feat(api): migrar controllers admin a RequirePermission [UDT-006]

2026-04-15 16:34:32 -03:00
parent 4866c4f21f
commit 0218d8d371
10 changed files with 238 additions and 20 deletions
--- a/tests/SIGCM2.Api.Tests/Roles/RolesEndpointTests.cs
+++ b/tests/SIGCM2.Api.Tests/Roles/RolesEndpointTests.cs
@@ -350,4 +350,51 @@ public sealed class RolesEndpointTests : IAsyncLifetime
        Assert.Equal(HttpStatusCode.NotFound, resp.StatusCode);
    }

+    // ── UDT-006: 403 ProblemDetails shape ────────────────────────────────────
+
+    [Fact]
+    public async Task GetRoles_WithCajeroToken_Returns403WithProblemDetailsShape()
+    {
+        const string username = "udt006_roles_403_cajero";
+        try
+        {
+            var token = await CreateCajeroTokenAsync(username);
+            var resp = await _client.SendAsync(BuildRequest(HttpMethod.Get, Endpoint, bearerToken: token));
+
+            Assert.Equal(HttpStatusCode.Forbidden, resp.StatusCode);
+            Assert.Contains("problem+json", resp.Content.Headers.ContentType?.MediaType ?? "");
+
+            var json = await resp.Content.ReadFromJsonAsync<JsonElement>();
+            Assert.Equal(403, json.GetProperty("status").GetInt32());
+            Assert.Equal("Acceso denegado", json.GetProperty("title").GetString());
+            Assert.True(json.TryGetProperty("permisoRequerido", out var perm),
+                "Response must contain 'permisoRequerido'");
+            // RolesController migra a administracion:roles:gestionar
+            Assert.Equal("administracion:roles:gestionar", perm.GetString());
+        }
+        finally
+        {
+            await DeleteUsuarioIfExistsAsync(username);
+        }
+    }
+
+    // Helper: create cajero user via SQL and return token
+    private async Task<string> CreateCajeroTokenAsync(string username)
+    {
+        var adminToken = await GetBearerTokenAsync(AdminUsername, AdminPassword);
+        using var mkUser = BuildRequest(HttpMethod.Post, "/api/v1/users", new
+        {
+            username,
+            password = "Secure1234!",
+            nombre = "Cajero",
+            apellido = "Test",
+            email = (string?)null,
+            rol = "cajero"
+        }, adminToken);
+        var mkResp = await _client.SendAsync(mkUser);
+        if (mkResp.StatusCode != HttpStatusCode.Created && mkResp.StatusCode != HttpStatusCode.Conflict)
+            Assert.Fail($"Seed cajero failed: {mkResp.StatusCode}");
+        return await GetBearerTokenAsync(username, "Secure1234!");
+    }
+
 }