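package tests

import (
	"testing"
)

// TestResourcePermission exercises the authorization rules of
// PATCH /api/users/{id}: the admin and the user themselves may change a
// user's nickname, while an ordinary user must be refused when targeting
// another user or the admin.
//
// The fixtures and helpers it depends on (ensureUsers, doRequest,
// assertStatus, decodeResponse, the *ID/*Token values and the
// UserResp/BaseResp types) are defined elsewhere in this package.
func TestResourcePermission(t *testing.T) {
	ensureUsers(t)

	// Case 1: Admin modifies User1 (Should Success)
	t.Run("Admin modifies User1", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/users/"+User1ID, map[string]string{
			"nickname": "Edited By Admin",
		}, AdminToken)
		assertStatus(t, resp, 200)

		var data UserResp
		decodeResponse(t, resp, &data)
		if data.Nickname != "Edited By Admin" {
			t.Errorf("Expected nickname 'Edited By Admin', got '%s'", data.Nickname)
		}
	})

	// Case 2: User1 modifies User1 (Should Success)
	t.Run("User1 modifies User1", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/users/"+User1ID, map[string]string{
			"nickname": "Edited By Self",
		}, User1Token)
		assertStatus(t, resp, 200)

		var data UserResp
		decodeResponse(t, resp, &data)
		if data.Nickname != "Edited By Self" {
			t.Errorf("Expected nickname 'Edited By Self', got '%s'", data.Nickname)
		}
	})

	// Case 3: User1 modifies User2 (Should Fail 403/404)
	t.Run("User1 modifies User2", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/users/"+User2ID, map[string]string{
			"nickname": "Hacked By User1",
		}, User1Token)

		switch {
		case resp.Code >= 500:
			// A server error is not an access-control decision. Accepting any
			// non-200 status (as the previous check did) would let a crashing
			// handler pass as "denied".
			t.Errorf("Expected a 4xx status or an application error code, got HTTP %d", resp.Code)
		case resp.Code != 200:
			// Expecting 403 Forbidden or 404 NotFound (401 Unauthorized is also a denial).
		default:
			// HTTP 200 is only acceptable when the body carries a Vigo error
			// code. Common Forbidden/NotFound codes: 40300, 40400, etc.
			// Or maybe 40100 Unauthorized.
			var errResp BaseResp
			decodeResponse(t, resp, &errResp)
			if errResp.Code < 40000 {
				t.Errorf("Expected error code, got %d. Msg: %s", errResp.Code, errResp.Msg)
			}
		}
		// TODO(review): also read User2 back and assert the nickname is still
		// unchanged; the read endpoint/helper for that is not visible here.
	})

	// Case 4: User1 modifies Admin (Should Fail 403/404)
	t.Run("User1 modifies Admin", func(t *testing.T) {
		resp := doRequest(t, "PATCH", "/api/users/"+AdminID, map[string]string{
			"nickname": "Hacked By User1",
		}, User1Token)

		switch {
		case resp.Code >= 500:
			// Same reasoning as Case 3: a 5xx must not count as a denial.
			t.Errorf("Expected a 4xx status or an application error code, got HTTP %d", resp.Code)
		case resp.Code != 200:
			// Any 4xx denial is acceptable.
		default:
			var errResp BaseResp
			decodeResponse(t, resp, &errResp)
			if errResp.Code < 40000 {
				t.Errorf("Expected error code, got %d. Msg: %s", errResp.Code, errResp.Msg)
			}
		}
		// TODO(review): also read the admin back and assert the nickname is
		// unchanged; the read endpoint/helper for that is not visible here.
	})
}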