Files
collective-lists/supabase/tests/017_admin_rpcs.sql
Oier Bravo Urtasun 27afda74f1 feat(fase-13): admin UI + sidebar entry + isServerAdmin store + e2e SA-01..04
13.3 admin UI:
  - (admin) route group with own layout + red banner + sidebar (Collectives,
    Admins, Audit log, Server). +layout.ts is client-rendered (ssr=false),
    same rationale as the (app) group.
  - /admin/collectives — paginated list via admin_list_collectives, search
    by name, soft-delete / restore / hard-delete modals (hard-delete needs
    explicit checkbox; force toggle bypasses the 30-day wait server-side).
  - /admin/collectives/[id] — members list with kick action; recent actions
    for the collective filtered from admin_actions.
  - /admin/admins — list via server_admins join to users (disambiguated by
    FK name — there are TWO FKs to users so the embed needs the explicit
    server_admins_user_id_fkey); promote modal does an email lookup; revoke
    button is replaced by "you (cannot revoke yourself while sole admin)"
    when applicable.
  - /admin/audit — paginated feed (default 50), action filter.
  - /admin/server — server-layer default-section toggles backed by
    admin_set_default_section + the new admin_clear_default_section RPC
    (added because patching the JSONB to `true` is NOT equivalent to "no
    opinion" — `true` explicitly overrides a collective OFF).

13.4 sidebar/drawer entry:
  - $isServerAdmin store (writable; +$isServerAdminLoaded for the gate
    race) refreshed on every onAuthStateChange in root layout, cleared on
    sign-out. Cached so the sidebar tile is synchronous.
  - DesktopSidebar + MobileDrawer render the entry only when the store is
    true. Distinct red icon so it never blends with normal nav.

Stores wiring:
  - features.ts gains serverSectionDefaults writable + enabledSections
    derived now reads server > collective > user > default. Loader
    piggybacks on loadCurrentUserFeatures so the server layer is fetched
    once per sign-in.
  - serverAdmin.ts new module — refreshServerAdminFlag() + clearServerAdminFlag().
  - Tracks isServerAdminLoaded so the (admin) layout doesn't redirect away
    during the millisecond between SIGNED_IN and the RPC resolving (caught
    empirically — every hard-load to /admin/* bounced to / without it).

13.5 tests:
  - admin.test.ts (SA-01..SA-04) with new loginAsAdmin fixture. Ana is the
    seed admin (server_admins seeded via supabase/seed.sql).
  - SA-04 + SV-02 reset their server-layer JSONB via the new
    admin_clear_default_section RPC so the suites don't leak state into
    each other.

Migration 025 adds admin_clear_default_section(text) — same SECURITY DEFINER
+ audit pattern as the rest. pgTAP 017 updated (23 plans, AR-T13b + the
SECURITY DEFINER list now includes the clear RPC).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-18 05:30:56 +02:00

222 lines
8.2 KiB
PL/PgSQL

-- pgTAP: admin RPCs + server_settings + section_enabled() server layer (Fase 13.2)
-- Run with: psql -U postgres -d postgres -f supabase/tests/017_admin_rpcs.sql
--
-- Verifies schema-level invariants on the new RPCs and the server_settings
-- table. Runtime behaviour (denied-for-non-admin, audit writes, last-admin
-- guard, hard-delete cascade) lives in the Vitest integration suite — pgTAP
-- runs as postgres so the SECURITY DEFINER `is_server_admin` check passes
-- vacuously, making these tests structural only.
CREATE EXTENSION IF NOT EXISTS pgtap;
BEGIN;
SELECT plan(23);
-- ── server_settings table ──────────────────────────────────────────────────
SELECT has_table(
'public', 'server_settings',
'AR-T01: public.server_settings table exists'
);
SELECT col_is_pk(
'public', 'server_settings', 'key',
'AR-T02: server_settings.key is the primary key'
);
SELECT col_type_is(
'public', 'server_settings', 'value', 'jsonb',
'AR-T03: server_settings.value is jsonb'
);
SELECT ok(
(SELECT relrowsecurity FROM pg_class
WHERE relname = 'server_settings' AND relnamespace = 'public'::regnamespace),
'AR-T04: RLS enabled on server_settings'
);
-- Read-allowed to anyone (server-layer flags need to be evaluable from a
-- non-admin session inside section_enabled). Writes are admin-only via RPC.
SELECT results_eq(
$$ SELECT cmd::text FROM pg_policies
WHERE schemaname = 'public' AND tablename = 'server_settings'
ORDER BY cmd $$,
$$ VALUES ('SELECT') $$,
'AR-T05: server_settings has exactly one policy and it is SELECT-only'
);
-- ── RPC existence + SECURITY DEFINER posture ───────────────────────────────
SELECT has_function(
'public', 'grant_server_admin', ARRAY['uuid'],
'AR-T06: grant_server_admin(uuid) exists'
);
SELECT has_function(
'public', 'revoke_server_admin', ARRAY['uuid'],
'AR-T07: revoke_server_admin(uuid) exists'
);
SELECT has_function(
'public', 'admin_list_collectives', ARRAY['text', 'integer'],
'AR-T08: admin_list_collectives(text, int) exists'
);
SELECT has_function(
'public', 'admin_soft_delete_collective', ARRAY['uuid', 'text'],
'AR-T09: admin_soft_delete_collective(uuid, text) exists'
);
SELECT has_function(
'public', 'admin_restore_collective', ARRAY['uuid'],
'AR-T10: admin_restore_collective(uuid) exists'
);
SELECT has_function(
'public', 'admin_hard_delete_collective', ARRAY['uuid', 'boolean'],
'AR-T11: admin_hard_delete_collective(uuid, boolean) exists'
);
SELECT has_function(
'public', 'admin_remove_member', ARRAY['uuid', 'uuid', 'text'],
'AR-T12: admin_remove_member(uuid, uuid, text) exists'
);
SELECT has_function(
'public', 'admin_set_default_section', ARRAY['text', 'boolean'],
'AR-T13: admin_set_default_section(text, boolean) exists'
);
SELECT has_function(
'public', 'admin_clear_default_section', ARRAY['text'],
'AR-T13b: admin_clear_default_section(text) exists'
);
-- Every admin_* function plus grant/revoke MUST be SECURITY DEFINER so the
-- `if not is_server_admin() then raise` guard is the gate, not RLS.
SELECT results_eq(
$$ SELECT proname::text COLLATE "C" FROM pg_proc
WHERE pronamespace = 'public'::regnamespace
AND (proname LIKE 'admin\_%' OR proname IN ('grant_server_admin','revoke_server_admin'))
AND prosecdef = true
ORDER BY proname COLLATE "C" $$,
$$ VALUES
('admin_clear_default_section'::text COLLATE "C"),
('admin_hard_delete_collective'::text COLLATE "C"),
('admin_list_collectives'::text COLLATE "C"),
('admin_remove_member'::text COLLATE "C"),
('admin_restore_collective'::text COLLATE "C"),
('admin_set_default_section'::text COLLATE "C"),
('admin_soft_delete_collective'::text COLLATE "C"),
('grant_server_admin'::text COLLATE "C"),
('revoke_server_admin'::text COLLATE "C")
$$,
'AR-T14: every privileged RPC is SECURITY DEFINER (exact list)'
);
-- ── collectives.deleted_at column added by this migration ──────────────────
SELECT has_column(
'public', 'collectives', 'deleted_at',
'AR-T15: collectives.deleted_at column exists'
);
SELECT col_type_is(
'public', 'collectives', 'deleted_at', 'timestamp with time zone',
'AR-T16: collectives.deleted_at is timestamptz'
);
-- ── section_enabled() extended with server layer ───────────────────────────
-- Behavioural assertions: with no server flag set, falls through to the
-- collective/user/default layers (Fase 12 contract preserved). With a server
-- flag of false, returns false regardless of any lower layer.
-- Ensure a clean slate on every layer.
DELETE FROM public.server_settings WHERE key = 'default_sections';
UPDATE public.users SET feature_flags = '{}'::jsonb WHERE id = '11111111-1111-1111-1111-111111111111';
UPDATE public.collectives SET feature_flags = '{}'::jsonb WHERE id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
-- AR-T17: server absent + everything else absent → true (default ON preserved).
SELECT is(
public.section_enabled(
'tasks',
'11111111-1111-1111-1111-111111111111',
'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
),
true,
'AR-T17: with no flags anywhere, section_enabled returns true'
);
-- AR-T18: server OFF beats collective ON beats user ON.
UPDATE public.users SET feature_flags = '{"notes": true}'::jsonb WHERE id = '11111111-1111-1111-1111-111111111111';
UPDATE public.collectives SET feature_flags = '{"notes": true}'::jsonb WHERE id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
INSERT INTO public.server_settings (key, value)
VALUES ('default_sections', '{"notes": false}'::jsonb)
ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value;
SELECT is(
public.section_enabled(
'notes',
'11111111-1111-1111-1111-111111111111',
'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
),
false,
'AR-T18: server OFF wins over collective ON and user ON'
);
-- AR-T19: server ON over collective OFF — server is the top layer; if it
-- explicitly turns a section ON we want that to win too.
UPDATE public.collectives SET feature_flags = '{"notes": false}'::jsonb WHERE id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
UPDATE public.server_settings SET value = '{"notes": true}'::jsonb WHERE key = 'default_sections';
SELECT is(
public.section_enabled(
'notes',
'11111111-1111-1111-1111-111111111111',
'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
),
true,
'AR-T19: server ON wins over collective OFF'
);
-- AR-T20: server "no opinion" (key absent inside the JSONB) → fall through
-- to collective layer.
UPDATE public.server_settings SET value = '{}'::jsonb WHERE key = 'default_sections';
UPDATE public.collectives SET feature_flags = '{"notes": false}'::jsonb WHERE id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
SELECT is(
public.section_enabled(
'notes',
'11111111-1111-1111-1111-111111111111',
'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
),
false,
'AR-T20: server with no opinion falls through to collective'
);
-- AR-T21: a row missing entirely in server_settings still behaves like
-- "no opinion".
DELETE FROM public.server_settings WHERE key = 'default_sections';
UPDATE public.collectives SET feature_flags = '{}'::jsonb WHERE id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
UPDATE public.users SET feature_flags = '{"tasks": false}'::jsonb WHERE id = '11111111-1111-1111-1111-111111111111';
SELECT is(
public.section_enabled(
'tasks',
'11111111-1111-1111-1111-111111111111',
'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
),
false,
'AR-T21: missing server_settings row equals no-opinion, user layer wins'
);
-- AR-T22: the function is still STABLE (no behavioural side effects, planner
-- can cache within a statement).
SELECT volatility_is(
'public', 'section_enabled', ARRAY['text', 'uuid', 'uuid'], 'stable',
'AR-T22: section_enabled() remains STABLE after server-layer extension'
);
SELECT * FROM finish();
ROLLBACK;