path: root/src/lib/Utility/authorisation.test.ts
import { describe, expect, it } from "vitest";
import { isOwnerOrPrivileged } from "./authorisation";

/**
 * Unit tests for the `isOwnerOrPrivileged` predicate.
 *
 * The four scenarios are every combination of "the two ids match" and
 * "the privileged flag is set", i.e. the full truth table for the inputs
 * used here. Only mismatched ids without privilege are expected to be denied.
 *
 * NOTE(review): which argument is the caller's id and which is the resource
 * owner's id is not visible from this file — confirm against ./authorisation.
 * NOTE(review): these tests pin the predicate only. They do not show that call
 * sites pass an id taken from the authenticated session rather than from
 * request input, which is what an IDOR check ultimately depends on.
 */
describe("isOwnerOrPrivileged", () => {
	const anId = 7;
	const anotherId = 999;

	interface Scenario {
		title: string;
		first: number;
		second: number;
		privileged: boolean;
		allowed: boolean;
	}

	const scenarios: Scenario[] = [
		{
			title: "allows the owner to act on their own resources",
			first: anId,
			second: anId,
			privileged: false,
			allowed: true,
		},
		{
			title: "allows a privileged user to act on anyone",
			first: anId,
			second: anotherId,
			privileged: true,
			allowed: true,
		},
		{
			// The deny path: ids differ and no privilege is held.
			title: "blocks a non-privileged user acting on someone else (the IDOR case)",
			first: anId,
			second: anotherId,
			privileged: false,
			allowed: false,
		},
		{
			title: "allows a privileged owner (both conditions)",
			first: anId,
			second: anId,
			privileged: true,
			allowed: true,
		},
	];

	// Register one test per scenario, in the order listed above.
	for (const { title, first, second, privileged, allowed } of scenarios) {
		it(title, () => {
			expect(isOwnerOrPrivileged(first, second, privileged)).toBe(allowed);
		});
	}
});