Fix scoped access checks

2026-04-25 14:36:55 +02:00 · 2026-04-25 14:36:55 +02:00 · e0efb65efb
commit e0efb65efb
parent d90a8fd560
7 changed files with 84 additions and 19 deletions
--- a/tests/api/security.test.ts
+++ b/tests/api/security.test.ts
@ -57,10 +57,16 @@ describe('Security: cross-user access', () => {

      expect(response.status).toBe(200)
      expect(data).toHaveLength(1)
-      // Verify the query filtered by user_id
+      // Verify the query includes owned products and products shared through membership.
      expect(mockPrisma.product.findMany).toHaveBeenCalledWith(
        expect.objectContaining({
-          where: expect.objectContaining({ user_id: 'user-1' }),
+          where: expect.objectContaining({
+            archived: false,
+            OR: expect.arrayContaining([
+              { user_id: 'user-1' },
+              { members: { some: { user_id: 'user-1' } } },
+            ]),
+          }),
        })
      )
    })