steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

Phase 4 — P4-03/04: RBAC + user management #14

Merged
steve merged 30 commits from p4-03-04-rbac-user-mgmt into main 2026-05-05 11:01:44 +01:00
Conversation 0 Commits 30 Files Changed 37
+23
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 95aee73e2c - Show all commits
internal/server/http/rbac_test.go
+23
View File
@@ -94,3 +94,26 @@ func TestRequireRoleUnauthenticated401OnAPI(t *testing.T) {
t.Errorf("status: got %d want 401", rr.Code)
}
}
func TestAdminBandRejectsOperator(t *testing.T) {
t.Parallel()
// This test will start asserting 403 once Task B4 mounts /api/users
// inside the admin band and Task E1 lands the handler. Until then,
// the route 404s — we skip rather than red-flag the suite.
t.Skip("re-enable after B4 route grouping + E1 /api/users handler land")
srv, urlBase := newTestServer(t, false)
makeUser(t, srv, "admin1", store.RoleAdmin)
opID := makeUser(t, srv, "op1", store.RoleOperator)
cookie := loginAs(t, srv, opID)
req, _ := stdhttp.NewRequest("GET", urlBase+"/api/users", nil)
req.AddCookie(cookie)
res, err := stdhttp.DefaultClient.Do(req)
if err != nil {
t.Fatalf("GET: %v", err)
}
defer res.Body.Close()
if res.StatusCode != stdhttp.StatusForbidden {
t.Errorf("status: got %d want 403", res.StatusCode)
}
}