20cceefbe1
Some checks failed
CI / Backend Unit Tests (pull_request) Failing after 3m23s
CI / Unit & Component Tests (pull_request) Failing after 3m23s
CI / OCR Service Tests (pull_request) Successful in 37s
CI / Unit & Component Tests (push) Failing after 3m36s
CI / OCR Service Tests (push) Successful in 35s
CI / Backend Unit Tests (push) Failing after 3m27s
Adds docs/audits/e2e-coverage-report.md mapping all 12 critical journeys to their test files. Fills the 6 coverage gaps with new e2e tests: - J1: Register via invite code (auth.spec.ts) - J3: Edit document tags via TagInput (documents.spec.ts) - J4: Create brand-new tag via TagInput (documents.spec.ts) - J5: Add SPOUSE_OF relationship on person edit page (persons.spec.ts) - J6: Multi-filter search (text + date, text + tagId) (documents.spec.ts) - J10: Notification bell opens dropdown (notification-deep-link.spec.ts) - J11: Non-admin blocked from /admin/* (permissions.spec.ts) - J12: Mass import trigger shows status (admin.spec.ts) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
103 lines
4.4 KiB
TypeScript
103 lines
4.4 KiB
TypeScript
import { test, expect } from '@playwright/test';
|
|
import { login } from './helpers/auth';
|
|
|
|
/**
|
|
* Permission E2E tests.
|
|
*
|
|
* Two describe blocks form the full story:
|
|
* 1. Admin user — can see all write controls.
|
|
* 2. Read-only user ("reader", seeded in DataInitializer with READ_ALL only) —
|
|
* can browse content but sees no write controls anywhere.
|
|
*/
|
|
|
|
test.describe('Write permissions — admin user', () => {
|
|
test('admin user sees Neues Dokument link on home page', async ({ page }) => {
|
|
await page.goto('/');
|
|
await expect(page.getByRole('link', { name: /Neues Dokument/i })).toBeVisible();
|
|
});
|
|
|
|
test('admin user sees Neue Person link on persons page', async ({ page }) => {
|
|
await page.goto('/persons');
|
|
await expect(page.getByRole('link', { name: /Neue Person/i })).toBeVisible();
|
|
});
|
|
|
|
test('admin user can navigate to /persons/new', async ({ page }) => {
|
|
await page.goto('/persons/new');
|
|
await expect(page).toHaveURL('/persons/new');
|
|
await expect(page.getByLabel('Vorname')).toBeVisible();
|
|
});
|
|
|
|
test('admin user can navigate to /documents/new', async ({ page }) => {
|
|
await page.goto('/documents/new');
|
|
await expect(page).toHaveURL('/documents/new');
|
|
});
|
|
|
|
test('admin user sees edit button on person detail page', async ({ page }) => {
|
|
await page.goto('/persons');
|
|
const firstPerson = page.locator('a[href^="/persons/"]:not([href="/persons/new"])').first();
|
|
await firstPerson.click();
|
|
await expect(page.getByRole('button', { name: /Bearbeiten/i })).toBeVisible();
|
|
});
|
|
});
|
|
|
|
// ── Read-only user journey ─────────────────────────────────────────────────────
|
|
//
|
|
// The "reader" user is seeded by DataInitializer (e2e profile) with READ_ALL only.
|
|
// They can browse documents and persons but must not see any mutation controls.
|
|
|
|
test.describe('Read-only user — no write controls visible', () => {
|
|
// Fresh session — no shared admin cookies
|
|
test.use({ storageState: { cookies: [], origins: [] } });
|
|
|
|
test.beforeEach(async ({ page }) => {
|
|
await login(page, 'reader', 'reader123');
|
|
});
|
|
|
|
test('read-only user is redirected to home after login', async ({ page }) => {
|
|
await expect(page).toHaveURL('/');
|
|
await page.screenshot({ path: 'test-results/e2e/permissions-reader-home.png' });
|
|
});
|
|
|
|
test('home page does not show the "Neues Dokument" link', async ({ page }) => {
|
|
await expect(page.getByRole('link', { name: /Neues Dokument/i })).not.toBeVisible();
|
|
await page.screenshot({ path: 'test-results/e2e/permissions-reader-no-new-doc.png' });
|
|
});
|
|
|
|
test('persons page does not show the "Neue Person" link', async ({ page }) => {
|
|
await page.goto('/persons');
|
|
await expect(page.getByRole('link', { name: /Neue Person/i })).not.toBeVisible();
|
|
await page.screenshot({ path: 'test-results/e2e/permissions-reader-no-new-person.png' });
|
|
});
|
|
|
|
test('person detail page does not show the edit button', async ({ page }) => {
|
|
await page.goto('/persons');
|
|
const firstPerson = page.locator('a[href^="/persons/"]:not([href="/persons/new"])').first();
|
|
await firstPerson.click();
|
|
await page.waitForSelector('[data-hydrated]');
|
|
await expect(page.getByRole('button', { name: /Bearbeiten/i })).not.toBeVisible();
|
|
await page.screenshot({ path: 'test-results/e2e/permissions-reader-no-edit.png' });
|
|
});
|
|
|
|
test('navigating directly to /documents/new redirects away', async ({ page }) => {
|
|
await page.goto('/documents/new');
|
|
// Read-only user should not be able to access the new document form
|
|
await expect(page).not.toHaveURL('/documents/new');
|
|
await page.screenshot({ path: 'test-results/e2e/permissions-reader-no-new-doc-direct.png' });
|
|
});
|
|
|
|
// J11: non-admin user is blocked from /admin/*
|
|
test('navigating to /admin shows a 403 error — not the admin panel', async ({ page }) => {
|
|
await page.goto('/admin');
|
|
// The admin layout throws 403 for any user without an admin permission.
|
|
// SvelteKit renders the error page — verify the admin panel does NOT load.
|
|
await expect(page.getByRole('button', { name: 'Benutzer', exact: true })).not.toBeVisible({
|
|
timeout: 5000
|
|
});
|
|
// The error page should be visible instead (SvelteKit error renders the status code).
|
|
await expect(page.getByText(/403|Zugriff verweigert|Forbidden/i)).toBeVisible({
|
|
timeout: 5000
|
|
});
|
|
await page.screenshot({ path: 'test-results/e2e/permissions-reader-admin-blocked.png' });
|
|
});
|
|
});
|