Cover RBAC mutations in permission denial tests

2026-04-29 20:10:21 +00:00 · 2026-02-04 15:21:02 +00:00 · 2026-02-04 15:21:02 +00:00 · 4e3811e69e
commit 4e3811e69e
parent 895a7e07e2
1 changed files with 6 additions and 0 deletions
--- a/internal/api/security_regression_test.go
+++ b/internal/api/security_regression_test.go
@ -2542,8 +2542,14 @@ func TestPermissionProtectedEndpointsDenyWhenAuthorizerBlocks(t *testing.T) {
 		{method: http.MethodGet, path: "/api/audit/event-1/verify", body: ""},
 		{method: http.MethodGet, path: "/api/admin/roles", body: ""},
 		{method: http.MethodGet, path: "/api/admin/roles/", body: ""},
+		{method: http.MethodPost, path: "/api/admin/roles", body: `{"id":"role-1","name":"Role 1"}`},
+		{method: http.MethodPut, path: "/api/admin/roles/role-1", body: `{"id":"role-1","name":"Role 1"}`},
+		{method: http.MethodDelete, path: "/api/admin/roles/role-1", body: ""},
 		{method: http.MethodGet, path: "/api/admin/users", body: ""},
 		{method: http.MethodGet, path: "/api/admin/users/", body: ""},
+		{method: http.MethodPut, path: "/api/admin/users/alice/roles", body: `{"roleIds":["role-1"]}`},
+		{method: http.MethodPost, path: "/api/admin/users/alice/roles", body: `{"roleIds":["role-1"]}`},
+		{method: http.MethodGet, path: "/api/admin/users/alice/permissions", body: ""},
 		{method: http.MethodGet, path: "/api/admin/reports/generate", body: ""},
 		{method: http.MethodPost, path: "/api/admin/reports/generate-multi", body: `{}`},
 		{method: http.MethodGet, path: "/api/admin/webhooks/audit", body: ""},