// Authorization tests for JobApplicationsController: data created by one user must not be
// readable through a context whose current user is a different user.
//
// NOTE(review): generic type arguments appear to have been stripped from this listing
// (e.g. `new Mock()`, `Mock.Of()`, `new DbContextOptionsBuilder()`, `Assert.IsType(result.Result)`,
// `NullLogger.Instance`) — restore them from the repository before treating this text as
// compilable code.
using JobTrackerApi.Controllers;
using JobTrackerApi.Data;
using JobTrackerApi.Models;
using JobTrackerApi.Services;
using JobTrackerApi.Tests.TestSupport;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using Xunit;

namespace JobTrackerApi.Tests;

public sealed class JobApplicationsAuthorizationTests
{
    // Seeds a company, a job application and one job event as "owner-1", then requests the
    // job's history through a context whose current user is "other-user". The expected
    // outcome is a not-found result: the other user's job is neither returned nor its
    // existence confirmed, which is the behaviour a defender wants for cross-user lookups.
    [Fact]
    public async Task GetHistory_returns_not_found_for_other_users_job()
    {
        // Both contexts share one in-memory database name, so the "attacker" context sees the
        // same rows as the owner context; the only thing that differs is the current-user id.
        var dbName = Guid.NewGuid().ToString();
        await using var ownerDb = CreateDb(dbName, "owner-1");

        var company = new Company { Name = "Acme", OwnerUserId = "owner-1" };
        ownerDb.Companies.Add(company);
        await ownerDb.SaveChangesAsync();

        // Saved separately so company.Id is populated before it is referenced by the job.
        var job = new JobApplication { JobTitle = "Secret Job", CompanyId = company.Id, OwnerUserId = "owner-1" };
        ownerDb.JobApplications.Add(job);
        await ownerDb.SaveChangesAsync();

        ownerDb.JobEvents.Add(new JobEvent { JobApplicationId = job.Id, Type = "Created", Note = "owner only" });
        await ownerDb.SaveChangesAsync();

        // Same database, different identity: the controller is asked for an id that exists
        // but belongs to someone else.
        await using var attackerDb = CreateDb(dbName, "other-user");
        var controller = CreateController(attackerDb);

        var result = await controller.GetHistory(job.Id, CancellationToken.None);

        // How JobTrackerContext scopes rows to OwnerUserId (e.g. a global query filter keyed on
        // the current-user service) is not visible in this file — confirm against the context
        // if this assertion starts failing. The stripped generic argument here presumably names
        // the not-found result type; verify against the repository.
        Assert.IsType(result.Result);
    }

    // Builds a JobTrackerContext over the named in-memory database with a mocked current-user
    // service whose UserId returns the supplied value (null is allowed, representing an
    // anonymous caller). Two contexts created with the same dbName share data.
    private static JobTrackerContext CreateDb(string dbName, string? userId)
    {
        var options = new DbContextOptionsBuilder()
            .UseInMemoryDatabase(dbName)
            .Options;
        var currentUser = new Mock();
        currentUser.SetupGet(service => service.UserId).Returns(userId);
        return new JobTrackerContext(options, currentUser.Object);
    }

    // Builds the controller under test with mocked collaborators and a bare DefaultHttpContext.
    // No principal is attached to that HttpContext, so the test presumably relies on the
    // context-level current-user identity rather than on HttpContext.User — confirm against
    // the controller if its actions ever read the principal directly.
    private static JobApplicationsController CreateController(JobTrackerContext db)
    {
        var summarizer = new Mock();
        var users = TestHostFactory.CreateUserManager();
        return new JobApplicationsController(db, summarizer.Object, Mock.Of(), users.Object, NullLogger.Instance)
        {
            ControllerContext = new ControllerContext { HttpContext = new DefaultHttpContext() }
        };
    }
}