Files
app/src/__tests__/plan-update-cap.test.ts
BOHA e11765bf0e fix: resolve all 28 findings from the 2026-06-12 full audit (TDD-pinned)
Critical (data integrity):
- warehouse inventory confirm: throw (not return) inside $transaction so a
  failed deficit line rolls back the surplus corrective receipt — retries
  no longer accumulate phantom stock
- warehouse issue confirm: validate batches against the COMBINED quantity
  of all lines (duplicate FIFO-resolved lines drove batches negative)
- attendance delete: restore vacation_used/sick_used for the deleted day
  (in-transaction, clamped at 0)

High:
- auth refresh: terminated sessions (replaced_at only) get a plain 401 —
  the theft branch (family revocation) now fires only on replaced_by_hash
- POST /users strips role_id for non-admin callers (mirrors PUT guard)
- issued-order transition flushes unsaved edits via the full save payload
  when dirty; server contract (items+status in one PUT) pinned
- received-invoices list: usePaginatedQuery + pager (rows 26+ unreachable)
- received-invoice dates: nullableIsoDateString + NaN guard before NAS save
  (Czech-format dates corrupted month/year, orphaned NAS files)
- leave approval skips Czech public holidays and books each calendar year's
  hours against its own balance (mirrors createLeave)

Medium/Low (classes):
- 52 Zod caps aligned to DB column widths across 7 schemas (over-cap input
  500ed at Prisma instead of a Czech 400)
- FK pre-validation: projects update + warehouse receipts/issues return
  Czech 400s instead of P2003 500s
- invoice PDF degrades gracefully when the CNB rate is unavailable
  (recap omitted instead of 500 + lost NAS archival)
- date boundaries: local-day filters (warehouse lists/reports, audit-log),
  @db.Date coercion on invoice dates
- plan updateEntry re-checks the per-cell cap (self-excluding)
- {id} tiebreaks on customers/received-invoices/warehouse-items sorts;
  /items honors the client sort param
- htmlToPdf relaunches once when the shared browser died mid-render
- offer number release parses the year from the document number (cross-year
  finalize+delete left permanent sequence gaps)
- trips/vehicles km fields integer-coerced; AI budget regated to
  settings.company|settings.system; Settings System tab no longer clobbers
  Firma numbering patterns; draft invoices hide the dead PDF button;
  dashboard quick-trip invalidates ["vehicles"]; TOTP secret cap 64;
  audit-log + invoice month buckets day-shift fixes

Docs: corrected the stale "Chromium has no CSS margin-box footers" claim
(html-to-pdf.ts + CLAUDE.md — margin boxes render since Chrome 131); audit
report M3 withdrawn accordingly.

~65 new pinning tests; every finding reproduced RED against the real test
DB before its fix. Suite: 58 files / 634 tests green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-12 23:00:19 +02:00

107 lines
3.0 KiB
TypeScript

import { describe, it, expect, beforeAll, afterAll } from "vitest";
import prisma from "../config/database";
import { updateEntry } from "../services/plan.service";
/**
* Pinning tests for audit finding M9: updateEntry must re-check the per-cell
* cap (MAX_RECORDS_PER_CELL = 3) when the date range changes — expanding an
* entry onto a day that already holds 3 active entries used to succeed,
* producing a 4th that the grid (capped at 3) silently hides.
*
* The re-check must EXCLUDE the updated entry itself, so editing an at-cap
* entry without moving it stays allowed.
*/
const NOTE = "plan_updcap_test";
let userId: number;
let cappedEntryIds: number[] = [];
let fourthId: number;
const D = (day: number) => new Date(Date.UTC(2099, 6, day)); // July 2099, UTC
async function cleanup() {
await prisma.work_plan_entries.deleteMany({ where: { note: NOTE } });
}
beforeAll(async () => {
await cleanup();
const user = await prisma.users.findFirst({ select: { id: true } });
if (!user) throw new Error("Test setup: no users — seed the database");
userId = user.id;
cappedEntryIds = [];
for (let i = 0; i < 3; i++) {
const entry = await prisma.work_plan_entries.create({
data: {
user_id: userId,
date_from: D(1),
date_to: D(1),
category: "work",
note: NOTE,
created_by: userId,
},
});
cappedEntryIds.push(entry.id);
}
const fourth = await prisma.work_plan_entries.create({
data: {
user_id: userId,
date_from: D(2),
date_to: D(2),
category: "work",
note: NOTE,
created_by: userId,
},
});
fourthId = fourth.id;
});
afterAll(async () => {
await cleanup();
await prisma.$disconnect();
});
describe("updateEntry per-cell cap (audit M9)", () => {
it("rejects expanding an entry onto a day already at the cap", async () => {
const result = await updateEntry(
fourthId,
{ date_from: "2099-07-01", date_to: "2099-07-01" },
userId,
false,
);
expect("error" in result).toBe(true);
if ("error" in result) expect(result.status).toBe(400);
// The entry must not have moved.
const fresh = await prisma.work_plan_entries.findUnique({
where: { id: fourthId },
});
expect(fresh?.date_from.toISOString().slice(0, 10)).toBe("2099-07-02");
});
it("still allows editing an at-cap entry without moving it (self-exclusion)", async () => {
const result = await updateEntry(
cappedEntryIds[0],
{ date_from: "2099-07-01", date_to: "2099-07-01", note: NOTE },
userId,
false,
);
expect("error" in result).toBe(false);
});
it("still allows a note-only edit and a move to a free day", async () => {
const noteOnly = await updateEntry(fourthId, { note: NOTE }, userId, false);
expect("error" in noteOnly).toBe(false);
const move = await updateEntry(
fourthId,
{ date_from: "2099-07-03", date_to: "2099-07-03" },
userId,
false,
);
expect("error" in move).toBe(false);
});
});