صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
186-template-175
/
mini-starter
برگرفته از 155-template-138/mini-starter
2
0
انشعاب 0
پرونده‌ها
درخت: dc8865081f
شاخه‌ها تگ‌ها
mini-starter
/
packages
/
shared-crud
/
tests
/
integration
/
data-permission.integration.test.ts

data-permission.integration.test.ts 14 KB
تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477 
  1. import { describe, it, expect, beforeEach, vi, afterEach } from 'vitest';
    2. 

  2. import { testClient } from 'hono/testing';
    3. 

  3. import { IntegrationTestDatabase, setupIntegrationDatabaseHooksWithEntities } from '@d8d/shared-test-util';
    4. 

  4. import { JWTUtil } from '@d8d/shared-utils';
    5. 

  5. import { z } from '@hono/zod-openapi';
    6. 

  6. import { createCrudRoutes } from '../../src/routes/generic-crud.routes';
    7. 

  7. import { Entity, PrimaryGeneratedColumn, Column } from 'typeorm';
    8. 

  8. 

  9. // 测试用户实体
    10. 

  10. @Entity()
    11. 

  11. class TestUser {
    12. 

  12.   @PrimaryGeneratedColumn()
    13. 

  13.   id!: number;
    14. 

  14. 

  15.   @Column()
    16. 

  16.   username!: string;
    17. 

  17. 

  18.   @Column()
    19. 

  19.   password!: string;
    20. 

  20. 

  21.   @Column()
    22. 

  22.   nickname!: string;
    23. 

  23. 

  24.   @Column()
    25. 

  25.   registrationSource!: string;
    26. 

  26. }
    27. 

  27. 

  28. // 测试实体类
    29. 

  29. class TestEntity {
    30. 

  30.   id!: number;
    31. 

  31.   name!: string;
    32. 

  32.   userId!: number;
    33. 

  33.   createdBy?: number;
    34. 

  34.   updatedBy?: number;
    35. 

  35. }
    36. 

  36. 

  37. // 定义测试实体的Schema
    38. 

  38. const createTestSchema = z.object({
    39. 

  39.   name: z.string().min(1, '名称不能为空'),
    40. 

  40.   userId: z.number().optional()
    41. 

  41. });
    42. 

  42. 

  43. const updateTestSchema = z.object({
    44. 

  44.   name: z.string().min(1, '名称不能为空').optional()
    45. 

  45. });
    46. 

  46. 

  47. const getTestSchema = z.object({
    48. 

  48.   id: z.number(),
    49. 

  49.   name: z.string(),
    50. 

  50.   userId: z.number(),
    51. 

  51.   createdBy: z.number().optional(),
    52. 

  52.   updatedBy: z.number().optional()
    53. 

  53. });
    54. 

  54. 

  55. const listTestSchema = z.object({
    56. 

  56.   id: z.number(),
    57. 

  57.   name: z.string(),
    58. 

  58.   userId: z.number(),
    59. 

  59.   createdBy: z.number().optional(),
    60. 

  60.   updatedBy: z.number().optional()
    61. 

  61. });
    62. 

  62. 

  63. // 设置集成测试钩子
    64. 

  64. setupIntegrationDatabaseHooksWithEntities([TestUser])
    65. 

  65. 

  66. describe('共享CRUD数据权限控制集成测试', () => {
    67. 

  67.   let client: any;
    68. 

  68.   let testToken1: string;
    69. 

  69.   let testToken2: string;
    70. 

  70.   let testUser1: TestUser;
    71. 

  71.   let testUser2: TestUser;
    72. 

  72. 

  73.   beforeEach(async () => {
    74. 

  74.     // 获取数据源
    75. 

  75.     const dataSource = await IntegrationTestDatabase.getDataSource();
    76. 

  76. 

  77.     // 创建测试用户1
    78. 

  78.     const userRepository = dataSource.getRepository(TestUser);
    79. 

  79.     testUser1 = userRepository.create({
    80. 

  80.       username: `test_user_1_${Date.now()}`,
    81. 

  81.       password: 'test_password',
    82. 

  82.       nickname: '测试用户1',
    83. 

  83.       registrationSource: 'web'
    84. 

  84.     });
    85. 

  85.     await userRepository.save(testUser1);
    86. 

  86. 

  87.     // 创建测试用户2
    88. 

  88.     testUser2 = userRepository.create({
    89. 

  89.       username: `test_user_2_${Date.now()}`,
    90. 

  90.       password: 'test_password',
    91. 

  91.       nickname: '测试用户2',
    92. 

  92.       registrationSource: 'web'
    93. 

  93.     });
    94. 

  94.     await userRepository.save(testUser2);
    95. 

  95. 

  96.     // 生成测试用户的token
    97. 

  97.     testToken1 = JWTUtil.generateToken({
    98. 

  98.       id: testUser1.id,
    99. 

  99.       username: testUser1.username,
    100. 

  100.       roles: [{name:'user'}]
    101. 

  101.     });
    102. 

  102. 

  103.     testToken2 = JWTUtil.generateToken({
    104. 

  104.       id: testUser2.id,
    105. 

  105.       username: testUser2.username,
    106. 

  106.       roles: [{name:'user'}]
    107. 

  107.     });
    108. 

  108. 

  109.     // 创建测试路由 - 启用数据权限控制
    110. 

  110.     const testRoutes = createCrudRoutes({
    111. 

  111.       entity: TestEntity,
    112. 

  112.       createSchema: createTestSchema,
    113. 

  113.       updateSchema: updateTestSchema,
    114. 

  114.       getSchema: getTestSchema,
    115. 

  115.       listSchema: listTestSchema,
    116. 

  116.       dataPermission: {
    117. 

  117.         enabled: true,
    118. 

  118.         userIdField: 'userId'
    119. 

  119.       }
    120. 

  120.     });
    121. 

  121. 

  122.     client = testClient(testRoutes);
    123. 

  123.   });
    124. 

  124. 

  125.   describe('GET / - 列表查询权限过滤', () => {
    126. 

  126.     it('应该只返回当前用户的数据', async () => {
    127. 

  127.       // 创建测试数据
    128. 

  128.       const dataSource = await IntegrationTestDatabase.getDataSource();
    129. 

  129.       const testRepository = dataSource.getRepository(TestEntity);
    130. 

  130. 

  131.       // 为用户1创建数据
    132. 

  132.       const user1Data1 = testRepository.create({
    133. 

  133.         name: '用户1的数据1',
    134. 

  134.         userId: testUser1.id
    135. 

  135.       });
    136. 

  136.       await testRepository.save(user1Data1);
    137. 

  137. 

  138.       const user1Data2 = testRepository.create({
    139. 

  139.         name: '用户1的数据2',
    140. 

  140.         userId: testUser1.id
    141. 

  141.       });
    142. 

  142.       await testRepository.save(user1Data2);
    143. 

  143. 

  144.       // 为用户2创建数据
    145. 

  145.       const user2Data = testRepository.create({
    146. 

  146.         name: '用户2的数据',
    147. 

  147.         userId: testUser2.id
    148. 

  148.       });
    149. 

  149.       await testRepository.save(user2Data);
    150. 

  150. 

  151.       // 用户1查询列表
    152. 

  152.       const response = await client.index.$get({
    153. 

  153.         query: {}
    154. 

  154.       }, {
    155. 

  155.         headers: {
    156. 

  156.           'Authorization': `Bearer ${testToken1}`
    157. 

  157.         }
    158. 

  158.       });
    159. 

  159. 

  160.       console.debug('列表查询响应状态:', response.status);
    161. 

  161.       expect(response.status).toBe(200);
    162. 

  162. 

  163.       if (response.status === 200) {
    164. 

  164.         const data = await response.json();
    165. 

  165.         expect(data).toHaveProperty('data');
    166. 

  166.         expect(Array.isArray(data.data)).toBe(true);
    167. 

  167.         expect(data.data).toHaveLength(2); // 应该只返回用户1的2条数据
    168. 

  168. 

  169.         // 验证所有返回的数据都属于用户1
    170. 

  170.         data.data.forEach((item: any) => {
    171. 

  171.           expect(item.userId).toBe(testUser1.id);
    172. 

  172.         });
    173. 

  173.       }
    174. 

  174.     });
    175. 

  175. 

  176.     it('应该拒绝未认证用户的访问', async () => {
    177. 

  177.       const response = await client.index.$get({
    178. 

  178.         query: {}
    179. 

  179.       });
    180. 

  180.       expect(response.status).toBe(401);
    181. 

  181.     });
    182. 

  182.   });
    183. 

  183. 

  184.   describe('POST / - 创建操作权限验证', () => {
    185. 

  185.     it('应该成功创建属于当前用户的数据', async () => {
    186. 

  186.       const createData = {
    187. 

  187.         name: '测试创建数据',
    188. 

  188.         userId: testUser1.id // 用户ID与当前用户匹配
    189. 

  189.       };
    190. 

  190. 

  191.       const response = await client.index.$post({
    192. 

  192.         json: createData
    193. 

  193.       }, {
    194. 

  194.         headers: {
    195. 

  195.           'Authorization': `Bearer ${testToken1}`
    196. 

  196.         }
    197. 

  197.       });
    198. 

  198. 

  199.       console.debug('创建数据响应状态:', response.status);
    200. 

  200.       expect(response.status).toBe(201);
    201. 

  201. 

  202.       if (response.status === 201) {
    203. 

  203.         const data = await response.json();
    204. 

  204.         expect(data).toHaveProperty('id');
    205. 

  205.         expect(data.name).toBe(createData.name);
    206. 

  206.         expect(data.userId).toBe(testUser1.id);
    207. 

  207.       }
    208. 

  208.     });
    209. 

  209. 

  210.     it('应该拒绝创建不属于当前用户的数据', async () => {
    211. 

  211.       const createData = {
    212. 

  212.         name: '测试创建数据',
    213. 

  213.         userId: testUser2.id // 用户ID与当前用户不匹配
    214. 

  214.       };
    215. 

  215. 

  216.       const response = await client.index.$post({
    217. 

  217.         json: createData
    218. 

  218.       }, {
    219. 

  219.         headers: {
    220. 

  220.           'Authorization': `Bearer ${testToken1}`
    221. 

  221.         }
    222. 

  222.       });
    223. 

  223. 

  224.       console.debug('创建无权数据响应状态:', response.status);
    225. 

  225.       expect(response.status).toBe(500); // 权限验证失败会抛出错误
    226. 

  226. 

  227.       if (response.status === 500) {
    228. 

  228.         const data = await response.json();
    229. 

  229.         expect(data.message).toContain('无权');
    230. 

  230.       }
    231. 

  231.     });
    232. 

  232.   });
    233. 

  233. 

  234.   describe('GET /:id - 获取详情权限验证', () => {
    235. 

  235.     it('应该成功获取属于当前用户的数据详情', async () => {
    236. 

  236.       // 先创建测试数据
    237. 

  237.       const dataSource = await IntegrationTestDatabase.getDataSource();
    238. 

  238.       const testRepository = dataSource.getRepository(TestEntity);
    239. 

  239.       const testData = testRepository.create({
    240. 

  240.         name: '测试数据详情',
    241. 

  241.         userId: testUser1.id
    242. 

  242.       });
    243. 

  243.       await testRepository.save(testData);
    244. 

  244. 

  245.       const response = await client[':id'].$get({
    246. 

  246.         param: { id: testData.id }
    247. 

  247.       }, {
    248. 

  248.         headers: {
    249. 

  249.           'Authorization': `Bearer ${testToken1}`
    250. 

  250.         }
    251. 

  251.       });
    252. 

  252. 

  253.       console.debug('获取详情响应状态:', response.status);
    254. 

  254.       expect(response.status).toBe(200);
    255. 

  255. 

  256.       if (response.status === 200) {
    257. 

  257.         const data = await response.json();
    258. 

  258.         expect(data.id).toBe(testData.id);
    259. 

  259.         expect(data.name).toBe(testData.name);
    260. 

  260.         expect(data.userId).toBe(testUser1.id);
    261. 

  261.       }
    262. 

  262.     });
    263. 

  263. 

  264.     it('应该拒绝获取不属于当前用户的数据详情', async () => {
    265. 

  265.       // 先创建属于用户2的数据
    266. 

  266.       const dataSource = await IntegrationTestDatabase.getDataSource();
    267. 

  267.       const testRepository = dataSource.getRepository(TestEntity);
    268. 

  268.       const testData = testRepository.create({
    269. 

  269.         name: '用户2的数据',
    270. 

  270.         userId: testUser2.id
    271. 

  271.       });
    272. 

  272.       await testRepository.save(testData);
    273. 

  273. 

  274.       // 用户1尝试获取用户2的数据
    275. 

  275.       const response = await client[':id'].$get({
    276. 

  276.         param: { id: testData.id }
    277. 

  277.       }, {
    278. 

  278.         headers: {
    279. 

  279.           'Authorization': `Bearer ${testToken1}`
    280. 

  280.         }
    281. 

  281.       });
    282. 

  282. 

  283.       console.debug('获取无权详情响应状态:', response.status);
    284. 

  284.       expect(response.status).toBe(404); // 权限验证失败返回404
    285. 

  285.     });
    286. 

  286. 

  287.     it('应该处理不存在的资源', async () => {
    288. 

  288.       const response = await client[':id'].$get({
    289. 

  289.         param: { id: 999999 }
    290. 

  290.       }, {
    291. 

  291.         headers: {
    292. 

  292.           'Authorization': `Bearer ${testToken1}`
    293. 

  293.         }
    294. 

  294.       });
    295. 

  295. 

  296.       expect(response.status).toBe(404);
    297. 

  297.     });
    298. 

  298.   });
    299. 

  299. 

  300.   describe('PUT /:id - 更新操作权限验证', () => {
    301. 

  301.     it('应该成功更新属于当前用户的数据', async () => {
    302. 

  302.       // 先创建测试数据
    303. 

  303.       const dataSource = await IntegrationTestDatabase.getDataSource();
    304. 

  304.       const testRepository = dataSource.getRepository(TestEntity);
    305. 

  305.       const testData = testRepository.create({
    306. 

  306.         name: '原始数据',
    307. 

  307.         userId: testUser1.id
    308. 

  308.       });
    309. 

  309.       await testRepository.save(testData);
    310. 

  310. 

  311.       const updateData = {
    312. 

  312.         name: '更新后的数据'
    313. 

  313.       };
    314. 

  314. 

  315.       const response = await client[':id'].$put({
    316. 

  316.         param: { id: testData.id },
    317. 

  317.         json: updateData
    318. 

  318.       }, {
    319. 

  319.         headers: {
    320. 

  320.           'Authorization': `Bearer ${testToken1}`
    321. 

  321.         }
    322. 

  322.       });
    323. 

  323. 

  324.       console.debug('更新数据响应状态:', response.status);
    325. 

  325.       expect(response.status).toBe(200);
    326. 

  326. 

  327.       if (response.status === 200) {
    328. 

  328.         const data = await response.json();
    329. 

  329.         expect(data.name).toBe(updateData.name);
    330. 

  330.         expect(data.userId).toBe(testUser1.id);
    331. 

  331.       }
    332. 

  332.     });
    333. 

  333. 

  334.     it('应该拒绝更新不属于当前用户的数据', async () => {
    335. 

  335.       // 先创建属于用户2的数据
    336. 

  336.       const dataSource = await IntegrationTestDatabase.getDataSource();
    337. 

  337.       const testRepository = dataSource.getRepository(TestEntity);
    338. 

  338.       const testData = testRepository.create({
    339. 

  339.         name: '用户2的数据',
    340. 

  340.         userId: testUser2.id
    341. 

  341.       });
    342. 

  342.       await testRepository.save(testData);
    343. 

  343. 

  344.       const updateData = {
    345. 

  345.         name: '尝试更新的数据'
    346. 

  346.       };
    347. 

  347. 

  348.       // 用户1尝试更新用户2的数据
    349. 

  349.       const response = await client[':id'].$put({
    350. 

  350.         param: { id: testData.id },
    351. 

  351.         json: updateData
    352. 

  352.       }, {
    353. 

  353.         headers: {
    354. 

  354.           'Authorization': `Bearer ${testToken1}`
    355. 

  355.         }
    356. 

  356.       });
    357. 

  357. 

  358.       console.debug('更新无权数据响应状态:', response.status);
    359. 

  359.       expect(response.status).toBe(500); // 权限验证失败会抛出错误
    360. 

  360. 

  361.       if (response.status === 500) {
    362. 

  362.         const data = await response.json();
    363. 

  363.         expect(data.message).toContain('无权');
    364. 

  364.       }
    365. 

  365.     });
    366. 

  366.   });
    367. 

  367. 

  368.   describe('DELETE /:id - 删除操作权限验证', () => {
    369. 

  369.     it('应该成功删除属于当前用户的数据', async () => {
    370. 

  370.       // 先创建测试数据
    371. 

  371.       const dataSource = await IntegrationTestDatabase.getDataSource();
    372. 

  372.       const testRepository = dataSource.getRepository(TestEntity);
    373. 

  373.       const testData = testRepository.create({
    374. 

  374.         name: '待删除数据',
    375. 

  375.         userId: testUser1.id
    376. 

  376.       });
    377. 

  377.       await testRepository.save(testData);
    378. 

  378. 

  379.       const response = await client[':id'].$delete({
    380. 

  380.         param: { id: testData.id }
    381. 

  381.       }, {
    382. 

  382.         headers: {
    383. 

  383.           'Authorization': `Bearer ${testToken1}`
    384. 

  384.         }
    385. 

  385.       });
    386. 

  386. 

  387.       console.debug('删除数据响应状态:', response.status);
    388. 

  388.       expect(response.status).toBe(204);
    389. 

  389. 

  390.       // 验证数据确实被删除
    391. 

  391.       const deletedData = await testRepository.findOne({
    392. 

  392.         where: { id: testData.id }
    393. 

  393.       });
    394. 

  394.       expect(deletedData).toBeNull();
    395. 

  395.     });
    396. 

  396. 

  397.     it('应该拒绝删除不属于当前用户的数据', async () => {
    398. 

  398.       // 先创建属于用户2的数据
    399. 

  399.       const dataSource = await IntegrationTestDatabase.getDataSource();
    400. 

  400.       const testRepository = dataSource.getRepository(TestEntity);
    401. 

  401.       const testData = testRepository.create({
    402. 

  402.         name: '用户2的数据',
    403. 

  403.         userId: testUser2.id
    404. 

  404.       });
    405. 

  405.       await testRepository.save(testData);
    406. 

  406. 

  407.       // 用户1尝试删除用户2的数据
    408. 

  408.       const response = await client[':id'].$delete({
    409. 

  409.         param: { id: testData.id }
    410. 

  410.       }, {
    411. 

  411.         headers: {
    412. 

  412.           'Authorization': `Bearer ${testToken1}`
    413. 

  413.         }
    414. 

  414.       });
    415. 

  415. 

  416.       console.debug('删除无权数据响应状态:', response.status);
    417. 

  417.       expect(response.status).toBe(500); // 权限验证失败会抛出错误
    418. 

  418. 

  419.       if (response.status === 500) {
    420. 

  420.         const data = await response.json();
    421. 

  421.         expect(data.message).toContain('无权');
    422. 

  422.       }
    423. 

  423. 

  424.       // 验证数据没有被删除
    425. 

  425.       const existingData = await testRepository.findOne({
    426. 

  426.         where: { id: testData.id }
    427. 

  427.       });
    428. 

  428.       expect(existingData).not.toBeNull();
    429. 

  429.     });
    430. 

  430.   });
    431. 

  431. 

  432.   describe('禁用数据权限控制的情况', () => {
    433. 

  433.     it('当数据权限控制禁用时应该允许跨用户访问', async () => {
    434. 

  434.       // 创建禁用数据权限控制的路由
    435. 

  435.       const noPermissionRoutes = createCrudRoutes({
    436. 

  436.         entity: TestEntity,
    437. 

  437.         createSchema: createTestSchema,
    438. 

  438.         updateSchema: updateTestSchema,
    439. 

  439.         getSchema: getTestSchema,
    440. 

  440.         listSchema: listTestSchema,
    441. 

  441.         dataPermission: {
    442. 

  442.           enabled: false, // 禁用权限控制
    443. 

  443.           userIdField: 'userId'
    444. 

  444.         }
    445. 

  445.       });
    446. 

  446. 

  447.       const noPermissionClient = testClient(noPermissionRoutes);
    448. 

  448. 

  449.       // 创建属于用户2的数据
    450. 

  450.       const dataSource = await IntegrationTestDatabase.getDataSource();
    451. 

  451.       const testRepository = dataSource.getRepository(TestEntity);
    452. 

  452.       const testData = testRepository.create({
    453. 

  453.         name: '用户2的数据',
    454. 

  454.         userId: testUser2.id
    455. 

  455.       });
    456. 

  456.       await testRepository.save(testData);
    457. 

  457. 

  458.       // 用户1应该能够访问用户2的数据(权限控制已禁用)
    459. 

  459.       const response = await noPermissionClient[':id'].$get({
    460. 

  460.         param: { id: testData.id }
    461. 

  461.       }, {
    462. 

  462.         headers: {
    463. 

  463.           'Authorization': `Bearer ${testToken1}`
    464. 

  464.         }
    465. 

  465.       });
    466. 

  466. 

  467.       console.debug('禁用权限控制时的响应状态:', response.status);
    468. 

  468.       expect(response.status).toBe(200);
    469. 

  469. 

  470.       if (response.status === 200) {
    471. 

  471.         const data = await response.json();
    472. 

  472.         expect(data.id).toBe(testData.id);
    473. 

  473.         expect(data.userId).toBe(testUser2.id);
    474. 

  474.       }
    475. 

  475.     });
    476. 

  476.   });
    477. 

  477. });
    478.