chore: resolve merge conflicts with main

Kept our version of accessibility.spec.ts (color-contrast rule enabled, exclusion comment removed) over main's disabled version — the contrast fixes in this branch make the exclusion unnecessary. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 19:51:32 +01:00
parent e28cd03953 e7829312e8
commit 16101240f1
25 changed files with 1083 additions and 10 deletions
--- a/frontend/src/routes/admin/+page.svelte
+++ b/frontend/src/routes/admin/+page.svelte
@@ -11,6 +11,10 @@ let { data, form } = $props();
 let activeTab = $state('users');
 </script>

+<svelte:head>
+	<title>{m.page_title_admin()}</title>
+</svelte:head>
+
 <div class="mx-auto max-w-7xl px-4 py-8 font-sans sm:px-6 lg:px-8">
 	<div class="mb-8 flex flex-col gap-4 sm:flex-row sm:items-center sm:justify-between">
 		<h1 class="font-serif text-3xl text-ink">{m.admin_heading()}</h1>
--- a/frontend/src/routes/admin/page.server.spec.ts
+++ b/frontend/src/routes/admin/page.server.spec.ts
@@ -0,0 +1,77 @@
+import { describe, expect, it, vi, beforeEach } from 'vitest';
+import { load } from './+page.server';
+
+vi.mock('$lib/api.server', () => ({ createApiClient: vi.fn() }));
+
+import { createApiClient } from '$lib/api.server';
+
+const adminUser = { groups: [{ permissions: ['ADMIN'] }] };
+const readOnlyUser = { groups: [{ permissions: ['READ_ALL'] }] };
+
+function mockApiReturning(users: unknown[], groups: unknown[], tags: unknown[]) {
+	vi.mocked(createApiClient).mockReturnValue({
+		GET: vi
+			.fn()
+			.mockResolvedValueOnce({ response: { ok: true }, data: users })
+			.mockResolvedValueOnce({ response: { ok: true }, data: groups })
+			.mockResolvedValueOnce({ response: { ok: true }, data: tags })
+	} as ReturnType<typeof createApiClient>);
+}
+
+beforeEach(() => vi.clearAllMocks());
+
+// ─── permission check ─────────────────────────────────────────────────────────
+
+describe('admin load — permission check', () => {
+	it('throws 403 when user has no ADMIN permission', async () => {
+		await expect(
+			load({ fetch: vi.fn() as unknown as typeof fetch, locals: { user: readOnlyUser } })
+		).rejects.toMatchObject({ status: 403 });
+	});
+
+	it('throws 403 when user is undefined', async () => {
+		await expect(
+			load({ fetch: vi.fn() as unknown as typeof fetch, locals: { user: undefined } })
+		).rejects.toMatchObject({ status: 403 });
+	});
+
+	it('throws 403 when user has no groups', async () => {
+		await expect(
+			load({ fetch: vi.fn() as unknown as typeof fetch, locals: { user: { groups: [] } } })
+		).rejects.toMatchObject({ status: 403 });
+	});
+});
+
+// ─── happy path ───────────────────────────────────────────────────────────────
+
+describe('admin load — happy path', () => {
+	it('returns users, groups, and tags for an admin user', async () => {
+		mockApiReturning(
+			[{ id: 'u1', username: 'alice' }],
+			[{ id: 'g1', name: 'Editors' }],
+			[{ id: 't1', name: 'Familie' }]
+		);
+
+		const result = await load({
+			fetch: vi.fn() as unknown as typeof fetch,
+			locals: { user: adminUser }
+		});
+
+		expect(result.users).toHaveLength(1);
+		expect(result.groups).toHaveLength(1);
+		expect(result.tags).toHaveLength(1);
+	});
+
+	it('returns empty arrays when API returns no data', async () => {
+		mockApiReturning([], [], []);
+
+		const result = await load({
+			fetch: vi.fn() as unknown as typeof fetch,
+			locals: { user: adminUser }
+		});
+
+		expect(result.users).toEqual([]);
+		expect(result.groups).toEqual([]);
+		expect(result.tags).toEqual([]);
+	});
+});