
Commit 9b07180

test(authz): add viewer-denied middleware test for UpdateMembership
Mirror TestViewerDeniedDeleteMembership to cover the UpdateMembership deny path through the authz middleware. Signed-off-by: Matías Insaurralde <matias@chainloop.dev>
1 parent 748d625 commit 9b07180

1 file changed

Lines changed: 16 additions & 0 deletions


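--- a/app/controlplane/pkg/authz/middleware/middleware_test.go
+++ b/app/controlplane/pkg/authz/middleware/middleware_test.go
@@ -270,3 +270,19 @@ func TestViewerDeniedDeleteMembership(t *testing.T) {
 assert.Error(t, err)
 assert.True(t, errors.IsForbidden(err))
 }
+
+func TestViewerDeniedUpdateMembership(t *testing.T) {
+logger := log.NewHelper(log.NewStdLogger(io.Discard))
+
+ctx := context.Background()
+ctx = usercontext.WithAuthzSubject(ctx, string(authz.RoleViewer))
+ctx = transport.NewServerContext(ctx, &mockTransport{operation: "/controlplane.v1.OrganizationService/UpdateMembership"})
+
+e := NewMockEnforcer(t)
+e.On("Enforce", mock.Anything, string(authz.RoleViewer), authz.PolicyOrganizationMembershipsUpdate).Return(false, nil)
+
+m := WithAuthzMiddleware(e, logger)
+_, err := m(emptyHandler)(ctx, nil)
+assert.Error(t, err)
+assert.True(t, errors.IsForbidden(err))
+}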
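Review bot: The two assertions at the end of TestViewerDeniedUpdateMembership check only the returned error, so the test would still pass if the middleware invoked the wrapped handler and then returned Forbidden; for an authorization gate the property worth pinning is that a denied request never reaches the handler. `emptyHandler` is defined outside this hunk, so it is assumed here to be a no-op that records nothing. Consider passing a handler that fails the test when called, e.g. `h := func(context.Context, interface{}) (interface{}, error) { t.Error("handler reached after deny"); return nil, nil }` followed by `_, err := m(h)(ctx, nil)`. Since this test mirrors TestViewerDeniedDeleteMembership (only its tail is visible), the same tightening likely applies there, and a table-driven test over operation/policy pairs would cover both deny paths without duplicating the body.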
