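package role

import (
	"errors"
	"testing"
	"time"

	roleModel "perms-system-server/internal/model/role"
	"perms-system-server/internal/response"
	"perms-system-server/internal/svc"
	"perms-system-server/internal/testutil"
	"perms-system-server/internal/testutil/ctxhelper"
	"perms-system-server/internal/types"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// These tests pin the authorization rules around changing a role's PermsLevel
// through UpdateRole (finding L-3): which callers may move the level in which
// direction, and which values are rejected outright.
//
// NOTE(review): whether a numerically lower PermsLevel means more or less
// privilege is not visible in this file; the tests only fix the direction of
// change that each caller is allowed to make. Confirm against the role model.

// TestUpdateRole_NonSuperAdminCannotDemoteLevel covers TC-0730 (L-3 fix): a
// product admin who is not a super admin must not be able to lower a role's
// PermsLevel. The request has to fail with a 403 CodeError and the stored row
// must be left untouched.
func TestUpdateRole_NonSuperAdminCannotDemoteLevel(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()

	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	// Keep the seeded name so the test can prove the denied request changed
	// nothing, not just that PermsLevel survived.
	origName := testutil.UniqueId()
	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc,
		Name:        origName,
		Status:      1,
		PermsLevel:  100,
		CreateTime:  now,
		UpdateTime:  now,
	})
	require.NoError(t, err)
	// A failed LastInsertId would leave roleId at 0 and make every later
	// assertion run against the wrong row, so fail fast instead of ignoring it.
	roleId, err := roleRes.LastInsertId()
	require.NoError(t, err)
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	// The update is issued with the product-admin context, not the super-admin
	// context used for fixture setup.
	adminCtx := ctxhelper.AdminCtx(pc)
	err = NewUpdateRoleLogic(adminCtx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id:         roleId,
		Name:       "low",
		Remark:     "demote attempt",
		PermsLevel: 10,
	})
	require.Error(t, err)

	var ce *response.CodeError
	require.True(t, errors.As(err, &ce))
	assert.Equal(t, 403, ce.Code())
	assert.Contains(t, ce.Error(), "不能降低角色的权限级别")

	// A denied request must not be partially applied.
	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(100), persisted.PermsLevel, "PermsLevel 必须保持不变")
	assert.Equal(t, origName, persisted.Name, "a rejected update must not change the role name")
}

// TestUpdateRole_NonSuperAdminCanRaiseOrKeepLevel covers TC-0731 (L-3 fix): a
// product admin who is not a super admin may keep a role's PermsLevel as it is
// or raise it.
func TestUpdateRole_NonSuperAdminCanRaiseOrKeepLevel(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()

	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc,
		Name:        testutil.UniqueId(),
		Status:      1,
		PermsLevel:  100,
		CreateTime:  now,
		UpdateTime:  now,
	})
	require.NoError(t, err)
	// Do not continue with a zero id if the driver could not report it.
	roleId, err := roleRes.LastInsertId()
	require.NoError(t, err)
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	adminCtx := ctxhelper.AdminCtx(pc)

	// Same level as stored: allowed.
	require.NoError(t, NewUpdateRoleLogic(adminCtx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id:         roleId,
		Name:       "keep",
		Remark:     "keep level",
		PermsLevel: 100,
	}), "PermsLevel 保持不变应允许")

	// Higher level than stored: allowed.
	require.NoError(t, NewUpdateRoleLogic(adminCtx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id:         roleId,
		Name:       "raise",
		Remark:     "raise level",
		PermsLevel: 500,
	}), "PermsLevel 提升应允许")

	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(500), persisted.PermsLevel)
}

// TestUpdateRole_SuperAdminCanDemoteLevel covers TC-0732 (L-3): the super admin
// is exempt from the demotion restriction and may lower PermsLevel freely.
func TestUpdateRole_SuperAdminCanDemoteLevel(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()

	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc,
		Name:        testutil.UniqueId(),
		Status:      1,
		PermsLevel:  500,
		CreateTime:  now,
		UpdateTime:  now,
	})
	require.NoError(t, err)
	// Do not continue with a zero id if the driver could not report it.
	roleId, err := roleRes.LastInsertId()
	require.NoError(t, err)
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	// Issued with the super-admin context on purpose.
	require.NoError(t, NewUpdateRoleLogic(ctx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id:         roleId,
		Name:       "down",
		Remark:     "superadmin demote",
		PermsLevel: 10,
	}))

	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(10), persisted.PermsLevel)
}

// TestUpdateRole_PermsLevelBoundary covers TC-0733 (L-3): out-of-range
// PermsLevel values are rejected with a 400 CodeError. The requests are sent
// with the super-admin context, so the check shows that range validation is
// not bypassed by privilege.
func TestUpdateRole_PermsLevelBoundary(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()

	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc,
		Name:        testutil.UniqueId(),
		Status:      1,
		PermsLevel:  50,
		CreateTime:  now,
		UpdateTime:  now,
	})
	require.NoError(t, err)
	// Do not continue with a zero id if the driver could not report it.
	roleId, err := roleRes.LastInsertId()
	require.NoError(t, err)
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	// NOTE(review): only rejected values are exercised; the accepted edges of
	// the range are not visible here and are therefore not asserted.
	for _, level := range []int64{0, -1, 1000, 10000} {
		err := NewUpdateRoleLogic(ctx, svcCtx).UpdateRole(&types.UpdateRoleReq{
			Id:         roleId,
			Name:       "b",
			PermsLevel: level,
		})
		require.Error(t, err, "PermsLevel=%d 应当被拒", level)

		var ce *response.CodeError
		require.True(t, errors.As(err, &ce))
		assert.Equal(t, 400, ce.Code())
	}

	// An error code alone does not prove the write was skipped; confirm that
	// none of the rejected values reached the stored row.
	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(50), persisted.PermsLevel, "rejected PermsLevel values must not be persisted")
}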