From 4e3811e69e61a032921d8d5a339a567e92d7f653 Mon Sep 17 00:00:00 2001
From: rcourtman <courtmanr@gmail.com>
Date: Wed, 4 Feb 2026 15:21:02 +0000
Subject: [PATCH] Cover RBAC mutations in permission denial tests

---
 internal/api/security_regression_test.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/internal/api/security_regression_test.go b/internal/api/security_regression_test.go
index 9b0dd3f79..ae1e0652d 100644
--- a/internal/api/security_regression_test.go
+++ b/internal/api/security_regression_test.go
@@ -2542,8 +2542,14 @@ func TestPermissionProtectedEndpointsDenyWhenAuthorizerBlocks(t *testing.T) {
 		{method: http.MethodGet, path: "/api/audit/event-1/verify", body: ""},
 		{method: http.MethodGet, path: "/api/admin/roles", body: ""},
 		{method: http.MethodGet, path: "/api/admin/roles/", body: ""},
+		{method: http.MethodPost, path: "/api/admin/roles", body: `{"id":"role-1","name":"Role 1"}`},
+		{method: http.MethodPut, path: "/api/admin/roles/role-1", body: `{"id":"role-1","name":"Role 1"}`},
+		{method: http.MethodDelete, path: "/api/admin/roles/role-1", body: ""},
 		{method: http.MethodGet, path: "/api/admin/users", body: ""},
 		{method: http.MethodGet, path: "/api/admin/users/", body: ""},
+		{method: http.MethodPut, path: "/api/admin/users/alice/roles", body: `{"roleIds":["role-1"]}`},
+		{method: http.MethodPost, path: "/api/admin/users/alice/roles", body: `{"roleIds":["role-1"]}`},
+		{method: http.MethodGet, path: "/api/admin/users/alice/permissions", body: ""},
 		{method: http.MethodGet, path: "/api/admin/reports/generate", body: ""},
 		{method: http.MethodPost, path: "/api/admin/reports/generate-multi", body: `{}`},
 		{method: http.MethodGet, path: "/api/admin/webhooks/audit", body: ""},