pelagia-portal/App/tests/unit/permissions.test.ts

import { describe, it, expect, vi, afterEach } from "vitest";
import {
  hasPermission,
  requirePermission,
  isSubmitterRole,
  submitterCanViewAll,
  canViewAllPos,
} from "@/lib/permissions";

describe("Permissions", () => {
  describe("hasPermission", () => {
    // ── Original cases ─────────────────────────────────────────────────────

    it("TECHNICAL can create POs", () => {
      expect(hasPermission("TECHNICAL", "create_po")).toBe(true);
    });

    it("TECHNICAL cannot approve POs", () => {
      expect(hasPermission("TECHNICAL", "approve_po")).toBe(false);
    });

    it("MANAGER can approve POs", () => {
      expect(hasPermission("MANAGER", "approve_po")).toBe(true);
    });

    // MANAGER was intentionally granted process_payment in commit e1340b9
    // ("chore(perm): manager permissions fix 2").
    it("MANAGER can process payment", () => {
      expect(hasPermission("MANAGER", "process_payment")).toBe(true);
    });

    it("ACCOUNTS can process payment", () => {
      expect(hasPermission("ACCOUNTS", "process_payment")).toBe(true);
    });

    it("SUPERUSER has all operational permissions", () => {
      expect(hasPermission("SUPERUSER", "create_po")).toBe(true);
      expect(hasPermission("SUPERUSER", "approve_po")).toBe(true);
      expect(hasPermission("SUPERUSER", "process_payment")).toBe(true);
      expect(hasPermission("SUPERUSER", "confirm_receipt")).toBe(true);
    });

    it("ADMIN can manage users", () => {
      expect(hasPermission("ADMIN", "manage_users")).toBe(true);
    });

    it("AUDITOR has read-only access", () => {
      expect(hasPermission("AUDITOR", "view_all_pos")).toBe(true);
      expect(hasPermission("AUDITOR", "approve_po")).toBe(false);
      expect(hasPermission("AUDITOR", "create_po")).toBe(false);
    });

    // ── New permissions: MANAGER and ACCOUNTS expansions ──────────────────

    it("MANAGER can create POs", () => {
      expect(hasPermission("MANAGER", "create_po")).toBe(true);
    });

    it("MANAGER can submit POs", () => {
      expect(hasPermission("MANAGER", "submit_po")).toBe(true);
    });

    it("MANAGER can manage vendors", () => {
      expect(hasPermission("MANAGER", "manage_vendors")).toBe(true);
    });

    it("ACCOUNTS can manage vendors", () => {
      expect(hasPermission("ACCOUNTS", "manage_vendors")).toBe(true);
    });

    it("ACCOUNTS cannot create POs", () => {
      expect(hasPermission("ACCOUNTS", "create_po")).toBe(false);
    });

    it("ACCOUNTS cannot approve POs", () => {
      expect(hasPermission("ACCOUNTS", "approve_po")).toBe(false);
    });

    it("TECHNICAL cannot manage vendors", () => {
      expect(hasPermission("TECHNICAL", "manage_vendors")).toBe(false);
    });

    it("MANNING cannot manage vendors", () => {
      expect(hasPermission("MANNING", "manage_vendors")).toBe(false);
    });

    it("AUDITOR cannot create, submit, or approve POs", () => {
      expect(hasPermission("AUDITOR", "create_po")).toBe(false);
      expect(hasPermission("AUDITOR", "submit_po")).toBe(false);
      expect(hasPermission("AUDITOR", "approve_po")).toBe(false);
    });

    it("AUDITOR cannot manage vendors or products", () => {
      expect(hasPermission("AUDITOR", "manage_vendors")).toBe(false);
      expect(hasPermission("AUDITOR", "manage_products")).toBe(false);
    });

    it("ADMIN cannot approve or process payments", () => {
      expect(hasPermission("ADMIN", "approve_po")).toBe(false);
      expect(hasPermission("ADMIN", "process_payment")).toBe(false);
    });

    it("SUPERUSER does not have manage_vendors (admin-only permission)", () => {
      expect(hasPermission("SUPERUSER", "manage_vendors")).toBe(false);
    });
  });

  // ── Submitter view-all (feature-flagged) ──────────────────────────────────
  describe("isSubmitterRole", () => {
    it("is true for the two submitter roles", () => {
      expect(isSubmitterRole("TECHNICAL")).toBe(true);
      expect(isSubmitterRole("MANNING")).toBe(true);
    });

    it("is false for every other role", () => {
      for (const role of ["ACCOUNTS", "MANAGER", "SUPERUSER", "AUDITOR", "ADMIN"] as const) {
        expect(isSubmitterRole(role)).toBe(false);
      }
    });
  });

  describe("canViewAllPos / submitterCanViewAll — flag OFF (default)", () => {
    it("submitters cannot view all POs", () => {
      expect(canViewAllPos("TECHNICAL")).toBe(false);
      expect(canViewAllPos("MANNING")).toBe(false);
      expect(submitterCanViewAll("TECHNICAL")).toBe(false);
    });

    it("view_all_pos holders can still view all POs", () => {
      for (const role of ["ACCOUNTS", "MANAGER", "SUPERUSER", "AUDITOR", "ADMIN"] as const) {
        expect(canViewAllPos(role)).toBe(true);
      }
    });
  });

  describe("canViewAllPos / submitterCanViewAll — flag ON", () => {
    afterEach(() => {
      vi.unstubAllEnvs();
      vi.resetModules();
    });

    it("submitters gain view-all when NEXT_PUBLIC_SUBMITTER_VIEW_ALL_ENABLED=true", async () => {
      vi.resetModules();
      vi.stubEnv("NEXT_PUBLIC_SUBMITTER_VIEW_ALL_ENABLED", "true");
      const perms = await import("@/lib/permissions");

      expect(perms.submitterCanViewAll("TECHNICAL")).toBe(true);
      expect(perms.submitterCanViewAll("MANNING")).toBe(true);
      expect(perms.canViewAllPos("TECHNICAL")).toBe(true);
      expect(perms.canViewAllPos("MANNING")).toBe(true);
    });

    it("does not widen non-submitter roles, and is read-only (no approve/edit)", async () => {
      vi.resetModules();
      vi.stubEnv("NEXT_PUBLIC_SUBMITTER_VIEW_ALL_ENABLED", "true");
      const perms = await import("@/lib/permissions");

      expect(perms.submitterCanViewAll("MANAGER")).toBe(false);
      expect(perms.canViewAllPos("ACCOUNTS")).toBe(true); // unchanged
      // The flag grants read access only — no approval or edit rights.
      expect(perms.hasPermission("TECHNICAL", "approve_po")).toBe(false);
      expect(perms.hasPermission("TECHNICAL", "view_all_pos")).toBe(false);
    });
  });

  describe("requirePermission", () => {
    it("does not throw when permission is granted", () => {
      expect(() => requirePermission("MANAGER", "approve_po")).not.toThrow();
    });

    it("throws when permission is denied", () => {
      expect(() => requirePermission("TECHNICAL", "approve_po")).toThrow();
    });

    it("throws with a message containing the role name", () => {
      expect(() => requirePermission("ACCOUNTS", "approve_po")).toThrow(/ACCOUNTS/);
    });
  });
});