Critical (data integrity):
- warehouse inventory confirm: throw (not return) inside $transaction so a
failed deficit line rolls back the surplus corrective receipt — retries
no longer accumulate phantom stock
- warehouse issue confirm: validate batches against the COMBINED quantity
of all lines (duplicate FIFO-resolved lines drove batches negative)
- attendance delete: restore vacation_used/sick_used for the deleted day
(in-transaction, clamped at 0)
High:
- auth refresh: terminated sessions (replaced_at only) get a plain 401 —
the theft branch (family revocation) now fires only on replaced_by_hash
- POST /users strips role_id for non-admin callers (mirrors PUT guard)
- issued-order transition flushes unsaved edits via the full save payload
when dirty; server contract (items+status in one PUT) pinned
- received-invoices list: usePaginatedQuery + pager (rows 26+ unreachable)
- received-invoice dates: nullableIsoDateString + NaN guard before NAS save
(Czech-format dates corrupted month/year, orphaned NAS files)
- leave approval skips Czech public holidays and books each calendar year's
hours against its own balance (mirrors createLeave)
Medium/Low (classes):
- 52 Zod caps aligned to DB column widths across 7 schemas (over-cap input
500ed at Prisma instead of a Czech 400)
- FK pre-validation: projects update + warehouse receipts/issues return
Czech 400s instead of P2003 500s
- invoice PDF degrades gracefully when the CNB rate is unavailable
(recap omitted instead of 500 + lost NAS archival)
- date boundaries: local-day filters (warehouse lists/reports, audit-log),
@db.Date coercion on invoice dates
- plan updateEntry re-checks the per-cell cap (self-excluding)
- {id} tiebreaks on customers/received-invoices/warehouse-items sorts;
/items honors the client sort param
- htmlToPdf relaunches once when the shared browser died mid-render
- offer number release parses the year from the document number (cross-year
finalize+delete left permanent sequence gaps)
- trips/vehicles km fields integer-coerced; AI budget regated to
settings.company|settings.system; Settings System tab no longer clobbers
Firma numbering patterns; draft invoices hide the dead PDF button;
dashboard quick-trip invalidates ["vehicles"]; TOTP secret cap 64;
audit-log + invoice month buckets day-shift fixes
Docs: corrected the stale "Chromium has no CSS margin-box footers" claim
(html-to-pdf.ts + CLAUDE.md — margin boxes render since Chrome 131); audit
report M3 withdrawn accordingly.
~65 new pinning tests; every finding reproduced RED against the real test
DB before its fix. Suite: 58 files / 634 tests green.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
107 lines
3.0 KiB
TypeScript
107 lines
3.0 KiB
TypeScript
import { describe, it, expect, beforeAll, afterAll } from "vitest";
|
|
import prisma from "../config/database";
|
|
import { updateEntry } from "../services/plan.service";
|
|
|
|
/**
|
|
* Pinning tests for audit finding M9: updateEntry must re-check the per-cell
|
|
* cap (MAX_RECORDS_PER_CELL = 3) when the date range changes — expanding an
|
|
* entry onto a day that already holds 3 active entries used to succeed,
|
|
* producing a 4th that the grid (capped at 3) silently hides.
|
|
*
|
|
* The re-check must EXCLUDE the updated entry itself, so editing an at-cap
|
|
* entry without moving it stays allowed.
|
|
*/
|
|
|
|
const NOTE = "plan_updcap_test";
|
|
|
|
let userId: number;
|
|
let cappedEntryIds: number[] = [];
|
|
let fourthId: number;
|
|
|
|
const D = (day: number) => new Date(Date.UTC(2099, 6, day)); // July 2099, UTC
|
|
|
|
async function cleanup() {
|
|
await prisma.work_plan_entries.deleteMany({ where: { note: NOTE } });
|
|
}
|
|
|
|
beforeAll(async () => {
|
|
await cleanup();
|
|
const user = await prisma.users.findFirst({ select: { id: true } });
|
|
if (!user) throw new Error("Test setup: no users — seed the database");
|
|
userId = user.id;
|
|
|
|
cappedEntryIds = [];
|
|
for (let i = 0; i < 3; i++) {
|
|
const entry = await prisma.work_plan_entries.create({
|
|
data: {
|
|
user_id: userId,
|
|
date_from: D(1),
|
|
date_to: D(1),
|
|
category: "work",
|
|
note: NOTE,
|
|
created_by: userId,
|
|
},
|
|
});
|
|
cappedEntryIds.push(entry.id);
|
|
}
|
|
const fourth = await prisma.work_plan_entries.create({
|
|
data: {
|
|
user_id: userId,
|
|
date_from: D(2),
|
|
date_to: D(2),
|
|
category: "work",
|
|
note: NOTE,
|
|
created_by: userId,
|
|
},
|
|
});
|
|
fourthId = fourth.id;
|
|
});
|
|
|
|
afterAll(async () => {
|
|
await cleanup();
|
|
await prisma.$disconnect();
|
|
});
|
|
|
|
describe("updateEntry per-cell cap (audit M9)", () => {
|
|
it("rejects expanding an entry onto a day already at the cap", async () => {
|
|
const result = await updateEntry(
|
|
fourthId,
|
|
{ date_from: "2099-07-01", date_to: "2099-07-01" },
|
|
userId,
|
|
false,
|
|
);
|
|
|
|
expect("error" in result).toBe(true);
|
|
if ("error" in result) expect(result.status).toBe(400);
|
|
|
|
// The entry must not have moved.
|
|
const fresh = await prisma.work_plan_entries.findUnique({
|
|
where: { id: fourthId },
|
|
});
|
|
expect(fresh?.date_from.toISOString().slice(0, 10)).toBe("2099-07-02");
|
|
});
|
|
|
|
it("still allows editing an at-cap entry without moving it (self-exclusion)", async () => {
|
|
const result = await updateEntry(
|
|
cappedEntryIds[0],
|
|
{ date_from: "2099-07-01", date_to: "2099-07-01", note: NOTE },
|
|
userId,
|
|
false,
|
|
);
|
|
expect("error" in result).toBe(false);
|
|
});
|
|
|
|
it("still allows a note-only edit and a move to a free day", async () => {
|
|
const noteOnly = await updateEntry(fourthId, { note: NOTE }, userId, false);
|
|
expect("error" in noteOnly).toBe(false);
|
|
|
|
const move = await updateEntry(
|
|
fourthId,
|
|
{ date_from: "2099-07-03", date_to: "2099-07-03" },
|
|
userId,
|
|
false,
|
|
);
|
|
expect("error" in move).toBe(false);
|
|
});
|
|
});
|