fix(auth): restore self role lookup and lock regression coverage

2026-05-28 18:39:56 +08:00
parent 11232177d9
commit e46567678f
3 changed files with 52 additions and 5 deletions
--- a/internal/api/handler/handler_test.go
+++ b/internal/api/handler/handler_test.go
@@ -757,18 +757,48 @@ func TestUserHandler_UpdateUserStatus_RequiresAdmin(t *testing.T) {
 	}
 }

-func TestUserHandler_GetUserRoles_ForbiddenForRegularUser(t *testing.T) {
+func TestUserHandler_GetUserRoles_SelfCanView(t *testing.T) {
 	server, cleanup := setupHandlerTestServer(t)
 	defer cleanup()

 	registerUser(server.URL, "rolesuser", "rolesuser@test.com", "UserPass123!")
 	token := getToken(server.URL, "rolesuser", "UserPass123!")

-	resp, _ := doGet(server.URL+"/api/v1/users/1/roles", token)
+	resp, body := doGet(server.URL+"/api/v1/users/1/roles", token)
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		t.Errorf("expected status %d for self role lookup, got %d, body: %s", http.StatusOK, resp.StatusCode, body)
+	}
+}
+
+func TestUserHandler_GetUserRoles_ForbiddenForOtherRegularUser(t *testing.T) {
+	server, cleanup := setupHandlerTestServer(t)
+	defer cleanup()
+
+	registerUser(server.URL, "rolesuser", "rolesuser@test.com", "UserPass123!")
+	registerUser(server.URL, "otherrolesuser", "otherrolesuser@test.com", "UserPass123!")
+	token := getToken(server.URL, "rolesuser", "UserPass123!")
+
+	resp, _ := doGet(server.URL+"/api/v1/users/2/roles", token)
 	defer resp.Body.Close()

 	if resp.StatusCode != http.StatusForbidden {
-		t.Errorf("expected status %d for non-admin user, got %d", http.StatusForbidden, resp.StatusCode)
+		t.Errorf("expected status %d for viewing another user's roles, got %d", http.StatusForbidden, resp.StatusCode)
+	}
+}
+
+func TestUserHandler_GetUserRoles_UnauthorizedWithoutToken(t *testing.T) {
+	server, cleanup := setupHandlerTestServer(t)
+	defer cleanup()
+
+	registerUser(server.URL, "rolesuser", "rolesuser@test.com", "UserPass123!")
+
+	resp, _ := doGet(server.URL+"/api/v1/users/1/roles", "")
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusUnauthorized {
+		t.Errorf("expected status %d without token, got %d", http.StatusUnauthorized, resp.StatusCode)
 	}
 }

@@ -790,6 +820,23 @@ func TestUserHandler_GetUserRoles_AdminCanViewOther(t *testing.T) {
 	}
 }

+func TestUserHandler_GetUserRoles_AdminGetsNotFoundForMissingUser(t *testing.T) {
+	server, cleanup := setupHandlerTestServer(t)
+	defer cleanup()
+
+	token := bootstrapAdminToken(server.URL, "rolesbootstrap", "rolesbootstrap@test.com", "AdminPass123!")
+	if token == "" {
+		t.Fatal("bootstrap admin token should succeed")
+	}
+
+	resp, _ := doGet(server.URL+"/api/v1/users/99999/roles", token)
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusNotFound {
+		t.Errorf("expected status %d for missing user, got %d", http.StatusNotFound, resp.StatusCode)
+	}
+}
+
 func TestUserHandler_AssignRoles_RequiresAdmin(t *testing.T) {
 	server, cleanup := setupHandlerTestServer(t)
 	defer cleanup()
--- a/internal/api/router/router.go
+++ b/internal/api/router/router.go
@@ -212,7 +212,7 @@ func (r *Router) Setup() *gin.Engine {
 				users.DELETE("/:id", middleware.RequirePermission("user:delete"), r.userHandler.DeleteUser)
 				users.PUT("/:id/password", r.userHandler.UpdatePassword)
 				users.PUT("/:id/status", middleware.RequirePermission("user:manage"), r.userHandler.UpdateUserStatus)
-				users.GET("/:id/roles", middleware.RequirePermission("user:manage"), r.userHandler.GetUserRoles)
+				users.GET("/:id/roles", r.userHandler.GetUserRoles)
 				users.PUT("/:id/roles", middleware.RequirePermission("user:manage"), r.userHandler.AssignRoles)
 				users.PUT("/batch/status", middleware.RequirePermission("user:manage"), r.userHandler.BatchUpdateStatus)
 				users.DELETE("/batch", middleware.RequirePermission("user:delete"), r.userHandler.BatchDelete)