feat(routes): add server-side WRITE_ALL guard on write-only routes

Block direct URL navigation to /persons/new, /documents/new, /documents/:id/edit for users without WRITE_ALL permission. E2E tests verify admin user retains access to all write routes. Closes #17 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 09:47:52 +01:00
parent fde75f3fcf
commit fa4bfb8e5c
4 changed files with 46 additions and 4 deletions
--- a/frontend/e2e/permissions.spec.ts
+++ b/frontend/e2e/permissions.spec.ts
@@ -0,0 +1,31 @@
+import { test, expect } from '@playwright/test';
+
+test.describe('Write permissions — admin user', () => {
+	test('admin user sees Neues Dokument link on home page', async ({ page }) => {
+		await page.goto('/');
+		await expect(page.getByRole('link', { name: /Neues Dokument/i })).toBeVisible();
+	});
+
+	test('admin user sees Neue Person link on persons page', async ({ page }) => {
+		await page.goto('/persons');
+		await expect(page.getByRole('link', { name: /Neue Person/i })).toBeVisible();
+	});
+
+	test('admin user can navigate to /persons/new', async ({ page }) => {
+		await page.goto('/persons/new');
+		await expect(page).toHaveURL('/persons/new');
+		await expect(page.getByLabel('Vorname')).toBeVisible();
+	});
+
+	test('admin user can navigate to /documents/new', async ({ page }) => {
+		await page.goto('/documents/new');
+		await expect(page).toHaveURL('/documents/new');
+	});
+
+	test('admin user sees edit button on person detail page', async ({ page }) => {
+		await page.goto('/persons');
+		const firstPerson = page.locator('a[href^="/persons/"]:not([href="/persons/new"])').first();
+		await firstPerson.click();
+		await expect(page.getByRole('button', { name: /Bearbeiten/i })).toBeVisible();
+	});
+});