Marcel 8fc360a596 fix(admin): guard GET /api/users/{id} with @RequirePermission(ADMIN_USER)
Fixes IDOR: the endpoint was accessible to any authenticated user.
Now requires ADMIN_USER permission, matching all other user management endpoints.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 01:09:40 +02:00

import { afterEach, describe, expect, it, vi } from 'vitest';
import { cleanup, render } from 'vitest-browser-svelte';
import { page } from 'vitest/browser';
import Page from './+page.svelte';
// Stub SvelteKit's progressive-enhancement action: the returned action is a
// no-op, so nothing in these tests submits the form or touches the network.
vi.mock('$app/forms', () => ({ enhance: () => () => {} }));

// Fixture groups offered as checkboxes on the page. The permission strings are
// test data only; they are never evaluated by the tests below.
const editorGroup = { id: 'g1', name: 'Editoren', permissions: ['WRITE_ALL'] };
const adminGroup = { id: 'g2', name: 'Admins', permissions: ['ADMIN'] };
const groups = [editorGroup, adminGroup];

// Page data shared by every case. No case in this file varies canWrite or
// canAnnotate, so the read-only/restricted rendering paths are not covered here.
const baseData = {
  user: undefined,
  canWrite: true,
  canAnnotate: false,
  groups
};

afterEach(cleanup);
// ─── Rendering ────────────────────────────────────────────────────────────────
describe('Admin new user page rendering', () => {
  // Every case mounts the page with the shared fixture and no action result.
  const mount = () => render(Page, { data: baseData, form: null });

  it('renders the page heading', async () => {
    mount();
    const heading = page.getByText(/Neuen Benutzer anlegen/i);
    await expect.element(heading).toBeInTheDocument();
  });

  it('renders the login input', async () => {
    mount();
    const loginField = page.getByRole('textbox', { name: /Login/i });
    await expect.element(loginField).toBeInTheDocument();
  });

  it('renders group checkboxes for each available group', async () => {
    mount();
    // Only the group labels are asserted; the checkbox role itself is not checked.
    await expect.element(page.getByText('Editoren')).toBeInTheDocument();
    await expect.element(page.getByText('Admins')).toBeInTheDocument();
  });

  it('cancel link points to /admin/users', async () => {
    mount();
    const cancelLink = page.getByRole('link', { name: /Abbrechen/i });
    await expect.element(cancelLink).toHaveAttribute('href', '/admin/users');
  });

  it('renders the create button', async () => {
    mount();
    const submitButton = page.getByRole('button', { name: /Erstellen/i });
    await expect.element(submitButton).toBeInTheDocument();
  });
});
// ─── Error display ────────────────────────────────────────────────────────────
describe('Admin new user page error display', () => {
  const failureText = 'Ein Fehler ist aufgetreten.';

  // Mount the page with the shared fixture and the given action result.
  const mountWith = (form: { error: string } | null) =>
    render(Page, { data: baseData, form });

  it('shows the error message when form has an error', async () => {
    mountWith({ error: failureText });
    await expect.element(page.getByText(failureText)).toBeInTheDocument();
  });

  it('does not show error section when form is null', async () => {
    mountWith(null);
    // NOTE(review): only this literal text is asserted absent, so a differently
    // worded error would still pass. Asserting on the error container itself
    // would be stronger if the page exposes one (e.g. through a role).
    await expect.element(page.getByText(failureText)).not.toBeInTheDocument();
  });
});