Add authorization helper for admin capabilities

GitOrigin-RevId: fbf28c89500481e379db6c49512876d867478eb7
2026-05-23 17:19:37 +02:00 · 2025-08-06 17:00:30 +01:00
parent 5e3ea318e3
commit cce55cf3d8
2 changed files with 80 additions and 0 deletions
--- a/services/web/app/src/Features/UserMembership/UserMembershipAuthorization.js
+++ b/services/web/app/src/Features/UserMembership/UserMembershipAuthorization.js
@@ -1,3 +1,4 @@
+const { hasAdminAccess } = require('../Helpers/AdminAuthorizationHelper')
 const UserMembershipAuthorization = {
  hasStaffAccess(requiredStaffAccess) {
    return req => {
@@ -12,6 +13,18 @@ const UserMembershipAuthorization = {
    }
  },

+  hasAdminCapability(capability) {
+    return req => {
+      if (!hasAdminAccess(req.user)) {
+        return false
+      }
+      if (!req.adminCapabilitiesAvailable) {
+        return true
+      }
+      return req.adminCapabilities?.includes(capability)
+    }
+  },
+
  hasEntityAccess() {
    return req => {
      if (!req.entity) {
--- a/services/web/test/unit/src/UserMembership/UserMembershipAuthorizationTests.js
+++ b/services/web/test/unit/src/UserMembership/UserMembershipAuthorizationTests.js
@@ -0,0 +1,67 @@
+const { expect } = require('chai')
+const sinon = require('sinon')
+const SandboxedModule = require('sandboxed-module')
+
+const modulePath =
+  '../../../../app/src/Features/UserMembership/UserMembershipAuthorization'
+
+describe('UserMembershipAuthorization', function () {
+  let hasAdminAccess, UserMembershipAuthorization
+  beforeEach(function () {
+    hasAdminAccess = sinon.stub().returns(true)
+    UserMembershipAuthorization = SandboxedModule.require(modulePath, {
+      requires: {
+        '../Helpers/AdminAuthorizationHelper': {
+          hasAdminAccess,
+        },
+      },
+    })
+  })
+  describe('hasAdminCapability', function () {
+    describe('when user is not an admin', function () {
+      it('returns false', function () {
+        hasAdminAccess.returns(false)
+        const req = { user: {} }
+        expect(
+          UserMembershipAuthorization.hasAdminCapability('capability')(req)
+        ).to.be.false
+      })
+    })
+    describe('when user is an admin', function () {
+      describe('when adminCapabilitiesAvailable is falsey', function () {
+        it('returns true', function () {
+          const req = { user: {}, adminCapabilitiesAvailable: false }
+          expect(
+            UserMembershipAuthorization.hasAdminCapability('capability')(req)
+          ).to.be.true
+        })
+      })
+      describe('when adminCapabilitiesAvailable is true', function () {
+        describe('when user has the requested capability', function () {
+          it('returns true', function () {
+            const req = {
+              user: {},
+              adminCapabilitiesAvailable: true,
+              adminCapabilities: ['capability'],
+            }
+            expect(
+              UserMembershipAuthorization.hasAdminCapability('capability')(req)
+            ).to.be.true
+          })
+        })
+        describe('when user does not have the requested capability', function () {
+          it('returns false', function () {
+            const req = {
+              user: {},
+              adminCapabilitiesAvailable: true,
+              adminCapabilities: ['other-capability'],
+            }
+            expect(
+              UserMembershipAuthorization.hasAdminCapability('capability')(req)
+            ).to.be.false
+          })
+        })
+      })
+    })
+  })
+})