marcel/familienarchiv
1
0
Fork 0
Code Issues 108 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(geschichten): show blog writers' own drafts on the Geschichten overview (#807) (#813)
Some checks failed
CI / Unit & Component Tests (push) Failing after 3m48s
Details
CI / OCR Service Tests (push) Successful in 22s
Details
CI / Backend Unit Tests (push) Successful in 5m24s
Details
CI / fail2ban Regex (push) Successful in 53s
Details
CI / Semgrep Security Scan (push) Successful in 23s
Details
CI / Compose Bucket Idempotency (push) Successful in 1m9s
Details

Browse Source
This commit was merged in pull request #813.
This commit is contained in:
marcel
2026-06-12 19:46:03 +02:00
parent b33d0eb850
commit 38a6d6b0fc
14 changed files with 316 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
backend/src/test/java/org/raddatz/familienarchiv/geschichte/GeschichteServiceTest.java
View File

@@ -2,6 +2,7 @@ package org.raddatz.familienarchiv.geschichte;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.InjectMocks;
@@ -35,6 +36,7 @@ import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyLong;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.ArgumentMatchers.isNull;
import static org.mockito.Mockito.lenient;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
@@ -228,21 +230,7 @@ class GeschichteServiceTest {
geschichteService.list(null, List.of(), null, 50);
verify(geschichteRepository).findSummaries(any(), any(), any(), anyLong(), any());
}
@Test
void list_passes_null_status_through_for_BLOG_WRITER_so_drafts_are_visible() {
authenticateAs(writer, Permission.BLOG_WRITE);
GeschichteSummary s1 = mock(GeschichteSummary.class);
GeschichteSummary s2 = mock(GeschichteSummary.class);
when(geschichteRepository.findSummaries(any(), any(), any(), anyLong(), any()))
.thenReturn(List.of(s1, s2));
List<GeschichteSummary> out = geschichteService.list(null, List.of(), null, 50);
assertThat(out).hasSize(2);
verify(geschichteRepository).findSummaries(any(), any(), any(), anyLong(), any());
verify(geschichteRepository).findSummaries(eq(GeschichteStatus.PUBLISHED), isNull(), any(), anyLong(), any());
}
@Test
@@ -308,6 +296,33 @@ class GeschichteServiceTest {
assertThat(out).hasSizeLessThanOrEqualTo(200);
}
@Test
@DisplayName("security: null status for blog writer returns PUBLISHED, never leaks drafts")
void list_with_blog_writer_and_null_status_returns_PUBLISHED_not_all_drafts() {
authenticateAs(writer, Permission.BLOG_WRITE);
when(geschichteRepository.findSummaries(any(), any(), any(), anyLong(), any()))
.thenReturn(List.of());
geschichteService.list(null, List.of(), null, 50);
verify(geschichteRepository).findSummaries(
eq(GeschichteStatus.PUBLISHED), isNull(), any(), anyLong(), any());
}
@Test
@DisplayName("security: DRAFT status scopes to current user only")
void list_with_DRAFT_status_scopes_to_current_user_not_all_authors() {
authenticateAs(writer, Permission.BLOG_WRITE);
when(userService.findByEmail(writer.getEmail())).thenReturn(writer);
when(geschichteRepository.findSummaries(any(), any(), any(), anyLong(), any()))
.thenReturn(List.of());
geschichteService.list(GeschichteStatus.DRAFT, List.of(), null, 50);
verify(geschichteRepository).findSummaries(
eq(GeschichteStatus.DRAFT), eq(writer.getId()), any(), anyLong(), any());
}
// ─── create ──────────────────────────────────────────────────────────────
@Test