MOPC/MOPC-Portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: lunch.upsertPick with role-aware guard + cutoff

Browse Source 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matt
2026-04-29 02:32:42 +02:00
parent 06b171b0d4
commit 9e14775f08
2 changed files with 275 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
tests/unit/lunch-upsert-pick.test.ts Normal file
View File

@@ -0,0 +1,159 @@
import { afterAll, describe, expect, it } from 'vitest'
import { prisma, createCaller } from '../setup'
import {
createTestUser,
createTestProgram,
createTestProject,
cleanupTestData,
uid,
} from '../helpers'
import { lunchRouter } from '@/server/routers/lunch'
const programIds: string[] = []
const userIds: string[] = []
afterAll(async () => {
for (const programId of programIds) {
await prisma.memberLunchPick.deleteMany({
where: { attendingMember: { confirmation: { project: { programId } } } },
})
await prisma.attendingMember.deleteMany({
where: { confirmation: { project: { programId } } },
})
await prisma.finalistConfirmation.deleteMany({ where: { project: { programId } } })
await prisma.dish.deleteMany({ where: { lunchEvent: { programId } } })
await prisma.lunchEvent.deleteMany({ where: { programId } })
await prisma.teamMember.deleteMany({ where: { project: { programId } } })
await cleanupTestData(programId, [])
}
if (userIds.length > 0) {
await prisma.auditLog.deleteMany({ where: { userId: { in: userIds } } })
await prisma.user.deleteMany({ where: { id: { in: userIds } } })
}
})
async function setupTeam(opts: {
cutoffHours?: number
eventAt?: Date
enabled?: boolean
}) {
const program = await createTestProgram({ name: `pick-${uid()}` })
programIds.push(program.id)
const lead = await createTestUser('APPLICANT')
const member = await createTestUser('APPLICANT')
const admin = await createTestUser('SUPER_ADMIN')
userIds.push(lead.id, member.id, admin.id)
const project = await createTestProject(program.id, {
title: `pick-${uid()}`,
competitionCategory: 'STARTUP',
})
await prisma.teamMember.createMany({
data: [
{ projectId: project.id, userId: lead.id, role: 'LEAD' },
{ projectId: project.id, userId: member.id, role: 'MEMBER' },
],
})
const conf = await prisma.finalistConfirmation.create({
data: {
projectId: project.id, category: 'STARTUP', status: 'CONFIRMED',
deadline: new Date(Date.now() + 86_400_000), token: `tok-${uid()}`,
},
})
const am = await prisma.attendingMember.create({
data: { confirmationId: conf.id, userId: member.id },
})
const event = await prisma.lunchEvent.create({
data: {
programId: program.id,
enabled: opts.enabled ?? true,
eventAt: opts.eventAt ?? new Date(Date.now() + 7 * 86_400_000),
changeCutoffHours: opts.cutoffHours ?? 48,
},
})
const dish = await prisma.dish.create({
data: { lunchEventId: event.id, name: 'Risotto', dietaryTags: ['VEGETARIAN'] },
})
await prisma.memberLunchPick.create({ data: { attendingMemberId: am.id } })
return { program, lead, member, admin, project, attendingMember: am, dish, event }
}
function callerFor(user: { id: string; email: string; role: string }) {
return createCaller(lunchRouter, user)
}
describe('lunch.upsertPick', () => {
it('member can edit their own pick before deadline', async () => {
const t = await setupTeam({})
const caller = callerFor({ id: t.member.id, email: t.member.email, role: 'APPLICANT' })
const result = await caller.upsertPick({
attendingMemberId: t.attendingMember.id, dishId: t.dish.id,
allergens: ['GLUTEN'], allergenOther: null,
})
expect(result.dishId).toBe(t.dish.id)
expect(result.pickedAt).not.toBeNull()
const audit = await prisma.auditLog.findFirst({
where: { action: 'LUNCH_PICK_UPDATED', entityId: result.id },
orderBy: { timestamp: 'desc' },
})
expect((audit?.detailsJson as Record<string, unknown> | null)?.actorRole).toBe('SELF')
})
it('team lead can edit a teammate pick before deadline', async () => {
const t = await setupTeam({})
const caller = callerFor({ id: t.lead.id, email: t.lead.email, role: 'APPLICANT' })
const result = await caller.upsertPick({
attendingMemberId: t.attendingMember.id, dishId: t.dish.id,
allergens: [], allergenOther: null,
})
expect(result.dishId).toBe(t.dish.id)
const audit = await prisma.auditLog.findFirst({
where: { action: 'LUNCH_PICK_UPDATED', entityId: result.id },
orderBy: { timestamp: 'desc' },
})
expect((audit?.detailsJson as Record<string, unknown> | null)?.actorRole).toBe('TEAM_LEAD')
})
it('non-team-member is forbidden', async () => {
const t = await setupTeam({})
const stranger = await createTestUser('APPLICANT')
userIds.push(stranger.id)
const caller = callerFor({ id: stranger.id, email: stranger.email, role: 'APPLICANT' })
await expect(
caller.upsertPick({
attendingMemberId: t.attendingMember.id, dishId: t.dish.id,
allergens: [], allergenOther: null,
}),
).rejects.toThrow(/not allowed/i)
})
it('member cannot edit their own pick after deadline', async () => {
// event is "now + 1h", cutoffHours = 24 -> deadline already passed
const t = await setupTeam({
eventAt: new Date(Date.now() + 60 * 60 * 1000), cutoffHours: 24,
})
const caller = callerFor({ id: t.member.id, email: t.member.email, role: 'APPLICANT' })
await expect(
caller.upsertPick({
attendingMemberId: t.attendingMember.id, dishId: t.dish.id,
allergens: [], allergenOther: null,
}),
).rejects.toThrow(/deadline/i)
})
it('admin can edit after deadline; audit records ADMIN role', async () => {
const t = await setupTeam({
eventAt: new Date(Date.now() + 60 * 60 * 1000), cutoffHours: 24,
})
const caller = callerFor({ id: t.admin.id, email: t.admin.email, role: 'SUPER_ADMIN' })
const result = await caller.upsertPick({
attendingMemberId: t.attendingMember.id, dishId: t.dish.id,
allergens: [], allergenOther: null,
})
expect(result.dishId).toBe(t.dish.id)
const audit = await prisma.auditLog.findFirst({
where: { action: 'LUNCH_PICK_UPDATED', entityId: result.id },
orderBy: { timestamp: 'desc' },
})
expect((audit?.detailsJson as Record<string, unknown> | null)?.actorRole).toBe('ADMIN')
})
})