feat(api): migrar controllers admin a RequirePermission [UDT-006]

2026-04-15 16:34:32 -03:00
parent 4866c4f21f
commit 0218d8d371
10 changed files with 238 additions and 20 deletions
--- a/tests/SIGCM2.Api.Tests/Usuarios/CreateUsuarioEndpointTests.cs
+++ b/tests/SIGCM2.Api.Tests/Usuarios/CreateUsuarioEndpointTests.cs
@@ -388,6 +388,56 @@ public sealed class CreateUsuarioEndpointTests : IAsyncLifetime
        }
    }

+    // ---------------------------------------------------------------------------
+    // UDT-006 Scenario: 403 con ProblemDetails shape — token cajero sin permiso administracion:usuarios:gestionar
+    // ---------------------------------------------------------------------------
+    [Fact]
+    public async Task CreateUsuario_WithCajeroRole_Returns403WithProblemDetailsShape()
+    {
+        const string username = "udt006_403_shape_test";
+        try
+        {
+            var token = await CreateCajeroTokenAsync(username);
+            using var request = BuildRequest(HttpMethod.Post, Endpoint, ValidCreateBody("shape_target"), token);
+            var response = await _client.SendAsync(request);
+
+            Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+
+            // Content-Type must be application/problem+json
+            Assert.Contains("problem+json", response.Content.Headers.ContentType?.MediaType ?? "");
+
+            var json = await response.Content.ReadFromJsonAsync<JsonElement>();
+            Assert.Equal(403, json.GetProperty("status").GetInt32());
+            Assert.Equal("Acceso denegado", json.GetProperty("title").GetString());
+            Assert.True(json.TryGetProperty("permisoRequerido", out var perm),
+                "Response must contain 'permisoRequerido'");
+            Assert.Equal("administracion:usuarios:gestionar", perm.GetString());
+        }
+        finally
+        {
+            await DeleteUsuarioAsync(username);
+        }
+    }
+
+    // Helper: create a cajero user and return its token
+    private async Task<string> CreateCajeroTokenAsync(string username)
+    {
+        var adminToken = await GetBearerTokenAsync(AdminUsername, AdminPassword);
+        using var mkUser = BuildRequest(HttpMethod.Post, Endpoint, new
+        {
+            username,
+            password = "Secure1234!",
+            nombre = "Cajero",
+            apellido = "Test",
+            email = (string?)null,
+            rol = "cajero"
+        }, adminToken);
+        var mkResp = await _client.SendAsync(mkUser);
+        if (mkResp.StatusCode != HttpStatusCode.Created && mkResp.StatusCode != HttpStatusCode.Conflict)
+            Assert.Fail($"Seed cajero failed: {mkResp.StatusCode}");
+        return await GetBearerTokenAsync(username, "Secure1234!");
+    }
+
    // ---------------------------------------------------------------------------
    // Scenario 7 (UDT-004 Phase 5.3): 400 — rol existe pero está inactivo
    // ---------------------------------------------------------------------------