test to ensure only creator can see and edit the entries

Author: mluukkai

tests/admin.spec.ts

@@ -1,7 +1,163 @@
 import { test, expect } from '@playwright/test'
+import { testUser } from './helpers'
 
 test.describe.configure({ mode: 'serial' })
 
+test.describe('entry access control', () => {
+  const baseUrl = 'http://localhost:8000'
+  let createdEntryId: string
+
+  test('admin can create an entry', async () => {
+    // Set user as admin
+    await fetch(`${baseUrl}/mock/user?type=admin`)
+
+    const payload = {
+      data: {
+        '1': 'Admin User',
+        '2': testUser,
+        '3': 'Test Project',
+        '4': 'bilateral',
+        '6': 'university',
+        '8': 'Afghanistan',
+        '9': 'partner',
+        '10': 'agreementNotDone',
+        '11': ['education'],
+        '12': 'mediumDuration',
+        '13': 'noExternalFunding',
+        '16': 'mediumBudget',
+        '17': 'noTransferPersonalData',
+        '20': 'Kardan University',
+        '23': 'noTransferMilitaryKnowledge',
+        '24': 'noSuccessfulCollaboration',
+        '25': 'likelyNoEthicalIssues',
+        faculty: 'H40',
+        unit: 'H528',
+        tuhatProjectExists: 'tuhatOptionNegative',
+      },
+      sessionToken: 'test-session-token',
+      tuhatData: {},
+    }
+
+    const response = await fetch(`${baseUrl}/api/entries/1`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+    })
+
+    expect(response.status).toBe(201)
+    const entry = await response.json()
+    createdEntryId = entry.id
+    expect(createdEntryId).toBeDefined()
+  })
+
+  test('normal user cannot access entry created by admin', async () => {
+    // Change user to normal
+    await fetch(`${baseUrl}/mock/user?type=normal`)
+
+    const response = await fetch(`${baseUrl}/api/entries/${createdEntryId}`, {
+      method: 'GET',
+      headers: { 'Content-Type': 'application/json' },
+    })
+
+    expect(response.status).toBe(401)
+    const data = await response.json()
+    expect(data.error).toContain('Unauthorized')
+  })
+
+  test('normal user cannot edit entry created by admin', async () => {
+    // Ensure user is still normal
+    await fetch(`${baseUrl}/mock/user?type=normal`)
+
+    const payload = {
+      data: {
+        '1': 'Modified by Normal User',
+        '2': testUser,
+        '3': 'Modified Project',
+        '4': 'bilateral',
+        '6': 'university',
+        '8': 'Sweden',
+        '9': 'partner',
+        '10': 'agreementDone',
+        '11': ['education', 'research'],
+        '12': 'mediumDuration',
+        '13': 'noExternalFunding',
+        '16': 'mediumBudget',
+        '17': 'noTransferPersonalData',
+        '20': 'Kardan University',
+        '23': 'noTransferMilitaryKnowledge',
+        '24': 'successfulCollaboration',
+        '25': 'likelyNoEthicalIssues',
+        faculty: 'H40',
+        unit: 'H528',
+        tuhatProjectExists: 'tuhatOptionNegative',
+      },
+      tuhatData: {},
+    }
+
+    const response = await fetch(`${baseUrl}/api/entries/${createdEntryId}`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+    })
+
+    expect(response.status).toBe(401)
+    const data = await response.json()
+    expect(data.error).toContain('Unauthorized')
+  })
+
+  test('admin creator can still access and edit their entry', async () => {
+    // Change back to admin
+    await fetch(`${baseUrl}/mock/user?type=admin`)
+
+    // Test GET
+    const getResponse = await fetch(`${baseUrl}/api/entries/${createdEntryId}`, {
+      method: 'GET',
+      headers: { 'Content-Type': 'application/json' },
+    })
+
+    expect(getResponse.status).toBe(200)
+    const entry = await getResponse.json()
+    expect(entry.id).toBe(createdEntryId)
+
+    // Test PUT
+    const payload = {
+      data: {
+        '1': 'Admin Modified',
+        '2': testUser,
+        '3': 'Admin Modified Project',
+        '4': 'bilateral',
+        '6': 'university',
+        '8': 'Denmark',
+        '9': 'coordinator',
+        '10': 'agreementDone',
+        '11': ['education', 'research'],
+        '12': 'longDuration',
+        '13': 'externalFunding',
+        '16': 'largeBudget',
+        '17': 'noTransferPersonalData',
+        '20': 'Ahlobait University',
+        '23': 'noTransferMilitaryKnowledge',
+        '24': 'successfulCollaboration',
+        '25': 'likelyNoEthicalIssues',
+        faculty: 'H40',
+        unit: 'H528',
+        tuhatProjectExists: 'tuhatOptionNegative',
+      },
+      tuhatData: {},
+    }
+
+    const putResponse = await fetch(`${baseUrl}/api/entries/${createdEntryId}`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+    })
+
+    expect(putResponse.status).toBe(200)
+    const updatedEntry = await putResponse.json()
+    expect(updatedEntry.id).toBe(createdEntryId)
+  })
+})
+
 test.describe('admin endpoints access control', () => {
   const baseUrl = 'http://localhost:8000'
 

tests/api.spec.ts

@@ -297,4 +297,92 @@ test.describe('api', () => {
     expect(updatedEntry.data.updatedData[0].country[0].code).toBe('AF')
     expect(updatedEntry.data.updatedData[1].country[0].code).toBe('SE')
   })
+
+  test('only creator can view and edit an entry', async () => {
+    let mockUserResponse = await fetch(`${baseUrl}/api/mock/user?type=admin`)
+
+    const initialPayload = {
+      data: {
+        '1': 'Admin Creator',
+        '2': testUser,
+        '3': 'Admin Project',
+        '4': 'bilateral',
+        '6': 'university',
+        '8': 'Afghanistan',
+        '9': 'partner',
+        '10': 'agreementNotDone',
+        '11': ['education'],
+        '12': 'mediumDuration',
+        '13': 'noExternalFunding',
+        '16': 'mediumBudget',
+        '17': 'noTransferPersonalData',
+        '20': 'Kardan University',
+        '23': 'noTransferMilitaryKnowledge',
+        '24': 'noSuccessfulCollaboration',
+        '25': 'likelyNoEthicalIssues',
+        faculty: 'H40',
+        unit: 'H528',
+        tuhatProjectExists: 'tuhatOptionNegative',
+      },
+      sessionToken: 'access-control-test-session',
+      tuhatData: {},
+    }
+
+    const createResponse = await fetch(`${baseUrl}/api/entries/1`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(initialPayload),
+    })
+
+    expect(createResponse.status).toBe(201)
+    const createdEntry = await createResponse.json()
+    const entryId = createdEntry.id
+    mockUserResponse = await fetch(`${baseUrl}/api/mock/user?type=normal`)
+    expect(mockUserResponse.status).toBe(200)
+
+    const getResponse = await fetch(`${baseUrl}/api/entries/${entryId}`, {
+      method: 'GET',
+      headers: { 'Content-Type': 'application/json' },
+    })
+
+    expect(getResponse.status).toBe(401)
+    const getError = await getResponse.json()
+    expect(getError.error).toContain('Unauthorized')
+
+    const updatePayload = {
+      data: {
+        '1': 'Unauthorized Edit',
+        '2': testUser,
+        '3': 'Should Not Work',
+        '4': 'bilateral',
+        '6': 'university',
+        '8': 'Sweden',
+        '9': 'partner',
+        '10': 'agreementDone',
+        '11': ['education', 'research'],
+        '12': 'mediumDuration',
+        '13': 'noExternalFunding',
+        '16': 'mediumBudget',
+        '17': 'noTransferPersonalData',
+        '20': 'Kardan University',
+        '23': 'noTransferMilitaryKnowledge',
+        '24': 'successfulCollaboration',
+        '25': 'likelyNoEthicalIssues',
+        faculty: 'H40',
+        unit: 'H528',
+        tuhatProjectExists: 'tuhatOptionNegative',
+      },
+      tuhatData: {},
+    }
+
+    const putResponse = await fetch(`${baseUrl}/api/entries/${entryId}`, {
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(updatePayload),
+    })
+
+    expect(putResponse.status).toBe(401)
+    const putError = await putResponse.json()
+    expect(putError.error).toContain('Unauthorized')
+  })
 })