Commit Graph

1 Commits

Author: Maxim Dolgolyov
SHA1: c1c08be2b0
Date: 2026-05-06 17:21:05 +03:00
Message:

test: 7 e2e tests for permission boundaries

Focused suite covering IDOR and privilege-escalation patterns:
1. Student cannot delete another teacher's class (role block)
2. Teacher cannot delete another teacher's class (ownership check)
3. Banned user blocked on all protected routes
4. Token revoked after token_version bump (password change flow)
5. Join class with wrong invite code → 404, no membership created
6. Admin-only route blocks teacher role
7. Protected route without token → 401

All 7 pass. Pre-existing auth.test.js failures (rate-limiter shared
state in test server) are unrelated and were present before this PR.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>