weiym
/
perms-system-server


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152
							package role

import (
	"errors"
	"testing"
	"time"

	roleModel "perms-system-server/internal/model/role"
	"perms-system-server/internal/response"
	"perms-system-server/internal/svc"
	"perms-system-server/internal/testutil"
	"perms-system-server/internal/testutil/ctxhelper"
	"perms-system-server/internal/types"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

// TC-0730:  修复：非超管 admin 不能把角色权限**提升**（数字越小 = 权限越高）
// 修复前的源码注释写作"不能降低 PermsLevel"，与实际代码 `req.PermsLevel < role.PermsLevel → 403`
// 的语义相反（数字越小 = 权限越高，`<` 拦截的是"提升")； 把 Error msg 与注释一并修正，
// 测试随之把断言从"不能降低"改为"不能提升"，钉死 R12 后的语义契约。
func TestUpdateRole_NonSuperAdminCannotPromoteLevel(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()
	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc, Name: testutil.UniqueId(),
		Status: 1, PermsLevel: 100, CreateTime: now, UpdateTime: now,
	})
	require.NoError(t, err)
	roleId, _ := roleRes.LastInsertId()
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	adminCtx := ctxhelper.AdminCtx(pc)
	// 100 → 10：数字变小 = 权限提升，修复后应被拒
	err = NewUpdateRoleLogic(adminCtx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id: roleId, Name: "high", Remark: "promote attempt", PermsLevel: 10,
	})
	require.Error(t, err)
	var ce *response.CodeError
	require.True(t, errors.As(err, &ce))
	assert.Equal(t, 403, ce.Code())
	assert.Contains(t, ce.Error(), "不能提升角色的权限级别",
		"错误消息必须与代码语义一致；历史上这里写作'不能降低'，方向反向，"+
			"本断言锁死 R12 修复后的正向消息，不允许回退")

	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(100), persisted.PermsLevel, "PermsLevel 必须保持不变")
}

// TC-0731:  修复：非超管 admin 可以保持或提升 PermsLevel
func TestUpdateRole_NonSuperAdminCanRaiseOrKeepLevel(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()
	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc, Name: testutil.UniqueId(),
		Status: 1, PermsLevel: 100, CreateTime: now, UpdateTime: now,
	})
	require.NoError(t, err)
	roleId, _ := roleRes.LastInsertId()
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	adminCtx := ctxhelper.AdminCtx(pc)
	require.NoError(t, NewUpdateRoleLogic(adminCtx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id: roleId, Name: "keep", Remark: "keep level", PermsLevel: 100,
	}), "PermsLevel 保持不变应允许")

	require.NoError(t, NewUpdateRoleLogic(adminCtx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id: roleId, Name: "raise", Remark: "raise level", PermsLevel: 500,
	}), "PermsLevel 提升应允许")

	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(500), persisted.PermsLevel)
}

// TC-0732: ：超管可以任意降低 PermsLevel
func TestUpdateRole_SuperAdminCanDemoteLevel(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()
	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc, Name: testutil.UniqueId(),
		Status: 1, PermsLevel: 500, CreateTime: now, UpdateTime: now,
	})
	require.NoError(t, err)
	roleId, _ := roleRes.LastInsertId()
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	require.NoError(t, NewUpdateRoleLogic(ctx, svcCtx).UpdateRole(&types.UpdateRoleReq{
		Id: roleId, Name: "down", Remark: "superadmin demote", PermsLevel: 10,
	}))

	persisted, err := svcCtx.SysRoleModel.FindOne(ctx, roleId)
	require.NoError(t, err)
	assert.Equal(t, int64(10), persisted.PermsLevel)
}

// TC-0733: ：边界 PermsLevel 校验
func TestUpdateRole_PermsLevelBoundary(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	now := time.Now().Unix()
	pc := testutil.UniqueId()
	pid := mustInsertEnabledProduct(t, ctx, svcCtx, pc)

	roleRes, err := svcCtx.SysRoleModel.Insert(ctx, &roleModel.SysRole{
		ProductCode: pc, Name: testutil.UniqueId(),
		Status: 1, PermsLevel: 50, CreateTime: now, UpdateTime: now,
	})
	require.NoError(t, err)
	roleId, _ := roleRes.LastInsertId()
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_role`", roleId)
		testutil.CleanTable(ctx, conn, "`sys_product`", pid)
	})

	for _, level := range []int64{0, -1, 1000, 10000} {
		err := NewUpdateRoleLogic(ctx, svcCtx).UpdateRole(&types.UpdateRoleReq{
			Id: roleId, Name: "b", PermsLevel: level,
		})
		require.Error(t, err, "PermsLevel=%d 应当被拒", level)
		var ce *response.CodeError
		require.True(t, errors.As(err, &ce))
		assert.Equal(t, 400, ce.Code())
	}
}