OneAuth/tests/org_permission_test.go


package tests
import (
"testing"
)
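// TestOrgPermission checks who may update an organization through the HTTP
// API. User1 creates the org and acts as its owner; User2 first attempts an
// update as an outsider, is then added as a member, and attempts it again.
// Both of User2's attempts must be rejected, while User1's update must succeed
// and be reflected in the response.
func TestOrgPermission(t *testing.T) {
	ensureUsers(t)

	// User1 is the org creator (owner); User2 starts as an outsider and is
	// later added as a member.
	var orgID string

	// 1. User1 creates the org.
	t.Run("User1 Creates Org", func(t *testing.T) {
		resp := doRequest(t, "POST", "/api/orgs", map[string]string{
			"code":        "test_org_1",
			"name":        "Test Org 1",
			"description": "Created by User1",
		}, User1Token)
		// The org code is fixed, so an org left over from a previous run
		// would make creation fail. The suite relies on a clean database,
		// so anything other than 200 is treated as a failure here.
		assertStatus(t, resp, 200)

		var data struct {
			ID string `json:"id"`
		}
		decodeResponse(t, resp, &data)
		orgID = data.ID
	})
	if orgID == "" {
		// Every later step builds its URL from orgID, so there is nothing
		// meaningful to test without it.
		t.Fatal("Failed to create org, skipping remaining org tests")
	}

	// 2. User2 tries to update the org (must fail: outsider).
	t.Run("User2 (Outsider) updates Org", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/orgs/"+orgID, map[string]string{
			"name": "Hacked By User2",
		}, User2Token)
		// A 5xx means the handler broke; it is not an authorization decision
		// and must not be counted as a successful denial.
		if resp.Code >= 500 {
			t.Errorf("Expected an authorization rejection, got server error %d", resp.Code)
			return
		}
		if resp.Code != 200 {
			// Rejected at the HTTP level.
			return
		}
		// HTTP 200 is acceptable only when the body carries an error code.
		// NOTE(review): presumably application error codes start at 40000;
		// confirm against the API's code table.
		var errResp BaseResp
		decodeResponse(t, resp, &errResp)
		if errResp.Code < 40000 {
			t.Errorf("Expected error code, got %d. Msg: %s", errResp.Code, errResp.Msg)
		}
		// NOTE(review): only the response is inspected. Reading the org back
		// and asserting the name is unchanged would also catch a handler that
		// reports an error after having applied the write.
	})

	// 3. User1 adds User2 as a member.
	t.Run("User1 adds User2 as Member", func(t *testing.T) {
		// Endpoint: POST /api/orgs/:id/members
		// Body: { user_id: "...", role: "member" }
		resp := doRequest(t, "POST", "/api/orgs/"+orgID+"/members", map[string]string{
			"user_id": User2ID,
			"role":    "member",
		}, User1Token)
		assertStatus(t, resp, 200)
	})

	// 4. User2 tries to update the org again (must fail: a member cannot
	// update org info).
	t.Run("User2 (Member) updates Org", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/orgs/"+orgID, map[string]string{
			"name": "Hacked By Member",
		}, User2Token)
		// Same rule as the outsider case: a server error is a test failure,
		// not evidence that the permission check worked.
		if resp.Code >= 500 {
			t.Errorf("Expected an authorization rejection, got server error %d", resp.Code)
			return
		}
		if resp.Code != 200 {
			// Rejected at the HTTP level.
			return
		}
		var errResp BaseResp
		decodeResponse(t, resp, &errResp)
		if errResp.Code < 40000 {
			t.Errorf("Expected error code, got %d. Msg: %s", errResp.Code, errResp.Msg)
		}
	})

	// 5. User1 (owner) updates the org (must succeed).
	t.Run("User1 (Owner) updates Org", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/orgs/"+orgID, map[string]string{
			"name": "Updated By User1",
		}, User1Token)
		assertStatus(t, resp, 200)

		var data OrgResp
		decodeResponse(t, resp, &data)
		if data.Name != "Updated By User1" {
			t.Errorf("Expected name 'Updated By User1', got '%s'", data.Name)
		}
	})
}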