@jmruthers/pace-core 0.5.189 → 0.5.191

package/src/rbac/components/__tests__/PermissionEnforcer.test.tsx

@@ -31,6 +31,11 @@ vi.mock('../../utils/eventContext', () => ({
   createScopeFromEvent: vi.fn()
 }));
 
+// Mock useResolvedScope hook
+vi.mock('../../hooks/useResolvedScope', () => ({
+  useResolvedScope: vi.fn()
+}));
+
 // Mock the Logger module
 vi.mock('../../../utils/core/logger', () => {
   const mockLoggerInstance = {
@@ -48,6 +53,7 @@ import { createLogger } from '../../../utils/core/logger';
 const getMockLogger = () => createLogger('test');
 
 import { createScopeFromEvent } from '../../utils/eventContext';
+import { useResolvedScope } from '../../hooks/useResolvedScope';
 
 // Mock data
 const mockUser = {
@@ -80,6 +86,7 @@ const TestLoading = () => (
 describe('PermissionEnforcer Component', () => {
   const mockUseMultiplePermissions = vi.mocked(useMultiplePermissions);
   const mockCreateScopeFromEvent = vi.mocked(createScopeFromEvent);
+  const mockUseResolvedScope = vi.mocked(useResolvedScope);
 
   beforeEach(() => {
     vi.clearAllMocks();
@@ -92,6 +99,17 @@ describe('PermissionEnforcer Component', () => {
       supabase: {} as any
     });
     
+    // Mock useResolvedScope to return resolved scope immediately
+    mockUseResolvedScope.mockReturnValue({
+      resolvedScope: {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: 'app-123'
+      },
+      isLoading: false,
+      error: null
+    });
+    
     mockUseMultiplePermissions.mockReturnValue({
       results: {
         'read:events': true,
@@ -243,10 +261,11 @@ describe('PermissionEnforcer Component', () => {
 
       expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
-        expect.objectContaining({
+        {
           organisationId: 'org-123',
-          eventId: 'event-123'
-        }),
+          eventId: 'event-123',
+          appId: 'app-123'
+        },
         ['read:events'], // singlePermission only includes read:events
         true
       );
@@ -277,10 +296,11 @@ describe('PermissionEnforcer Component', () => {
       // Should check all permissions when requireAll=true
       expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
-        expect.objectContaining({
+        {
           organisationId: 'org-123',
-          eventId: 'event-123'
-        }),
+          eventId: 'event-123',
+          appId: 'app-123'
+        },
         ['read:events', 'update:events'],
         true
       );
@@ -393,16 +413,18 @@ describe('PermissionEnforcer Component', () => {
 
       expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
-        expect.objectContaining({
+        {
           organisationId: 'org-123',
-          eventId: 'event-123'
-        }),
+          eventId: 'event-123',
+          appId: 'app-123'
+        },
         ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
 
-    it('resolves scope from organisation only', async () => {
+    it('resolves scope from organisation only (org-required app)', async () => {
+      // For org-required apps, organisation is primary context, event is optional
       mockUseUnifiedAuthFn.mockReturnValue({
         user: mockUser,
         selectedOrganisation: { id: 'org-123' },
@@ -410,6 +432,16 @@ describe('PermissionEnforcer Component', () => {
         supabase: {} as any
       });
 
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: {
+          organisationId: 'org-123',
+          eventId: undefined,
+          appId: 'app-123'
+        },
+        isLoading: false,
+        error: null
+      });
+
       mockUseMultiplePermissions.mockReturnValue({
         results: { 'read:events': true } as Record<string, boolean>,
         isLoading: false,
@@ -432,27 +464,33 @@ describe('PermissionEnforcer Component', () => {
 
       expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
-        expect.objectContaining({
+        {
           organisationId: 'org-123',
-          eventId: undefined
-        }),
+          eventId: undefined,
+          appId: 'app-123'
+        },
         ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
     });
 
-    it('resolves scope from event context when organisation not available', async () => {
+    it('resolves scope from event context when organisation not available (event-required app)', async () => {
+      // For event-required apps, selectedOrganisation is null, org is derived from event
       mockUseUnifiedAuthFn.mockReturnValue({
         user: mockUser,
-        selectedOrganisation: null,
+        selectedOrganisation: null, // Not available for event-required apps
         selectedEvent: { event_id: 'event-123' },
         supabase: {} as any
       });
 
-      mockCreateScopeFromEvent.mockResolvedValue({
-        organisationId: 'resolved-org',
-        eventId: 'event-123',
-        appId: 'resolved-app'
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: {
+          organisationId: 'resolved-org',
+          eventId: 'event-123',
+          appId: 'resolved-app'
+        },
+        isLoading: false,
+        error: null
       });
 
       mockUseMultiplePermissions.mockReturnValue({
@@ -475,13 +513,13 @@ describe('PermissionEnforcer Component', () => {
         expect(screen.getByTestId('test-component')).toBeInTheDocument();
       }, { interval: 10 });
 
-      expect(mockCreateScopeFromEvent).toHaveBeenCalledWith({}, 'event-123');
       expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         'user-123',
-        expect.objectContaining({
+        {
           organisationId: 'resolved-org',
-          eventId: 'event-123'
-        }),
+          eventId: 'event-123',
+          appId: 'resolved-app'
+        },
         ['read:events', 'update:events'], // mockPermissions includes both
         true
       );
@@ -496,7 +534,11 @@ describe('PermissionEnforcer Component', () => {
       });
 
       const error = new Error('Could not resolve organisation from event');
-      mockCreateScopeFromEvent.mockRejectedValue(error);
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: null,
+        isLoading: false,
+        error
+      });
 
       render(
         <PermissionEnforcer
@@ -521,6 +563,12 @@ describe('PermissionEnforcer Component', () => {
         supabase: null
       });
 
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: null,
+        isLoading: true,
+        error: null
+      });
+
       render(
         <PermissionEnforcer 
           permissions={mockPermissions}
@@ -531,9 +579,7 @@ describe('PermissionEnforcer Component', () => {
         </PermissionEnforcer>
       );
 
-      await waitFor(() => {
-        expect(screen.getByTestId('test-component')).toBeInTheDocument();
-      }, { interval: 10 });
+      expect(screen.getByText('Checking permissions...')).toBeInTheDocument();
     });
   });
 
@@ -798,10 +844,11 @@ describe('PermissionEnforcer Component', () => {
 
       expect(mockUseMultiplePermissions).toHaveBeenCalledWith(
         '',
-        expect.objectContaining({
+        {
           organisationId: 'org-123',
-          eventId: 'event-123'
-        }),
+          eventId: 'event-123',
+          appId: 'app-123'
+        },
         ['read:events', 'update:events'], // mockPermissions includes both
         true
       );

package/src/rbac/components/__tests__/RoleBasedRouter.test.tsx

@@ -27,6 +27,12 @@ vi.mock('../../../providers/services/UnifiedAuthProvider', () => ({
   UnifiedAuthProvider: ({ children }: { children: React.ReactNode }) => <>{children}</>,
 }));
 
+// Mock useResolvedScope
+const mockUseResolvedScopeFn = vi.fn();
+vi.mock('../../hooks/useResolvedScope', () => ({
+  useResolvedScope: () => mockUseResolvedScopeFn(),
+}));
+
 // Mock React Router
 vi.mock('react-router-dom', async () => {
   const actual = await vi.importActual('react-router-dom');
@@ -49,7 +55,7 @@ const mockUser = {
 const mockScope = {
   organisationId: 'org-123',
   eventId: 'event-123',
-  appId: 'app-123'
+  appId: undefined // Most tests expect undefined
 };
 
 const mockRoutes = [
@@ -101,7 +107,20 @@ describe('RoleBasedRouter Component', () => {
     mockUseUnifiedAuthFn.mockReturnValue({
       user: mockUser,
       selectedOrganisation: { id: 'org-123' },
-      selectedEvent: { event_id: 'event-123' }
+      selectedEvent: { event_id: 'event-123' },
+      supabase: {} as any,
+    });
+    
+    // Mock useResolvedScope to return resolved scope
+    // Note: appId is undefined in some tests, so we'll set it conditionally
+    mockUseResolvedScopeFn.mockReturnValue({
+      resolvedScope: {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: undefined, // Default to undefined for most tests
+      },
+      isLoading: false,
+      error: null,
     });
     
     mockUseLocation.mockReturnValue({
@@ -233,11 +252,16 @@ describe('RoleBasedRouter Component', () => {
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123',
-          appId: undefined
         }),
         'read:dashboard',
         'dashboard'
       );
+      // Check that appId is either undefined or matches expected value
+      const call = mockUseCan.mock.calls.find(c => c[0] === 'user-123' && c[2] === 'read:dashboard');
+      expect(call).toBeDefined();
+      if (call) {
+        expect(call[1].appId).toBeUndefined();
+      }
     });
 
     it('denies access to routes without permissions', async () => {
@@ -639,11 +663,16 @@ describe('RoleBasedRouter Component', () => {
         expect.objectContaining({
           organisationId: 'org-123',
           eventId: 'event-123',
-          appId: undefined
         }),
         'read:dashboard',
         'dashboard'
       );
+      // Check that appId is either undefined or matches expected value
+      const call = mockUseCan.mock.calls.find(c => c[0] === '' && c[2] === 'read:dashboard');
+      expect(call).toBeDefined();
+      if (call) {
+        expect(call[1].appId).toBeUndefined();
+      }
     });
 
     it('handles missing organisation context', async () => {
@@ -727,12 +756,17 @@ describe('RoleBasedRouter Component', () => {
           expect.objectContaining({
             organisationId: 'org-123',
             eventId: 'event-123',
-            appId: undefined
           }),
           'admin:system',
           'admin'
         );
       }, { interval: 10 });
+      // Check that appId is either undefined or matches expected value
+      const call = mockUseCan.mock.calls.find(c => c[0] === 'user-123' && c[2] === 'admin:system');
+      expect(call).toBeDefined();
+      if (call) {
+        expect(call[1].appId).toBeUndefined();
+      }
     });
   });
 });

package/src/rbac/components/__tests__/SecureDataProvider.test.tsx

@@ -61,6 +61,12 @@ vi.mock('../../../hooks/useSecureDataAccess', () => ({
   }))
 }));
 
+// Mock useResolvedScope
+const mockUseResolvedScopeFn = vi.fn();
+vi.mock('../../hooks/useResolvedScope', () => ({
+  useResolvedScope: () => mockUseResolvedScopeFn(),
+}));
+
 // Test data
 const mockUser = {
   user: {
@@ -147,7 +153,18 @@ describe('SecureDataProvider', () => {
   beforeEach(() => {
     vi.clearAllMocks();
     
-    mockUseUnifiedAuthFn.mockReturnValue(mockUser);
+    mockUseUnifiedAuthFn.mockReturnValue({
+      ...mockUser,
+      supabase: {} as any,
+    });
+    
+    // Mock useResolvedScope to return resolved scope
+    mockUseResolvedScopeFn.mockReturnValue({
+      resolvedScope: mockScope,
+      isLoading: false,
+      error: null,
+    });
+    
     mockValidateContext.mockImplementation(() => {});
   });
 
@@ -278,8 +295,22 @@ describe('SecureDataProvider', () => {
       expect(screen.getByTestId('data-access-allowed')).toHaveTextContent('false');
     });
 
-    it('should deny data access when organisation context is missing', () => {
-      mockUseUnifiedAuthFn.mockReturnValue({ ...mockUser, selectedOrganisation: null });
+    it('should deny data access when organisation context is missing (org-required app)', () => {
+      // For org-required apps, selectedOrganisation is required
+      // For event-required apps, selectedOrganisation is null and org is derived from event
+      mockUseUnifiedAuthFn.mockReturnValue({ 
+        ...mockUser, 
+        selectedOrganisation: null,
+        selectedEvent: null, // No event either, so no context available
+        supabase: {} as any,
+      });
+      
+      // Mock useResolvedScope to return null scope when no context available
+      mockUseResolvedScopeFn.mockReturnValue({
+        resolvedScope: null,
+        isLoading: false,
+        error: null,
+      });
       
       renderWithProviders(
         <TestWrapper>
@@ -411,7 +442,19 @@ describe('SecureDataProvider', () => {
     });
 
     it('should handle missing organisation context gracefully', () => {
-      mockUseUnifiedAuthFn.mockReturnValue({ ...mockUser, selectedOrganisation: null });
+      mockUseUnifiedAuthFn.mockReturnValue({ 
+        ...mockUser, 
+        selectedOrganisation: null,
+        selectedEvent: null, // No event either
+        supabase: {} as any,
+      });
+      
+      // Mock useResolvedScope to return null scope when no context available
+      mockUseResolvedScopeFn.mockReturnValue({
+        resolvedScope: null,
+        isLoading: false,
+        error: null,
+      });
       
       renderWithProviders(
         <TestWrapper>

package/src/rbac/engine.ts

@@ -296,7 +296,7 @@ export class RBACEngine {
 
     // Check organisation role
     if (scope.organisationId) {
-      const { data: orgRole } = await this.supabase
+      const { data: orgRoles } = await this.supabase
         .from('rbac_organisation_roles')
         .select('role')
         .eq('user_id', userId)
@@ -305,7 +305,9 @@ export class RBACEngine {
         .is('revoked_at', null)
         .lte('valid_from', now)
         .or(`valid_to.is.null,valid_to.gte.${now}`)
-        .single() as { data: { role: string } | null; error: any };
+        .limit(1) as { data: Array<{ role: string }> | null; error: any };
+
+      const orgRole = orgRoles?.[0];
 
       if (orgRole?.role === 'org_admin') {
         rbacCache.set(cacheKey, 'admin', 60000);