Update test cases and improve account actioning

This commit refactors Supabase test cases to reflect the updated account actioning mechanism. The "makerkit.get_user_id" function calls were replaced with the new "tests.get_supabase_uid" function, aligning with the testing structure update. It also introduces new policies which further refine user role actions with more precise checks, replacing the old 'delete' policy with the more comprehensive 'can_action_account_member' function. New test cases for updating memberships and deleting memberships have also been added.

apps/web/supabase/tests/database/00000-makerkit-helpers.sql

@@ -15,6 +15,8 @@ create or replace function makerkit.set_identifier(
   user_email text
 )
   returns text
+  security definer
+  set search_path = auth, pg_temp
   as $$
 begin
  update auth.users set raw_user_meta_data = jsonb_build_object('test_identifier', identifier)
@@ -65,25 +67,6 @@ end;
 
 $$ language PLPGSQL;
 
-create or replace function makerkit.get_user_id(
-  user_email text
-)
-  returns uuid
-  as $$
-begin
-
-    return
-      (select
-         primary_owner_user_id
-       from
-         accounts
-       where
-         email = user_email);
-
-end;
-
-$$ language PLPGSQL;
-
 begin;
 
 select plan(1);

apps/web/supabase/tests/database/account-permissions.test.sql

@@ -75,7 +75,7 @@ select throws_ok(
 update public.accounts_memberships
     set account_role = 'custom-role'
     where account_id = makerkit.get_account_id_by_slug('test')
-        and user_id = makerkit.get_user_id('test1@test.com');
+        and user_id = tests.get_supabase_uid('test1');
 
 set local role postgres;
 

apps/web/supabase/tests/database/delete-membership.test.sql

@@ -0,0 +1,94 @@
+begin;
+create extension "basejump-supabase_test_helpers" version '0.0.6';
+
+select no_plan();
+
+select makerkit.set_identifier('primary_owner', 'test@makerkit.dev');
+select makerkit.set_identifier('owner', 'owner@makerkit.dev');
+select makerkit.set_identifier('member', 'member@makerkit.dev');
+select makerkit.set_identifier('custom', 'custom@makerkit.dev');
+
+-- another user not in the team
+select tests.create_supabase_user('test', 'test@supabase.com');
+
+-- an owner cannot remove the primary owner
+select tests.authenticate_as('owner');
+
+select throws_ok(
+   $$ delete from public.accounts_memberships
+    where account_id = makerkit.get_account_id_by_slug('makerkit')
+    and user_id = '31a03e74-1639-45b6-bfa7-77447f1a4762' $$,
+   'The primary account owner cannot be actioned'
+);
+
+-- an owner can remove accounts with lower roles
+select lives_ok(
+   $$ delete from public.accounts_memberships
+      where account_id = makerkit.get_account_id_by_slug('makerkit')
+      and user_id = '6b83d656-e4ab-48e3-a062-c0c54a427368' $$,
+    'Owner should be able to remove a member'
+);
+
+-- a member cannot remove a member with a higher role
+select tests.authenticate_as('member');
+
+-- delete a membership record where the user is a higher role than the current user
+select throws_ok(
+   $$ delete from public.accounts_memberships
+    where account_id = makerkit.get_account_id_by_slug('makerkit')
+    and user_id = '5c064f1b-78ee-4e1c-ac3b-e99aa97c99bf' $$,
+    'You do not have permission to action a member from this account'
+);
+
+-- an primary_owner cannot remove themselves
+select tests.authenticate_as('primary_owner');
+
+select throws_ok(
+    $$ delete from public.accounts_memberships
+       where account_id = makerkit.get_account_id_by_slug('makerkit')
+       and user_id = '31a03e74-1639-45b6-bfa7-77447f1a4762' $$,
+    'The primary account owner cannot be removed from the account membership list'
+);
+
+-- a primary_owner can remove another member
+select lives_ok(
+   $$ delete from public.accounts_memberships
+    where account_id = makerkit.get_account_id_by_slug('makerkit')
+    and user_id = 'b73eb03e-fb7a-424d-84ff-18e2791ce0b4'; $$,
+    'Primary owner should be able to remove another member'
+);
+
+-- foreigners
+
+-- a user not in the account cannot remove a member
+
+select tests.authenticate_as('test');
+
+select throws_ok(
+    $$ delete from public.accounts_memberships
+      where account_id = '5deaa894-2094-4da3-b4fd-1fada0809d1c'
+      and user_id = tests.get_supabase_uid('owner'); $$,
+      'You do not have permission to action a member from this account'
+ );
+
+select tests.authenticate_as('owner');
+
+select isnt_empty(
+    $$ select 1 from public.accounts_memberships
+    where account_id = '5deaa894-2094-4da3-b4fd-1fada0809d1c'
+    and user_id = tests.get_supabase_uid('owner'); $$,
+    'Foreigners should not be able to remove members');
+
+select tests.authenticate_as('test');
+
+-- a user not in the account cannot remove themselves
+select throws_ok(
+   $$ delete from public.accounts_memberships
+   where account_id = makerkit.get_account_id_by_slug('makerkit')
+   and user_id = auth.uid(); $$,
+    'You do not have permission to action a member from this account'
+);
+
+select * from finish();
+
+rollback;

apps/web/supabase/tests/database/remove-membership.test.sql

@@ -1,10 +0,0 @@
-begin;
-create extension "basejump-supabase_test_helpers" version '0.0.6';
-
-select no_plan();
-
--- test
-
-select * from finish();
-
-rollback;

apps/web/supabase/tests/database/transfer-ownership.test.sql

@@ -18,7 +18,7 @@ select tests.authenticate_as('primary_owner');
 select throws_ok(
     $$ select public.transfer_team_account_ownership(
         makerkit.get_account_id_by_slug('makerkit'),
-        makerkit.get_user_id('custom@makerkit.dev')
+        tests.get_supabase_uid('custom')
     ) $$,
     'permission denied for function transfer_team_account_ownership'
 );
@@ -29,7 +29,7 @@ set local role service_role;
 select throws_ok(
     $$ select public.transfer_team_account_ownership(
         makerkit.get_account_id_by_slug('makerkit'),
-        makerkit.get_user_id('test@supabase.com')
+        tests.get_supabase_uid('test')
     ) $$,
     'The new owner must be a member of the account'
 );
@@ -38,14 +38,14 @@ select throws_ok(
 select lives_ok(
     $$ select public.transfer_team_account_ownership(
         makerkit.get_account_id_by_slug('makerkit'),
-        makerkit.get_user_id('owner@makerkit.dev')
+        tests.get_supabase_uid('owner')
     ) $$
 );
 
 -- check the account owner has been updated
 select row_eq(
     $$ select primary_owner_user_id from public.accounts where id = makerkit.get_account_id_by_slug('makerkit') $$,
-    row(makerkit.get_user_id('owner@makerkit.dev')),
+    row(tests.get_supabase_uid('owner')),
     'The account owner should be updated'
 );
 
@@ -54,7 +54,7 @@ select row_eq(
 select lives_ok(
     $$ select public.transfer_team_account_ownership(
         makerkit.get_account_id_by_slug('makerkit'),
-        makerkit.get_user_id('member@makerkit.dev')
+        tests.get_supabase_uid('member')
     ) $$
 );
 
@@ -62,20 +62,12 @@ select lives_ok(
 select row_eq(
     $$ select account_role from public.accounts_memberships
        where account_id = makerkit.get_account_id_by_slug('makerkit')
-       and user_id = makerkit.get_user_id('member@makerkit.dev');
+       and user_id = tests.get_supabase_uid('member');
     $$,
     row('owner'::varchar),
     'The account owner should be updated'
 );
 
--- rollback
-select lives_ok(
-    $$ select public.transfer_team_account_ownership(
-        makerkit.get_account_id_by_slug('makerkit'),
-        makerkit.get_user_id('test@makerkit.dev')
-    ) $$
-);
-
 select * from finish();
 
 rollback;

apps/web/supabase/tests/database/update-membership.test.sql

@@ -0,0 +1,27 @@
+begin;
+create extension "basejump-supabase_test_helpers" version '0.0.6';
+
+select no_plan();
+
+select makerkit.set_identifier('primary_owner', 'test@makerkit.dev');
+select makerkit.set_identifier('owner', 'owner@makerkit.dev');
+select makerkit.set_identifier('member', 'member@makerkit.dev');
+select makerkit.set_identifier('custom', 'custom@makerkit.dev');
+
+-- another user not in the team
+select tests.create_supabase_user('test', 'test@supabase.com');
+
+select tests.authenticate_as('member');
+
+-- run an update query
+update public.accounts_memberships set account_role = 'owner' where user_id = auth.uid() and account_id = makerkit.get_account_id_by_slug('makerkit');
+
+select row_eq(
+    $$ select account_role from public.accounts_memberships where user_id = auth.uid() and account_id = makerkit.get_account_id_by_slug('makerkit'); $$,
+    row('member'::varchar),
+    'Updates fail silently to any field of the accounts_membership table'
+);
+
+select * from finish();
+
+rollback;

apps/web/supabase/tests/database/update-role.test.sql

@@ -1,10 +0,0 @@
-begin;
-create extension "basejump-supabase_test_helpers" version '0.0.6';
-
-select no_plan();
-
--- test
-
-select * from finish();
-
-rollback;