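use crate::harness::TestHarness;

// Role-based access tests for community routes under `/p/test/...`.
//
// Each test builds its own fixtures through `TestHarness`, then issues requests with
// `h.client`. The negative tests rely on the most recent `login_as` call deciding
// which user the client acts as (presumably it switches the session; confirm in the harness).
//
// NOTE(review): the negative tests assert only on the HTTP status. They do not check
// that the thread stayed unpinned or that no category row was written. A follow-up
// state assertion would catch a handler that performs the action before rejecting.

/// A plain member must be refused when POSTing to a thread's pin route (HTTP 403).
#[tokio::test]
async fn non_mod_cannot_pin() {
    let mut h = TestHarness::new().await;
    let owner_id = h.login_as("owner").await;
    let comm_id = h.create_community("Test", "test").await;
    let cat_id = h.create_category(comm_id, "General", "general").await;
    h.add_membership(owner_id, comm_id, "owner").await;

    let thread_id = h
        .create_thread_with_post(cat_id, owner_id, "Pin Test", "Body")
        .await;

    // Login as a regular member
    let member_id = h.login_as("member").await;
    h.add_membership(member_id, comm_id, "member").await;

    // Load the thread page before posting. Presumably this lets the client pick up a
    // CSRF token, as the explicit "Get CSRF" step in `non_owner_cannot_create_category` does.
    // NOTE(review): if a missing or invalid CSRF token is also answered with 403, this test
    // cannot tell the role check from the CSRF check. Confirm the token is attached.
    let thread_url = format!("/p/test/general/{}", thread_id);
    h.client.get(&thread_url).await;

    let pin_url = format!("/p/test/general/{}/pin", thread_id);
    let resp = h.client.post_form(&pin_url, "").await;
    assert_eq!(
        resp.status.as_u16(),
        403,
        "Expected 403 when a plain member pins a thread"
    );
}

/// A user with the "moderator" membership can pin a thread; the route answers with a redirect.
#[tokio::test]
async fn mod_can_pin() {
    let mut h = TestHarness::new().await;
    let mod_id = h.login_as("moderator").await;
    let comm_id = h.create_community("Test", "test").await;
    let cat_id = h.create_category(comm_id, "General", "general").await;
    h.add_membership(mod_id, comm_id, "moderator").await;

    let thread_id = h
        .create_thread_with_post(cat_id, mod_id, "Pin Me", "Body")
        .await;

    // Same page load as in the negative test, so both POSTs are sent under the same conditions.
    let thread_url = format!("/p/test/general/{}", thread_id);
    h.client.get(&thread_url).await;

    let pin_url = format!("/p/test/general/{}/pin", thread_id);
    let resp = h.client.post_form(&pin_url, "").await;
    assert!(
        resp.status.is_redirection(),
        "Expected redirect after pin, got {}",
        resp.status
    );
}

/// A plain member must be refused when requesting the community settings page (HTTP 403).
#[tokio::test]
async fn non_owner_cannot_access_settings() {
    let mut h = TestHarness::new().await;
    let owner_id = h.login_as("owner").await;
    let comm_id = h.create_community("Test", "test").await;
    h.add_membership(owner_id, comm_id, "owner").await;

    // Login as member
    let member_id = h.login_as("normie").await;
    h.add_membership(member_id, comm_id, "member").await;

    let resp = h.client.get("/p/test/settings").await;
    assert_eq!(
        resp.status.as_u16(),
        403,
        "Expected 403 when a plain member opens community settings"
    );
}

/// The community owner can load the settings page (2xx response).
#[tokio::test]
async fn owner_can_access_settings() {
    let mut h = TestHarness::new().await;
    let owner_id = h.login_as("settingsowner").await;
    let comm_id = h.create_community("Test", "test").await;
    h.add_membership(owner_id, comm_id, "owner").await;
    let _cat_id = h.create_category(comm_id, "General", "general").await;

    let resp = h.client.get("/p/test/settings").await;
    assert!(resp.status.is_success(), "Expected 200, got {}", resp.status);
}

/// A plain member must be refused when POSTing the new-category form (HTTP 403).
#[tokio::test]
async fn non_owner_cannot_create_category() {
    let mut h = TestHarness::new().await;
    let owner_id = h.login_as("catowner").await;
    let comm_id = h.create_community("Test", "test").await;
    h.add_membership(owner_id, comm_id, "owner").await;

    // Login as member
    let member_id = h.login_as("catmember").await;
    h.add_membership(member_id, comm_id, "member").await;

    // Get CSRF from some page
    // NOTE(review): if CSRF failures are also reported as 403, the assertion below passes
    // for the wrong reason whenever the token is not picked up here. Confirm in the harness.
    h.client.get("/").await;

    let resp = h
        .client
        .post_form(
            "/p/test/settings/categories/new",
            "name=Hacked&slug=hacked&description=nope",
        )
        .await;
    assert_eq!(
        resp.status.as_u16(),
        403,
        "Expected 403 when a plain member creates a category"
    );
}

/// Posts are immutable — edit route no longer exists.
///
/// NOTE(review): only a GET to the edit path is checked here. Other methods on the same
/// path are not covered by this test.
#[tokio::test]
async fn post_edit_route_returns_404() {
    let mut h = TestHarness::new().await;
    let user_id = h.login_as("lateEditor").await;
    let comm_id = h.create_community("Test", "test").await;
    let cat_id = h.create_category(comm_id, "General", "general").await;
    h.add_membership(user_id, comm_id, "member").await;

    let thread_id = h
        .create_thread_with_post(cat_id, user_id, "Old Post", "Body")
        .await;

    let posts = mt_db::queries::list_posts_in_thread(&h.db, thread_id)
        .await
        .expect("listing posts of the freshly created thread should succeed");
    // The thread was created together with a post, so at least one entry is expected.
    // Indexing panics, and so fails the test, if the list is empty.
    let post_id = posts[0].id;

    let edit_url = format!(
        "/p/test/general/{}/posts/{}/edit",
        thread_id, post_id
    );
    let resp = h.client.get(&edit_url).await;
    assert_eq!(resp.status.as_u16(), 404, "Edit route should be 404");
}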