feat(plan): listEntries/listOverrides with employee scoping

This commit is contained in:
BOHA
2026-06-05 12:33:20 +02:00
parent fb022802ae
commit ef404e4362
2 changed files with 121 additions and 0 deletions

View File

@@ -11,6 +11,8 @@ import {
createOverride,
updateOverride,
deleteOverride,
listEntries,
listOverrides,
} from "../services/plan.service";
// ---------------------------------------------------------------------------
@@ -21,6 +23,7 @@ import {
const N = "wh_plan_";
let adminUserId: number;
let noPermUserId: number;
beforeAll(async () => {
// Pick the first admin user from the test database as our fixture.
@@ -31,6 +34,12 @@ beforeAll(async () => {
});
if (!admin) throw new Error("Test setup: admin user not found");
adminUserId = admin.id;
// For list-scoping tests: any non-admin user that is NOT the admin we use
// for create tests. Just pick the second user.
const allUsers = await prisma.users.findMany({ take: 2 });
noPermUserId =
allUsers.find((u) => u.id !== adminUserId)?.id ?? allUsers[0].id;
});
beforeEach(async () => {
@@ -490,3 +499,70 @@ describe("plan.service.deleteOverride", () => {
expect(still?.is_deleted).toBe(true);
});
});
// ---------------------------------------------------------------------------
// listEntries / listOverrides (employee scoping)
// ---------------------------------------------------------------------------
describe("plan.service.listEntries (employee scoping)", () => {
it("returns entries for the actor user when scoped", async () => {
await createEntry(
{
user_id: adminUserId,
date_from: "2098-01-01",
date_to: "2098-01-05",
category: "work",
note: `${N}scope test`,
},
adminUserId,
false,
);
const rows = await listEntries(
{ user_id: adminUserId, date_from: "2098-01-01", date_to: "2098-01-31" },
adminUserId,
true, // isAdmin
);
expect(rows.length).toBeGreaterThan(0);
});
it("scopes non-admin to actor user_id when querying for another user", async () => {
await createEntry(
{
user_id: adminUserId,
date_from: "2098-02-01",
date_to: "2098-02-05",
category: "work",
note: `${N}admin entry`,
},
adminUserId,
false,
);
const rows = await listEntries(
{ user_id: adminUserId, date_from: "2098-02-01", date_to: "2098-02-28" },
noPermUserId,
false, // not admin
);
expect(rows).toEqual([]);
});
});
describe("plan.service.listOverrides (employee scoping)", () => {
it("scopes non-admin to actor user_id", async () => {
await createOverride(
{
user_id: adminUserId,
shift_date: "2098-03-01",
category: "leave",
note: `${N}admin override`,
},
adminUserId,
false,
);
const rows = await listOverrides(
{ user_id: adminUserId, date_from: "2098-03-01", date_to: "2098-03-31" },
noPermUserId,
false,
);
expect(rows).toEqual([]);
});
});

View File

@@ -541,3 +541,48 @@ export async function deleteOverride(
return { data: { ok: true }, oldData: existing };
}
// ---------------------------------------------------------------------------
// Raw-row list endpoints
// ---------------------------------------------------------------------------
/** List raw work_plan_entries rows in a date range, excluding soft-deleted.
* When isAdmin is false, the user_id filter is forced to the actor's own id
* (so a non-admin cannot read another user's plan via the user_id query param). */
export async function listEntries(
query: { user_id?: number; date_from: string; date_to: string },
actorUserId: number,
isAdmin: boolean,
) {
const effectiveUserId = isAdmin ? query.user_id : actorUserId;
return prisma.work_plan_entries.findMany({
where: {
user_id: effectiveUserId,
is_deleted: false,
date_from: { lte: toDateOnly(query.date_to) },
date_to: { gte: toDateOnly(query.date_from) },
},
orderBy: [{ date_from: "asc" }, { id: "asc" }],
});
}
/** List raw work_plan_overrides rows in a date range, excluding soft-deleted.
* Same employee-scoping rules as listEntries. */
export async function listOverrides(
query: { user_id?: number; date_from: string; date_to: string },
actorUserId: number,
isAdmin: boolean,
) {
const effectiveUserId = isAdmin ? query.user_id : actorUserId;
return prisma.work_plan_overrides.findMany({
where: {
user_id: effectiveUserId,
is_deleted: false,
shift_date: {
gte: toDateOnly(query.date_from),
lte: toDateOnly(query.date_to),
},
},
orderBy: [{ shift_date: "asc" }, { id: "asc" }],
});
}