feat(api): migrar controllers admin a RequirePermission [UDT-006]

2026-04-15 16:34:32 -03:00
parent 4866c4f21f
commit 0218d8d371
10 changed files with 238 additions and 20 deletions
--- a/tests/SIGCM2.Api.Tests/Permisos/PermisosEndpointTests.cs
+++ b/tests/SIGCM2.Api.Tests/Permisos/PermisosEndpointTests.cs
@@ -130,7 +130,7 @@ public sealed class PermisosEndpointTests : IAsyncLifetime
    // ── GET /api/v1/permisos — catalog ───────────────────────────────────────

    [Fact]
-    public async Task GetPermisos_WithAdmin_Returns200With18Items()
+    public async Task GetPermisos_WithAdmin_Returns200With21Items()
    {
        var token = await GetBearerTokenAsync(AdminUsername, AdminPassword);
        using var req = BuildRequest(HttpMethod.Get, "/api/v1/permisos", bearerToken: token);
@@ -138,7 +138,8 @@ public sealed class PermisosEndpointTests : IAsyncLifetime

        Assert.Equal(HttpStatusCode.OK, resp.StatusCode);
        var list = await resp.Content.ReadFromJsonAsync<JsonElement>();
-        Assert.Equal(18, list.GetArrayLength());
+        // V007 (UDT-006) adds 3 new admin permisos → 21 total
+        Assert.Equal(21, list.GetArrayLength());
    }

    [Fact]
@@ -181,7 +182,7 @@ public sealed class PermisosEndpointTests : IAsyncLifetime
    // ── GET /api/v1/roles/{codigo}/permisos ──────────────────────────────────

    [Fact]
-    public async Task GetRolPermisos_AdminRol_Returns200With18Items()
+    public async Task GetRolPermisos_AdminRol_Returns200With21Items()
    {
        var token = await GetBearerTokenAsync(AdminUsername, AdminPassword);
        using var req = BuildRequest(HttpMethod.Get, "/api/v1/roles/admin/permisos", bearerToken: token);
@@ -189,7 +190,8 @@ public sealed class PermisosEndpointTests : IAsyncLifetime

        Assert.Equal(HttpStatusCode.OK, resp.StatusCode);
        var list = await resp.Content.ReadFromJsonAsync<JsonElement>();
-        Assert.Equal(18, list.GetArrayLength());
+        // V007 (UDT-006) adds 3 new admin permisos → 21 total
+        Assert.Equal(21, list.GetArrayLength());
    }

    [Fact]
@@ -424,4 +426,63 @@ public sealed class PermisosEndpointTests : IAsyncLifetime
            await DeleteUsuarioIfExistsAsync(username);
        }
    }
+
+    // ── UDT-006: 403 ProblemDetails shape ─────────────────────────────────────
+
+    [Fact]
+    public async Task GetPermisos_WithCajeroToken_Returns403WithProblemDetailsShape()
+    {
+        const string username = "udt006_permisos_403_cajero";
+        try
+        {
+            var token = await CreateNonAdminUserAndGetTokenAsync(username);
+            using var req = BuildRequest(HttpMethod.Get, "/api/v1/permisos", bearerToken: token);
+            var resp = await _client.SendAsync(req);
+
+            Assert.Equal(HttpStatusCode.Forbidden, resp.StatusCode);
+            Assert.Contains("problem+json", resp.Content.Headers.ContentType?.MediaType ?? "");
+
+            var json = await resp.Content.ReadFromJsonAsync<JsonElement>();
+            Assert.Equal(403, json.GetProperty("status").GetInt32());
+            Assert.Equal("Acceso denegado", json.GetProperty("title").GetString());
+            Assert.True(json.TryGetProperty("permisoRequerido", out var perm),
+                "Response must contain 'permisoRequerido'");
+            // GET /permisos migra a administracion:permisos:ver
+            Assert.Equal("administracion:permisos:ver", perm.GetString());
+        }
+        finally
+        {
+            await DeleteUsuarioIfExistsAsync(username);
+        }
+    }
+
+    [Fact]
+    public async Task PutRolPermisos_WithCajeroToken_Returns403WithProblemDetailsShape()
+    {
+        const string username = "udt006_put_permisos_403";
+        try
+        {
+            var token = await CreateNonAdminUserAndGetTokenAsync(username);
+            using var req = BuildRequest(
+                HttpMethod.Put,
+                "/api/v1/roles/cajero/permisos",
+                new { codigos = new[] { "ventas:contado:crear" } },
+                token);
+            var resp = await _client.SendAsync(req);
+
+            Assert.Equal(HttpStatusCode.Forbidden, resp.StatusCode);
+            Assert.Contains("problem+json", resp.Content.Headers.ContentType?.MediaType ?? "");
+
+            var json = await resp.Content.ReadFromJsonAsync<JsonElement>();
+            Assert.Equal(403, json.GetProperty("status").GetInt32());
+            Assert.True(json.TryGetProperty("permisoRequerido", out var perm),
+                "Response must contain 'permisoRequerido'");
+            // PUT /roles/{c}/permisos migra a administracion:roles_permisos:gestionar
+            Assert.Equal("administracion:roles_permisos:gestionar", perm.GetString());
+        }
+        finally
+        {
+            await DeleteUsuarioIfExistsAsync(username);
+        }
+    }
 }