From d511c22df05c83e9fb7600e23660dbe4188cf283 Mon Sep 17 00:00:00 2001 From: Mashbean Date: Fri, 29 May 2026 11:05:08 +0800 Subject: [PATCH 1/2] test: cover community watch permission boundaries --- .../communityWatchRemoveComment.test.ts | 9 ++++++++ src/types/__test__/2/system.test.ts | 14 +++++++++++ src/types/__test__/2/user/user.test.ts | 23 +++++++++++++++++++ 3 files changed, 46 insertions(+) diff --git a/src/common/utils/__test__/communityWatchRemoveComment.test.ts b/src/common/utils/__test__/communityWatchRemoveComment.test.ts index 3a8584dc3..eb700b2ac 100644 --- a/src/common/utils/__test__/communityWatchRemoveComment.test.ts +++ b/src/common/utils/__test__/communityWatchRemoveComment.test.ts @@ -284,6 +284,15 @@ describe('communityWatchRemoveComment', () => { ) }) + test('rejects frozen community watch users before loading the comment', async () => { + const { context } = createContext({ viewerState: USER_STATE.frozen }) + + await expect(removeComment(context)).rejects.toHaveProperty( + 'extensions.code', + 'FORBIDDEN_BY_STATE' + ) + }) + test('rejects non-comment targets', async () => { const { context } = createContext() diff --git a/src/types/__test__/2/system.test.ts b/src/types/__test__/2/system.test.ts index dac9762f4..bd9349884 100644 --- a/src/types/__test__/2/system.test.ts +++ b/src/types/__test__/2/system.test.ts @@ -1422,6 +1422,20 @@ describe('submitReport', () => { } ` + test('rejects non-admin users from OSS reports', async () => { + const server = await testClient({ + isAuth: true, + connections, + }) + const { errors, data } = await server.executeOperation({ + query: GET_REPORTS, + variables: { input: { first: 1, filter: { source: 'community_watch' } } }, + }) + + expect(errors?.[0].extensions.code).toBe('FORBIDDEN') + expect(data).toBe(null) + }) + test('submit report successfully', async () => { const server = await testClient({ isAuth: true, 
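Review bot: The new test's title promises that frozen viewers are rejected "before loading the comment", but the only assertion is on the rejection code, so an implementation that loads the comment first and rejects afterwards would pass unchanged. If `createContext` also returns the comment loader or data-source mock (its result is destructured here, so it may expose more than `context`), add `expect(loadCommentMock).not.toHaveBeenCalled()` after the rejection assertion; otherwise drop "before loading the comment" from the title so the test does not claim an ordering it does not verify. Only `USER_STATE.frozen` is covered; if other non-active states should be refused the same way, a `test.each` over those states would pin that too. The enclosing `describe('communityWatchRemoveComment')` starts outside this hunk.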
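Review bot: The forbidden check for OSS reports exercises only an authenticated non-admin viewer (`isAuth: true`), so a guard that keys on the presence of a viewer rather than on the admin role would still pass; the anonymous path is not covered. Consider running the same query with `isAuth: false` as well, e.g. `test.each([false, true])('rejects non-admin users from OSS reports (isAuth=%s)', async (isAuth) => { … testClient({ isAuth, connections }) … })`, asserting `data` is null in both runs and whichever error code the resolver returns for an anonymous viewer (not visible here, so it may differ from `FORBIDDEN`). As a smaller point, this test lives inside `describe('submitReport')` but sends `GET_REPORTS`; a separate describe for report listing would make a failure easier to locate. The enclosing describe block starts outside this hunk.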
diff --git a/src/types/__test__/2/user/user.test.ts b/src/types/__test__/2/user/user.test.ts index 6bbdfe3bd..79ef4c070 100644 --- a/src/types/__test__/2/user/user.test.ts +++ b/src/types/__test__/2/user/user.test.ts @@ -1028,6 +1028,29 @@ describe('update user state', () => { const activeUser1Email = 'test2@matters.news' const activeUser2Email = 'test3@matters.news' + test('non-admin users can not update user state', async () => { + const UPDATE_USER_STATE = /* GraphQL */ ` + mutation ($input: UpdateUserStateInput!) { + updateUserState(input: $input) { + id + } + } + ` + const server = await testClient({ isAuth: true, connections }) + const { errors, data } = await server.executeOperation({ + query: UPDATE_USER_STATE, + variables: { + input: { + id: activeUser1Id, + state: USER_STATE.frozen, + }, + }, + }) + + expect(errors?.[0].extensions.code).toBe('FORBIDDEN') + expect(data).toBe(null) + }) + test('archive user should provide viewer passwd', async () => { const { errors } = await updateUserState( { id, state: USER_STATE.archived }, From 13e6cf527ee83a5d21f5a5b9f98f626c19715e30 Mon Sep 17 00:00:00 2001 From: Mashbean Date: Fri, 29 May 2026 11:22:24 +0800 Subject: [PATCH 2/2] test: align forbidden update user state assertion --- src/types/__test__/2/user/user.test.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/types/__test__/2/user/user.test.ts b/src/types/__test__/2/user/user.test.ts index 79ef4c070..158937bf4 100644 --- a/src/types/__test__/2/user/user.test.ts +++ b/src/types/__test__/2/user/user.test.ts @@ -1048,7 +1048,7 @@ describe('update user state', () => { }) expect(errors?.[0].extensions.code).toBe('FORBIDDEN') - expect(data).toBe(null) + expect(data.updateUserState).toBe(null) }) test('archive user should provide viewer passwd', async () => {
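Review bot: A `FORBIDDEN` error proves the resolver refused the call, but nothing in the new test checks that `activeUser1Id` was left untouched, which is the property a permission-boundary test is really guarding against (an authorization check that runs after the write would still return an error). After the error assertions, re-read the target user through whatever state query this file already uses (not visible in the hunk) and assert its state is still the fixture's value rather than `USER_STATE.frozen`. The inline `UPDATE_USER_STATE` document also duplicates the mutation sent by the `updateUserState` helper used two lines below; if that helper lets the caller pick the client, reusing it keeps the selection set in one place. The enclosing `describe('update user state')` starts outside this hunk.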
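Review bot: `expect(data.updateUserState).toBe(null)` dereferences `data` with no guard, so if the server ever answers the forbidden mutation with `data: null` (which is what the first patch in this series expected) the test dies with a TypeError instead of a readable assertion failure, and if `executeOperation` types `data` as nullable the access may not pass `strictNullChecks`. Asserting the whole shape, `expect(data).toEqual({ updateUserState: null })`, is stricter and fails cleanly in both cases. The enclosing test body and `describe('update user state')` start outside this hunk.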