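package role

import (
	"errors"
	"testing"
	"time"

	roleModel "perms-system-server/internal/model/role"
	"perms-system-server/internal/response"
	"perms-system-server/internal/svc"
	"perms-system-server/internal/testutil"
	"perms-system-server/internal/testutil/ctxhelper"
	"perms-system-server/internal/types"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// Privilege direction used throughout this file: a SMALLER PermsLevel means MORE
// privilege. "Promote" therefore means moving a role to a smaller number and
// "demote" means moving it to a larger one. The comments below always give both the
// numeric direction and the privilege direction to avoid repeating the R12 mix-up.
//
// NOTE(review): every non-super-admin call in this file uses an admin context for the
// SAME product the role belongs to; the cross-product case (admin of product X updating
// a role of product Y) is not covered here — confirm it is exercised elsewhere.

// TC-0730: regression test for R12 — a non-super-admin "admin" must not *raise* a
// role's privilege. The guard in the logic layer is `req.PermsLevel < role.PermsLevel
// → 403`, which blocks a numeric decrease, i.e. a promotion. Before R12 the source
// comment and the error message said "cannot lower PermsLevel" — the opposite
// direction. Message and comment were corrected together and this test pins the
// corrected wording so the semantics cannot silently regress.
func TestUpdateRole_NonSuperAdminCannotPromoteLevel(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()

	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	// Seed a role at level 100; the request below tries to move it to 10.
	origName := testutil.UniqueId()
	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc,
		Name:        origName,
		Status:      1,
		PermsLevel:  100,
		CreateTime:  now,
		UpdateTime:  now,
	})
	require.NoError(t, err)
	roleId, err := roleRes.LastInsertId()
	require.NoError(t, err)
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	adminCtx := ctxhelper.AdminCtx(pc)

	// 100 → 10: smaller number = more privilege = promotion; must be rejected with 403.
	err = NewUpdateRoleLogic(adminCtx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id:         roleId,
		Name:       "high",
		Remark:     "promote attempt",
		PermsLevel: 10,
	})
	require.Error(t, err)
	var ce *response.CodeError
	require.True(t, errors.As(err, &ce))
	assert.Equal(t, 403, ce.Code())
	assert.Contains(t, ce.Error(), "不能提升角色的权限级别",
		"错误消息必须与代码语义一致;历史上这里写作'不能降低',方向反向,"+
			"本断言锁死 R12 修复后的正向消息,不允许回退")

	// The rejection must be all-or-nothing: neither the level nor the other fields
	// carried by the same request may have been written.
	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(100), persisted.PermsLevel, "PermsLevel 必须保持不变")
	assert.Equal(t, origName, persisted.Name, "a rejected update must not partially persist Name")
}

// TC-0731: a non-super-admin "admin" may keep a role's PermsLevel unchanged or move it
// to a LARGER number (less privilege, i.e. a demotion). Only the numeric decrease
// (promotion) is reserved for the super admin, see TC-0730.
func TestUpdateRole_NonSuperAdminCanRaiseOrKeepLevel(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()

	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc,
		Name:        testutil.UniqueId(),
		Status:      1,
		PermsLevel:  100,
		CreateTime:  now,
		UpdateTime:  now,
	})
	require.NoError(t, err)
	roleId, err := roleRes.LastInsertId()
	require.NoError(t, err)
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	adminCtx := ctxhelper.AdminCtx(pc)

	// 100 → 100: unchanged level is allowed.
	require.NoError(t, NewUpdateRoleLogic(adminCtx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id:         roleId,
		Name:       "keep",
		Remark:     "keep level",
		PermsLevel: 100,
	}), "PermsLevel 保持不变应允许")
	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(100), persisted.PermsLevel)

	// 100 → 500: larger number = less privilege = demotion; allowed for admin.
	require.NoError(t, NewUpdateRoleLogic(adminCtx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id:         roleId,
		Name:       "raise",
		Remark:     "raise level",
		PermsLevel: 500,
	}), "PermsLevel 提升应允许")
	persisted, err = svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(500), persisted.PermsLevel)
}

// TC-0732: the super admin is not subject to the promotion guard and may move a role
// to a SMALLER number (more privilege) freely.
func TestUpdateRole_SuperAdminCanDemoteLevel(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()

	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc,
		Name:        testutil.UniqueId(),
		Status:      1,
		PermsLevel:  500,
		CreateTime:  now,
		UpdateTime:  now,
	})
	require.NoError(t, err)
	roleId, err := roleRes.LastInsertId()
	require.NoError(t, err)
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	// 500 → 10 with the super-admin context: a promotion, allowed only for super admin.
	require.NoError(t, NewUpdateRoleLogic(ctx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id:         roleId,
		Name:       "down",
		Remark:     "superadmin demote",
		PermsLevel: 10,
	}))

	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(10), persisted.PermsLevel)
}

// TC-0733: out-of-range PermsLevel values are rejected with 400 even for the super
// admin, and a rejected request leaves the stored level untouched.
//
// NOTE(review): only rejected values are pinned here; the exact accepted range is not
// visible from this file, so its inclusive edges (presumably 1 and 999) are not
// asserted — confirm against the validator and add the accepting cases if so.
func TestUpdateRole_PermsLevelBoundary(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()

	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc,
		Name:        testutil.UniqueId(),
		Status:      1,
		PermsLevel:  50,
		CreateTime:  now,
		UpdateTime:  now,
	})
	require.NoError(t, err)
	roleId, err := roleRes.LastInsertId()
	require.NoError(t, err)
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	for _, level := range []int64{0, -1, 1000, 10000} {
		err = NewUpdateRoleLogic(ctx, svcCtx).UpdateRole(&types.UpdateRoleReq{
			Id:         roleId,
			Name:       "b",
			PermsLevel: level,
		})
		require.Error(t, err, "PermsLevel=%d 应当被拒", level)
		var ce *response.CodeError
		require.True(t, errors.As(err, &ce))
		assert.Equal(t, 400, ce.Code(), "PermsLevel=%d", level)
	}

	// None of the rejected requests may have reached the database.
	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(50), persisted.PermsLevel, "rejected boundary values must not be persisted")
}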