tududi/backend/tests/integration/permissions-projects.test.js

const request = require('supertest');
const app = require('../../app');
const { Project } = require('../../models');
const { createTestUser } = require('../helpers/testUtils');

describe('Projects Permissions', () => {
    let user, otherUser, agent;

    beforeEach(async () => {
        user = await createTestUser({
            email: `user_${Date.now()}@example.com`,
        });
        otherUser = await createTestUser({
            email: `other_${Date.now()}@example.com`,
        });

        agent = request.agent(app);
        await agent
            .post('/api/login')
            .send({ email: user.email, password: 'password123' });
    });

    it("GET /api/project/:uidSlug should return 403 for other user's project", async () => {
        const otherProject = await Project.create({
            name: 'Other Project',
            user_id: otherUser.id,
        });
        const slugged = otherProject.name.toLowerCase().replace(/\s+/g, '-');
        const uidSlug = `${otherProject.uid}-${slugged}`;

        const res = await agent.get(`/api/project/${uidSlug}`);
        expect(res.status).toBe(403);
        expect(res.body.error).toBe('Forbidden');
    });
});