@jmruthers/pace-core 0.6.4 → 0.6.6

package/src/rbac/hooks/useResourcePermissions.test.ts

@@ -11,6 +11,7 @@ import { renderHook, waitFor } from '@testing-library/react';
 import { vi, describe, it, expect, beforeEach, afterEach } from 'vitest';
 import { useResourcePermissions } from './useResourcePermissions';
 import type { Scope } from '../types';
+import { isSuperAdmin } from '../api';
 
 // Mock dependencies
 vi.mock('../../providers/services/UnifiedAuthProvider', () => ({
@@ -33,6 +34,12 @@ vi.mock('./usePermissions', () => ({
   useCan: vi.fn(),
 }));
 
+vi.mock('../api', () => ({
+  isSuperAdmin: vi.fn(),
+}));
+
+const mockIsSuperAdmin = vi.mocked(isSuperAdmin);
+
 import { useUnifiedAuth } from '../../providers/services/UnifiedAuthProvider';
 import { useOrganisations } from '../../hooks/useOrganisations';
 import { useEvents } from '../../hooks/useEvents';
@@ -89,11 +96,14 @@ describe('useResourcePermissions Hook', () => {
     } as any);
 
     mockUseResolvedScope.mockReturnValue({
-      resolvedScope: mockScope,
+      resolvedScope: mockScope, // Use correct property name from UseResolvedScopeReturn interface
       isLoading: false,
       error: null,
     });
 
+    // Mock isSuperAdmin to resolve immediately (prevents isLoading from being true due to super admin check)
+    mockIsSuperAdmin.mockResolvedValue(false);
+
     // Default useCan mocks - all permissions allowed
     mockUseCan.mockReturnValue({
       can: true,
@@ -117,9 +127,16 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.canRead).toBeTypeOf('function');
     });
 
-    it('returns scope object', () => {
+    it('returns scope object', async () => {
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
+      // The hook returns resolvedScope if available, otherwise fallback scope
+      // Since mockScope has appId, it should be returned as-is
       expect(result.current.scope).toEqual(mockScope);
     });
 
@@ -130,27 +147,46 @@ describe('useResourcePermissions Hook', () => {
         supabase: mockSupabase,
         selectedOrganisationId: 'org-123',
         selectedEventId: 'event-123',
+        selectedEventOrganisationId: null, // Mock event doesn't have organisation_id, so it becomes null
       });
     });
 
-    it('calls useCan for each permission type', () => {
+    it('calls useCan for each permission type', async () => {
       renderHook(() => useResourcePermissions('contacts'));
 
-      expect(mockUseCan).toHaveBeenCalledTimes(4); // create, update, delete, read
-      // When appId is available in scope, resource name is passed as pageId to enable page permission checks
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(mockUseCan).toHaveBeenCalled();
+      });
+
+      // The hook calls useCan for each permission type (create, update, delete, read)
+      // Note: It may be called multiple times due to re-renders during super admin check,
+      // so we verify that all four permission types are checked rather than exact call count
+      const calls = mockUseCan.mock.calls;
+      expect(calls.length).toBeGreaterThanOrEqual(4);
+      
+      // When appId is available in resolvedScope, permission strings include page. prefix
+      // and resource name is passed as pageId to enable page permission checks
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
-        mockScope,
-        'create:contacts',
-        'contacts', // pageId is resource name when appId is available
+        mockScope, // resolvedScope is used when available
+        'create:page.contacts',
+        'contacts', // pageId is resource name when appId is available in resolvedScope
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (resolved after async check)
         undefined // appName
       );
+      
+      // Verify all four permission types are checked
+      const permissions = calls.map(call => call[2]); // permission is the 3rd argument
+      expect(permissions).toContain('create:page.contacts');
+      expect(permissions).toContain('update:page.contacts');
+      expect(permissions).toContain('delete:page.contacts');
+      expect(permissions).toContain('read:page.contacts');
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         mockScope,
-        'update:contacts',
+        'update:page.contacts',
         'contacts', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -159,7 +195,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         mockScope,
-        'delete:contacts',
+        'delete:page.contacts',
         'contacts', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -168,7 +204,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         mockScope,
-        'read:contacts',
+        'read:page.contacts',
         'contacts', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -191,9 +227,10 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.canCreate('contacts')).toBe(true);
     });
 
-    it('returns false when user cannot create resource', () => {
+    it('returns false when user cannot create resource', async () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:contacts') {
+        // When appId is available in resolvedScope, permission format is 'create:page.contacts'
+        if (permission === 'create:page.contacts' || permission === 'create:contacts') {
           return {
             can: false,
             isLoading: false,
@@ -211,6 +248,11 @@ describe('useResourcePermissions Hook', () => {
 
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       expect(result.current.canCreate('contacts')).toBe(false);
       expect(result.current.canUpdate('contacts')).toBe(true);
       expect(result.current.canDelete('contacts')).toBe(true);
@@ -232,9 +274,10 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.canRead('contacts')).toBe(true);
     });
 
-    it('checks read permissions when enableRead is true', () => {
+    it('checks read permissions when enableRead is true', async () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:contacts') {
+        // When appId is available in resolvedScope, permission format is 'read:page.contacts'
+        if (permission === 'read:page.contacts' || permission === 'read:contacts') {
           return {
             can: true,
             isLoading: false,
@@ -254,12 +297,18 @@ describe('useResourcePermissions Hook', () => {
         useResourcePermissions('contacts', { enableRead: true })
       );
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       expect(result.current.canRead('contacts')).toBe(true);
     });
 
-    it('returns false for read when permission is denied and enableRead is true', () => {
+    it('returns false for read when permission is denied and enableRead is true', async () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:contacts') {
+        // When appId is available in resolvedScope, permission format is 'read:page.contacts'
+        if (permission === 'read:page.contacts' || permission === 'read:contacts') {
           return {
             can: false,
             isLoading: false,
@@ -279,6 +328,11 @@ describe('useResourcePermissions Hook', () => {
         useResourcePermissions('contacts', { enableRead: true })
       );
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       expect(result.current.canRead('contacts')).toBe(false);
     });
   });
@@ -398,7 +452,7 @@ describe('useResourcePermissions Hook', () => {
   });
 
   describe('Missing User Context', () => {
-    it('handles missing user gracefully', () => {
+    it('handles missing user gracefully', async () => {
       mockUseUnifiedAuth.mockReturnValue({
         user: null,
         supabase: mockSupabase,
@@ -406,21 +460,26 @@ describe('useResourcePermissions Hook', () => {
 
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
+      // Wait for super admin check to complete (will be false when user is null)
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       // When user is null, userId is empty string, but scope and permissions are still checked
-      // Since mockScope has appId, pageId will be the resource name ('contacts')
+      // Since resolvedScope (mockScope) has appId, permission strings include page. prefix
       expect(mockUseCan).toHaveBeenCalledWith(
         '',
-        mockScope,
-        'create:contacts',
-        'contacts', // pageId is resource name when appId is available in scope
+        mockScope, // resolvedScope is used when available
+        'create:page.contacts',
+        'contacts', // pageId is resource name when appId is available in resolvedScope
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (false when user is null)
         undefined // appName
       );
       expect(mockUseCan).toHaveBeenCalledWith(
         '',
         mockScope,
-        'update:contacts',
+        'update:page.contacts',
         'contacts',
         true,
         null, // precomputedSuperAdmin
@@ -429,7 +488,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         '',
         mockScope,
-        'delete:contacts',
+        'delete:page.contacts',
         'contacts',
         true,
         null, // precomputedSuperAdmin
@@ -438,7 +497,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         '',
         mockScope,
-        'read:contacts',
+        'read:page.contacts',
         'contacts',
         true,
         null, // precomputedSuperAdmin
@@ -453,11 +512,11 @@ describe('useResourcePermissions Hook', () => {
         throw new Error('Event provider not available');
       });
 
-      mockUseResolvedScope.mockReturnValue({
-        resolvedScope: mockScope,
-        isLoading: false,
-        error: null,
-      });
+    mockUseResolvedScope.mockReturnValue({
+      resolvedScope: mockScope,
+      isLoading: false, // Scope is resolved
+      error: null,
+    });
 
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
@@ -481,7 +540,7 @@ describe('useResourcePermissions Hook', () => {
 
     it('aggregates loading states from permission checks', () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:contacts') {
+        if (permission === 'create:page.contacts') {
           return {
             can: false,
             isLoading: true,
@@ -504,7 +563,7 @@ describe('useResourcePermissions Hook', () => {
 
     it('includes read loading state when enableRead is true', () => {
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:contacts') {
+        if (permission === 'read:page.contacts') {
           return {
             can: false,
             isLoading: true,
@@ -527,12 +586,20 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.isLoading).toBe(true);
     });
 
-    it('excludes read loading state when enableRead is false', () => {
+    it('excludes read loading state when enableRead is false', async () => {
+      // Ensure scope is resolved (not loading) - this prevents scopeLoading from contributing to isLoading
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: mockScope, // Use correct property name
+        isLoading: false,
+        error: null,
+      });
+      
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'read:contacts') {
+        // Read permission check should not contribute to isLoading when enableRead is false
+        if (permission === 'read:page.contacts' || permission === 'read:contacts') {
           return {
             can: false,
-            isLoading: true,
+            isLoading: true, // Read is loading, but should be excluded
             error: null,
             refetch: vi.fn(),
           } as any;
@@ -545,9 +612,12 @@ describe('useResourcePermissions Hook', () => {
         } as any;
       });
 
-      const { result } = renderHook(() => useResourcePermissions('contacts'));
+      const { result } = renderHook(() => useResourcePermissions('contacts', { enableRead: false }));
 
-      expect(result.current.isLoading).toBe(false);
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
     });
   });
 
@@ -565,10 +635,11 @@ describe('useResourcePermissions Hook', () => {
       expect(result.current.error).toEqual(scopeError);
     });
 
-    it('aggregates errors from permission checks', () => {
+    it('aggregates errors from permission checks', async () => {
       const permissionError = new Error('Permission check failed');
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:contacts') {
+        // When appId is available in resolvedScope, permission format is 'create:page.contacts'
+        if (permission === 'create:page.contacts' || permission === 'create:contacts') {
           return {
             can: false,
             isLoading: false,
@@ -586,6 +657,11 @@ describe('useResourcePermissions Hook', () => {
 
       const { result } = renderHook(() => useResourcePermissions('contacts'));
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(result.current.isLoading).toBe(false);
+      });
+
       expect(result.current.error).toEqual(permissionError);
     });
 
@@ -600,7 +676,7 @@ describe('useResourcePermissions Hook', () => {
       });
 
       mockUseCan.mockImplementation((userId, scope, permission) => {
-        if (permission === 'create:contacts') {
+        if (permission === 'create:page.contacts') {
           return {
             can: false,
             isLoading: false,
@@ -629,17 +705,22 @@ describe('useResourcePermissions Hook', () => {
   });
 
   describe('Options', () => {
-    it('respects enableRead option', () => {
+    it('respects enableRead option', async () => {
       renderHook(() => useResourcePermissions('contacts', { enableRead: true }));
 
-      // Should still call useCan for read permission
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(mockUseCan).toHaveBeenCalled();
+      });
+
+      // Should call useCan for read permission with page. prefix when appId is available in resolvedScope
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
-        'read:contacts',
-        'contacts', // pageId is resource name when appId is available
+        'read:page.contacts',
+        'contacts', // pageId is resource name when appId is available in resolvedScope
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (resolved after async check)
         undefined // appName
       );
     });
@@ -653,22 +734,28 @@ describe('useResourcePermissions Hook', () => {
   });
 
   describe('Different Resources', () => {
-    it('works with different resource names', () => {
+    it('works with different resource names', async () => {
       renderHook(() => useResourcePermissions('risks'));
 
+      // Wait for super admin check to complete
+      await waitFor(() => {
+        expect(mockUseCan).toHaveBeenCalled();
+      });
+
+      // When appId is available in resolvedScope, permission format includes page. prefix
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
-        'create:risks',
-        'risks', // pageId is resource name when appId is available
+        'create:page.risks',
+        'risks', // pageId is resource name when appId is available in resolvedScope
         true,
-        null, // precomputedSuperAdmin
+        false, // precomputedSuperAdmin (resolved after async check)
         undefined // appName
       );
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
-        'update:risks',
+        'update:page.risks',
         'risks', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -677,7 +764,7 @@ describe('useResourcePermissions Hook', () => {
       expect(mockUseCan).toHaveBeenCalledWith(
         expect.any(String),
         expect.any(Object),
-        'delete:risks',
+        'delete:page.risks',
         'risks', // pageId is resource name when appId is available
         true,
         null, // precomputedSuperAdmin
@@ -687,7 +774,7 @@ describe('useResourcePermissions Hook', () => {
   });
 
   describe('Page Permission Support', () => {
-    it('passes resource name as pageId when appId is available in scope', () => {
+    it('constructs permission strings with page. prefix when appId is available', () => {
       const scopeWithAppId: Scope = {
         organisationId: 'org-123',
         eventId: 'event-123',
@@ -702,20 +789,38 @@ describe('useResourcePermissions Hook', () => {
 
       renderHook(() => useResourcePermissions('planning'));
 
-      // When appId is available, resource name should be passed as pageId
-      // This enables the RPC function to check page permissions
+      // When appId is available, permission strings should include page. prefix
+      // and resource name should be passed as pageId to enable page permission checks
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         scopeWithAppId,
-        'create:planning',
+        'create:page.planning',
         'planning', // Resource name passed as pageId to enable page permission checks
         true,
         null, // precomputedSuperAdmin
         undefined // appName
       );
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithAppId,
+        'update:page.planning',
+        'planning',
+        true,
+        null,
+        undefined
+      );
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithAppId,
+        'delete:page.planning',
+        'planning',
+        true,
+        null,
+        undefined
+      );
     });
 
-    it('does not pass pageId when appId is not available', () => {
+    it('does not add page. prefix when appId is not available', () => {
       const scopeWithoutAppId: Scope = {
         organisationId: 'org-123',
         eventId: 'event-123',
@@ -730,8 +835,8 @@ describe('useResourcePermissions Hook', () => {
 
       renderHook(() => useResourcePermissions('planning'));
 
-      // When appId is not available, pageId should be undefined
-      // This falls back to resource-based permission checking
+      // When appId is not available, permission strings should NOT include page. prefix
+      // and pageId should be undefined - falls back to resource-based permission checking
       expect(mockUseCan).toHaveBeenCalledWith(
         'user-123',
         scopeWithoutAppId,
@@ -741,6 +846,82 @@ describe('useResourcePermissions Hook', () => {
         null, // precomputedSuperAdmin
         undefined // appName
       );
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithoutAppId,
+        'update:planning',
+        undefined,
+        true,
+        null,
+        undefined
+      );
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithoutAppId,
+        'delete:planning',
+        undefined,
+        true,
+        null,
+        undefined
+      );
+    });
+
+    it('waits for scope resolution before using page permissions (timing fix)', () => {
+      // Simulate scope resolution in progress (resolvedScope is null, isLoading is true)
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: null,
+        isLoading: true,
+        error: null,
+      });
+
+      renderHook(() => useResourcePermissions('planning'));
+
+      // During scope loading, should use resource-based permissions (no page. prefix)
+      // because resolvedScope is null, so hasAppId is false
+      const fallbackScope: Scope = {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: undefined,
+      };
+
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        fallbackScope,
+        'create:planning', // Resource-based permission (no page. prefix) during loading
+        undefined, // No pageId when appId is not available
+        true,
+        null,
+        undefined
+      );
+
+      // Now simulate scope resolution completing with appId
+      const scopeWithAppId: Scope = {
+        organisationId: 'org-123',
+        eventId: 'event-123',
+        appId: 'app-123',
+      };
+
+      mockUseResolvedScope.mockReturnValue({
+        resolvedScope: scopeWithAppId,
+        isLoading: false,
+        error: null,
+      });
+
+      // Re-render to trigger update
+      const { rerender } = renderHook(() => useResourcePermissions('planning'));
+      rerender();
+
+      // After scope resolution, should use page permissions (with page. prefix)
+      // because resolvedScope.appId is now available, so hasAppId is true
+      expect(mockUseCan).toHaveBeenCalledWith(
+        'user-123',
+        scopeWithAppId,
+        'create:page.planning', // Page-based permission (with page. prefix) after resolution
+        'planning', // pageId is resource name when appId is available
+        true,
+        null,
+        undefined
+      );
     });
   });
 });