pinakes-server: add more route tests

Signed-off-by: NotAShelf <raf@notashelf.dev> Change-Id: Ief16a2b3181bfa50193fb69a5ad4a9166a6a6964
2026-03-21 15:32:59 +03:00 · 2026-03-21 15:32:59 +03:00 · cee172fcc3
commit cee172fcc3
parent db2d02a323
5 changed files with 295 additions and 8 deletions
--- a/crates/pinakes-server/tests/enrichment.rs
+++ b/crates/pinakes-server/tests/enrichment.rs
@ -2,9 +2,13 @@ mod common;

 use axum::http::StatusCode;
 use common::{
+  delete_authed,
  get,
  get_authed,
+  patch_json_authed,
  post_json_authed,
+  put_json_authed,
+  response_body,
  setup_app,
  setup_app_with_auth,
 };
@ -141,3 +145,66 @@ async fn get_external_metadata_auth_disabled() {
      || response.status() == StatusCode::NOT_FOUND
  );
 }
+
+// RBAC enforcement for editor-level HTTP methods
+
+#[tokio::test]
+async fn batch_enrich_response_has_job_id() {
+  let (app, _, editor_token, _) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(post_json_authed(
+      "/api/v1/jobs/enrich",
+      r#"{"media_ids":["00000000-0000-0000-0000-000000000000"]}"#,
+      &editor_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::OK);
+  let body = response_body(response).await;
+  // Route queues a job and returns a job identifier
+  assert!(
+    body["job_id"].is_string() || body["id"].is_string(),
+    "expected job identifier in response: {body}"
+  );
+}
+
+#[tokio::test]
+async fn delete_tag_requires_editor() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(delete_authed(
+      "/api/v1/tags/00000000-0000-0000-0000-000000000000",
+      &viewer_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn update_media_requires_editor() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(patch_json_authed(
+      "/api/v1/media/00000000-0000-0000-0000-000000000000",
+      r#"{"title":"new title"}"#,
+      &viewer_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}
+
+#[tokio::test]
+async fn update_sync_device_requires_editor() {
+  let (app, _, _, viewer_token) = setup_app_with_auth().await;
+  let response = app
+    .oneshot(put_json_authed(
+      "/api/v1/sync/devices/00000000-0000-0000-0000-000000000000",
+      r#"{"name":"my device"}"#,
+      &viewer_token,
+    ))
+    .await
+    .unwrap();
+  assert_eq!(response.status(), StatusCode::FORBIDDEN);
+}