test(tag): explicitly stub the subtree rollup query in getTagTree tests (#698 )

Address review nit: the older getTagTree tests relied on Mockito's default empty-list return for findSubtreeDocumentCountsPerTag. Stub it explicitly so the two-query contract is self-documenting. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
test(admin-tags): pin merge/delete previews to the direct count (#698 )
2026-05-31 12:57:41 +02:00 · 2026-05-31 12:57:41 +02:00 · 2026-05-31 12:57:41 +02:00 · 2026-05-31 12:57:41 +02:00 · 2026-05-31 12:57:41 +02:00 · 2026-05-31 12:57:41 +02:00
3 changed files with 34 additions and 1 deletions
--- a/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentControllerTest.java
@@ -297,6 +297,13 @@ class DocumentControllerTest {
                .andExpect(status().isForbidden());
    }

+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void createDocument_returns403_forReaderOnly() throws Exception {
+        mockMvc.perform(multipart("/api/documents").with(csrf()))
+                .andExpect(status().isForbidden());
+    }
+
    @Test
    @WithMockUser(authorities = "WRITE_ALL")
    void createDocument_returns200_whenHasWritePermission() throws Exception {
@@ -414,6 +421,13 @@ class DocumentControllerTest {
                .andExpect(status().isForbidden());
    }

+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void quickUpload_returns403_forReaderOnly() throws Exception {
+        mockMvc.perform(multipart("/api/documents/quick-upload").with(csrf()))
+                .andExpect(status().isForbidden());
+    }
+
    @Test
    @WithMockUser(authorities = "WRITE_ALL")
    void quickUpload_returns200_withValidPdfFile() throws Exception {
--- a/frontend/src/routes/+layout.svelte
+++ b/frontend/src/routes/+layout.svelte
@@ -43,6 +43,8 @@ const isAdmin = $derived(
 	data?.user?.groups?.some((g: { permissions: string[] }) => g.permissions.includes('ADMIN'))
 );

+const canUpload = $derived(Boolean(data?.user && data.canWrite));
+
 // Set after client-side hydration completes. Used by E2E tests to know the
 // page is interactive (event handlers registered) before they interact with it.
 let hydrated = $state(false);
@@ -75,7 +77,7 @@ const userInitials = $derived.by(() => {

 					<!-- Right Side -->
 					<div class="flex items-center gap-3">
-						{#if data?.user}
+						{#if canUpload}
 							<a
 								href="/documents/new"
 								aria-label={m.upload_action()}
--- a/frontend/src/routes/layout.svelte.spec.ts
+++ b/frontend/src/routes/layout.svelte.spec.ts
@@ -83,6 +83,23 @@ describe('Layout – upload link', () => {
 		const link = page.getByRole('link', { name: /Hochladen|Upload|Subir/i });
 		await expect.element(link).toHaveAttribute('href', '/documents/new');
 	});
+
+	it('is hidden for a user without WRITE_ALL', async () => {
+		render(Layout, { data: makeData({ canWrite: false }), children: emptySnippet });
+		await expect
+			.element(page.getByRole('link', { name: /Hochladen|Upload|Subir/i }))
+			.not.toBeInTheDocument();
+	});
+
+	it('is hidden for an ANNOTATE_ALL-only user (gate is lack of WRITE_ALL, not READ_ALL)', async () => {
+		render(Layout, {
+			data: makeData({ canWrite: false, canAnnotate: true }),
+			children: emptySnippet
+		});
+		await expect
+			.element(page.getByRole('link', { name: /Hochladen|Upload|Subir/i }))
+			.not.toBeInTheDocument();
+	});
 });

 // ─── Dropdown ─────────────────────────────────────────────────────────────────
Author	SHA1	Message	Date
Marcel	a76999c3d4	test(tag): explicitly stub the subtree rollup query in getTagTree tests (#698 ) Some checks failed CI / Unit & Component Tests (pull_request) Successful in 3m19s Details CI / OCR Service Tests (pull_request) Successful in 19s Details CI / Backend Unit Tests (pull_request) Successful in 3m22s Details CI / fail2ban Regex (pull_request) Successful in 43s Details CI / Semgrep Security Scan (pull_request) Successful in 20s Details CI / Compose Bucket Idempotency (pull_request) Has been cancelled Details CI / Unit & Component Tests (push) Successful in 3m18s Details CI / OCR Service Tests (push) Successful in 21s Details CI / Backend Unit Tests (push) Successful in 3m25s Details CI / fail2ban Regex (push) Successful in 43s Details CI / Semgrep Security Scan (push) Successful in 20s Details CI / Compose Bucket Idempotency (push) Successful in 29s Details Address review nit: the older getTagTree tests relied on Mockito's default empty-list return for findSubtreeDocumentCountsPerTag. Stub it explicitly so the two-query contract is self-documenting. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 12:57:41 +02:00
Marcel	6d4aa8bd5c	test(admin-tags): pin merge/delete previews to the direct count (#698 ) Characterization tests for AC#8: the merge preview and the delete-impact warning describe direct-document operations, so they must report the tag's direct documentCount, never a subtree rollup. Both tests pass a stray subtreeDocumentCount and assert it does not leak into the preview, so a future change can't silently desync a destructive-action preview. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 12:57:41 +02:00
Marcel	1fc74f8892	test(tag): add subtreeDocumentCount to admin tree fixtures (#698 ) TagTreeNodeDTO now requires subtreeDocumentCount, so the admin sidebar test fixtures (TagTreeNode, TagsListPanel) need the field to type-check. The admin sidebar still renders the direct documentCount — these fixtures only gain the new field, no behaviour change. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 12:57:41 +02:00
Marcel	29ea27319a	feat(themen): show the subtree rollup count on reader surfaces (#698 ) The /themen page (box header, child rows, aria-labels) and the dashboard ThemenWidget now display subtreeDocumentCount instead of the direct documentCount, so a topic's number reflects its whole sub-topic tree and matches what /documents?tag=X actually returns. A parent with 0 direct documents but documents under its children now shows a non-zero total. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 12:57:41 +02:00
Marcel	16f1fe7616	feat(themen): key reader tag visibility on the subtree rollup (#698 ) Regenerate the TagTreeNodeDTO type with subtreeDocumentCount and switch hasAnyDocuments to read it directly — the backend rollup already includes all descendants, so the recursive children walk is no longer needed. Reader surfaces now hide a topic only when its whole subtree is empty. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 12:57:41 +02:00
Marcel	5ea47d4ec7	docs(tag): document the dual document counts on the tag tree (#698 ) Record that getTagTree returns both documentCount (direct, read by admin surfaces) and subtreeDocumentCount (rollup, read by the reader surfaces), matching the corrected getTagTree JavaDoc. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 12:57:41 +02:00
Marcel	2f1538754e	test(tag): validate subtree rollup CTE against real Postgres (#698 ) Cover AC#1-4 (leaf=direct, distinct overlap counted once, full descendant depth), REQ-THEMEN-05 (empty subtree absent), REQ-THEMEN-06 (cycle terminates via the 50-level guard) and AC#7 (rollup equals distinct documents found by the real tag-search expansion — count↔destination parity). Testcontainers postgres:16-alpine since the recursive CTE + COUNT(DISTINCT) needs real PG. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 12:57:41 +02:00
Marcel	138bf446e4	feat(tag): add subtree document-count rollup to tag tree (#698 ) Add subtreeDocumentCount to TagTreeNodeDTO, populated by a new recursive-CTE aggregate query that builds a tag closure and counts distinct documents per ancestor subtree. The direct documentCount is unchanged; getTagTree now maps both counts onto each node from two aggregate queries (no N+1). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>	2026-05-31 12:57:41 +02:00
Marcel	944370dcfd	refactor(layout): extract canUpload derived for the upload-button gate (#696 ) All checks were successful CI / Unit & Component Tests (pull_request) Successful in 3m18s Details CI / OCR Service Tests (pull_request) Successful in 21s Details CI / Backend Unit Tests (pull_request) Successful in 3m27s Details CI / fail2ban Regex (pull_request) Successful in 43s Details CI / Semgrep Security Scan (pull_request) Successful in 19s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m2s Details CI / Unit & Component Tests (push) Successful in 3m18s Details CI / OCR Service Tests (push) Successful in 19s Details CI / Backend Unit Tests (push) Successful in 3m19s Details CI / fail2ban Regex (push) Successful in 43s Details CI / Semgrep Security Scan (push) Successful in 19s Details CI / Compose Bucket Idempotency (push) Successful in 1m1s Details Move the inline {#if data?.user && data.canWrite} condition into a named $derived, matching the existing isAdmin / isAuthPage derivations in the same file. No behaviour change — the 11 layout specs stay green. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-31 11:22:09 +02:00
Marcel	5edefdd082	test(document): document READ_ALL -> 403 on document write endpoints (#696 ) Some checks failed CI / Unit & Component Tests (pull_request) Failing after 2m36s Details CI / OCR Service Tests (pull_request) Successful in 21s Details CI / Backend Unit Tests (pull_request) Successful in 3m25s Details CI / fail2ban Regex (pull_request) Successful in 43s Details CI / Semgrep Security Scan (pull_request) Successful in 20s Details CI / Compose Bucket Idempotency (pull_request) Successful in 1m1s Details Hiding the header upload button is UI polish; the real control is endpoint authz. Add explicit READ_ALL-only 403 boundary tests for POST /api/documents and POST /api/documents/quick-upload, matching the reader-only convention already used elsewhere in this suite. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-31 11:11:17 +02:00
Marcel	97274beba0	test(layout): lock upload-button gate against ANNOTATE_ALL-only users (#696 ) Documents that the gate keys on lack of WRITE_ALL, not on being READ_ALL: an ANNOTATE_ALL-only user (canWrite=false) must still not see the upload link. The writer-sees-it contract is already covered by the existing upload-link tests. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-31 11:08:51 +02:00
Marcel	c3652f5b57	fix(ui): hide header upload button from non-writers (#696 ) The header "Hochladen" link was gated only on {#if data?.user}, so a reader without WRITE_ALL saw it, clicked it, and got bounced by the server-side redirect in documents/new — confusing friction on the main read journey. Gate it on data.canWrite (already on the layout data). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-31 11:07:35 +02:00