2026-05-20 21:00:47 +08:00
|
|
|
import assert from 'node:assert/strict'
|
|
|
|
|
import test from 'node:test'
|
|
|
|
|
|
2026-05-21 09:28:33 +08:00
|
|
|
import {
|
|
|
|
|
canApproveLeaderExpenseClaims,
|
2026-05-26 09:15:14 +08:00
|
|
|
canAccessAppView,
|
|
|
|
|
canDeleteArchivedExpenseClaims,
|
2026-05-26 17:29:35 +08:00
|
|
|
canEditBudgetCenter,
|
2026-05-21 09:28:33 +08:00
|
|
|
canManageExpenseClaims,
|
2026-05-26 17:29:35 +08:00
|
|
|
canReturnExpenseClaims,
|
|
|
|
|
canSwitchBudgetDepartments
|
2026-05-21 09:28:33 +08:00
|
|
|
} from '../src/utils/accessControl.js'
|
|
|
|
|
import { canProcessApprovalRequest } from '../src/utils/approvalInbox.js'
|
2026-05-20 21:00:47 +08:00
|
|
|
|
|
|
|
|
test('direct approvers can return claims without receiving delete permissions', () => {
|
|
|
|
|
const managerUser = { roleCodes: ['manager'] }
|
|
|
|
|
const approverUser = { roleCodes: ['approver'] }
|
|
|
|
|
|
|
|
|
|
assert.equal(canReturnExpenseClaims(managerUser), true)
|
|
|
|
|
assert.equal(canReturnExpenseClaims(approverUser), true)
|
2026-05-21 09:28:33 +08:00
|
|
|
assert.equal(canApproveLeaderExpenseClaims(managerUser), true)
|
|
|
|
|
assert.equal(canApproveLeaderExpenseClaims(approverUser), true)
|
2026-05-20 21:00:47 +08:00
|
|
|
assert.equal(canManageExpenseClaims(managerUser), false)
|
|
|
|
|
assert.equal(canManageExpenseClaims(approverUser), false)
|
|
|
|
|
})
|
|
|
|
|
|
2026-05-21 09:28:33 +08:00
|
|
|
test('finance can return and final approve, but only executives can manage delete permissions', () => {
|
2026-05-20 21:00:47 +08:00
|
|
|
assert.equal(canReturnExpenseClaims({ roleCodes: ['finance'] }), true)
|
2026-05-21 09:28:33 +08:00
|
|
|
assert.equal(canApproveLeaderExpenseClaims({ roleCodes: ['finance'] }), false)
|
|
|
|
|
assert.equal(canManageExpenseClaims({ roleCodes: ['finance'] }), false)
|
2026-05-20 21:00:47 +08:00
|
|
|
assert.equal(canReturnExpenseClaims({ roleCodes: ['executive'] }), true)
|
|
|
|
|
assert.equal(canManageExpenseClaims({ roleCodes: ['executive'] }), true)
|
|
|
|
|
})
|
2026-05-21 09:28:33 +08:00
|
|
|
|
2026-05-26 09:15:14 +08:00
|
|
|
test('archived claims can only be deleted by admin users', () => {
|
|
|
|
|
assert.equal(canDeleteArchivedExpenseClaims({ roleCodes: ['executive'] }), false)
|
|
|
|
|
assert.equal(canDeleteArchivedExpenseClaims({ roleCodes: ['finance'] }), false)
|
|
|
|
|
assert.equal(canDeleteArchivedExpenseClaims({ isAdmin: true, roleCodes: ['manager'] }), true)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
test('legacy reimbursement approval and archive centers are no longer accessible app views', () => {
|
|
|
|
|
const adminUser = { isAdmin: true, roleCodes: ['manager', 'finance'] }
|
|
|
|
|
|
|
|
|
|
assert.equal(canAccessAppView(adminUser, 'requests'), false)
|
|
|
|
|
assert.equal(canAccessAppView(adminUser, 'approval'), false)
|
|
|
|
|
assert.equal(canAccessAppView(adminUser, 'archive'), false)
|
|
|
|
|
assert.equal(canAccessAppView(adminUser, 'documents'), true)
|
|
|
|
|
})
|
|
|
|
|
|
2026-05-26 17:29:35 +08:00
|
|
|
test('budget center is visible to platform admin, budget monitor, and executive roles only', () => {
|
|
|
|
|
assert.equal(canAccessAppView({ isAdmin: true, roleCodes: ['manager'] }, 'budget'), true)
|
|
|
|
|
assert.equal(canAccessAppView({ username: 'admin', roleCodes: ['manager'] }, 'budget'), true)
|
|
|
|
|
assert.equal(canAccessAppView({ roleCodes: ['budget_monitor'] }, 'budget'), true)
|
|
|
|
|
assert.equal(canAccessAppView({ roleCodes: ['auditor'] }, 'budget'), true)
|
|
|
|
|
assert.equal(canAccessAppView({ roleCodes: ['executive'] }, 'budget'), true)
|
|
|
|
|
assert.equal(canAccessAppView({ roleCodes: ['finance'] }, 'budget'), false)
|
|
|
|
|
assert.equal(canAccessAppView({ roleCodes: ['manager'] }, 'budget'), false)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
test('budget edit and department switching are limited to admin and senior finance', () => {
|
|
|
|
|
assert.equal(canEditBudgetCenter({ username: 'admin', roleCodes: ['manager'] }), true)
|
|
|
|
|
assert.equal(canSwitchBudgetDepartments({ username: 'admin', roleCodes: ['manager'] }), true)
|
|
|
|
|
assert.equal(canEditBudgetCenter({ roleCodes: ['executive'] }), true)
|
|
|
|
|
assert.equal(canSwitchBudgetDepartments({ roleCodes: ['executive'] }), true)
|
|
|
|
|
assert.equal(canEditBudgetCenter({ roleCodes: ['budget_monitor'] }), false)
|
|
|
|
|
assert.equal(canSwitchBudgetDepartments({ roleCodes: ['budget_monitor'] }), false)
|
|
|
|
|
})
|
|
|
|
|
|
2026-05-21 09:28:33 +08:00
|
|
|
test('finance approval inbox only processes finance-stage requests', () => {
|
|
|
|
|
const financeUser = { roleCodes: ['finance'], name: '财务' }
|
|
|
|
|
|
|
|
|
|
assert.equal(
|
|
|
|
|
canProcessApprovalRequest({ workflowNode: '财务审批', person: '张三' }, financeUser),
|
|
|
|
|
true
|
|
|
|
|
)
|
|
|
|
|
assert.equal(
|
|
|
|
|
canProcessApprovalRequest({ workflowNode: '直属领导审批', person: '张三' }, financeUser),
|
|
|
|
|
false
|
|
|
|
|
)
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
test('users with both finance and manager roles can process both relevant stages', () => {
|
|
|
|
|
const financeManagerUser = { roleCodes: ['finance', 'manager'], name: '李经理' }
|
|
|
|
|
|
|
|
|
|
assert.equal(
|
|
|
|
|
canProcessApprovalRequest({ workflowNode: '财务审批', person: '张三' }, financeManagerUser),
|
|
|
|
|
true
|
|
|
|
|
)
|
|
|
|
|
assert.equal(
|
|
|
|
|
canProcessApprovalRequest({ workflowNode: '直属领导审批', person: '张三' }, financeManagerUser),
|
|
|
|
|
true
|
|
|
|
|
)
|
|
|
|
|
})
|
