Files
wehub-resource-sync 4cddfcf2f3
Backend Tests / Tests (other) (push) Failing after 1s
Backend Tests / Static Checks (push) Failing after 2s
Backend Tests / Tests (internal) (push) Failing after 2s
Backend Tests / Tests (server) (push) Failing after 1s
Backend Tests / Tests (store) (push) Failing after 1s
Build Canary Image / build-frontend (push) Failing after 1s
Frontend Tests / Lint (push) Failing after 1s
Build Canary Image / build-push (linux/amd64) (push) Has been skipped
Build Canary Image / build-push (linux/arm64) (push) Has been skipped
Build Canary Image / merge (push) Has been skipped
Frontend Tests / Build (push) Failing after 1s
Release Please / release-please (push) Failing after 0s
Proto Linter / Lint Protos (push) Failing after 2s
chore: import upstream snapshot with attribution
2026-07-13 12:02:24 +08:00

57 lines
2.0 KiB
Go

package v1
import (
"context"
"testing"
"github.com/stretchr/testify/assert"
"github.com/usememos/memos/internal/profile"
"github.com/usememos/memos/server/auth"
)
// TestAuthorizerCheckAccess exercises the method-level access policy matrix.
//
// The store-backed first-run CreateUser branch is covered by integration tests;
// every case here is decided without touching the store, so a nil store is safe.
func TestAuthorizerCheckAccess(t *testing.T) {
ctx := context.Background()
authenticated := &auth.AuthResult{AccessToken: "token"}
openInstance := &Authorizer{profile: &profile.Profile{InstanceURL: "https://memos.example.com"}}
privateInstance := &Authorizer{profile: &profile.Profile{InstanceURL: ""}}
const (
protectedMethod = "/memos.api.v1.MemoService/CreateMemo"
publicMethod = "/memos.api.v1.MemoService/ListMemos"
bootstrapMethod = "/memos.api.v1.AuthService/SignIn"
shareMethod = "/memos.api.v1.MemoService/GetMemoByShare"
)
cases := []struct {
name string
az *Authorizer
procedure string
result *auth.AuthResult
wantErr bool
}{
{"authenticated reaches protected method", privateInstance, protectedMethod, authenticated, false},
{"authenticated reaches public method on private instance", privateInstance, publicMethod, authenticated, false},
{"anonymous denied on protected method", openInstance, protectedMethod, nil, true},
{"anonymous allowed on public method, open instance", openInstance, publicMethod, nil, false},
{"anonymous denied on public method, private instance", privateInstance, publicMethod, nil, true},
{"anonymous allowed on bootstrap method, private instance", privateInstance, bootstrapMethod, nil, false},
{"anonymous allowed on share access, private instance", privateInstance, shareMethod, nil, false},
}
for _, c := range cases {
t.Run(c.name, func(t *testing.T) {
err := c.az.CheckAccess(ctx, c.procedure, c.result)
if c.wantErr {
assert.ErrorIs(t, err, ErrUnauthenticated)
} else {
assert.NoError(t, err)
}
})
}
}