package job import ( "net/http/httptest" "testing" "hyapp-admin-server/internal/middleware" "hyapp-admin-server/internal/model" "github.com/gin-gonic/gin" ) func TestCanReadJobScopesAppUserExportToCreator(t *testing.T) { gin.SetMode(gin.TestMode) context, _ := gin.CreateTestContext(httptest.NewRecorder()) context.Set(middleware.ContextUserID, uint(7)) context.Set(middleware.ContextPermissions, []string{"app-user:export"}) owned := &model.AdminJob{ID: 1, Type: "app-user-export", CreatedBy: 7} if !canReadJob(context, owned) { t.Fatal("app-user exporter must read own export job") } if canReadJob(context, &model.AdminJob{ID: 2, Type: "app-user-export", CreatedBy: 8}) { t.Fatal("app-user exporter must not read another operator's export") } if canReadJob(context, &model.AdminJob{ID: 3, Type: "country-code-rename", CreatedBy: 7}) { t.Fatal("app-user exporter must not read unrelated job types") } context.Set(middleware.ContextPermissions, []string{"job:view"}) if !canReadJob(context, &model.AdminJob{ID: 4, Type: "country-code-rename", CreatedBy: 8}) { t.Fatal("job viewer must retain broad read access") } }