {
      expect(hasPermission("ACCOUNTS", "create_po")).toBe(false);
    });

    it("ACCOUNTS cannot approve POs", () => {
      expect(hasPermission("ACCOUNTS", "approve_po")).toBe(false);
    });

    it("TECHNICAL cannot manage vendors", () => {
      expect(hasPermission("TECHNICAL", "manage_vendors")).toBe(false);
    });

    it("MANNING cannot manage vendors", () => {
      expect(hasPermission("MANNING", "manage_vendors")).toBe(false);
    });

    it("AUDITOR cannot create, submit, or approve POs", () => {
      expect(hasPermission("AUDITOR", "create_po")).toBe(false);
      expect(hasPermission("AUDITOR", "submit_po")).toBe(false);
      expect(hasPermission("AUDITOR", "approve_po")).toBe(false);
    });

    it("AUDITOR cannot manage vendors or products", () => {
      expect(hasPermission("AUDITOR", "manage_vendors")).toBe(false);
      expect(hasPermission("AUDITOR", "manage_products")).toBe(false);
    });

    it("ADMIN cannot approve or process payments", () => {
      expect(hasPermission("ADMIN", "approve_po")).toBe(false);
      expect(hasPermission("ADMIN", "process_payment")).toBe(false);
    });

    it("SUPERUSER does not have manage_vendors (admin-only permission)", () => {
      expect(hasPermission("SUPERUSER", "manage_vendors")).toBe(false);
    });
  });

  describe("requirePermission", () => {
    it("does not throw when permission is granted", () => {
      expect(() => requirePermission("MANAGER", "approve_po")).not.toThrow();
    });

    it("throws when permission is denied", () => {
      expect(() => requirePermission("TECHNICAL", "approve_po")).toThrow();
    });

    it("throws with a message containing the role name", () => {
      expect(() => requirePermission("ACCOUNTS", "approve_po")).toThrow(/ACCOUNTS/);
    });
  });
});