goyco/internal/e2e/posts_test.go

package e2e

import (
	"net/http"
	"testing"
)

func TestE2E_PostManagement(t *testing.T) {
	ctx := setupTestContext(t)

	t.Run("post_crud_operations", func(t *testing.T) {
		_, authClient := ctx.createUserAndLogin(t, "testuser", "StrongPass123!")

		createdPost := authClient.CreatePost(t, "Original Post", "https://example.com/original", "Original content")
		updatedPost := authClient.UpdatePost(t, createdPost.ID, "Updated Post", "https://example.com/updated", "Updated content")

		if updatedPost.Title != "Updated Post" {
			t.Errorf("Expected updated title 'Updated Post', got '%s'", updatedPost.Title)
		}
		if updatedPost.Content != "Updated content" {
			t.Errorf("Expected updated content 'Updated content', got '%s'", updatedPost.Content)
		}

		postsResp := authClient.GetPosts(t)
		assertPostInList(t, postsResp, updatedPost)

		authClient.DeletePost(t, createdPost.ID)

		finalPostsResp := authClient.GetPosts(t)
		if len(finalPostsResp.Data.Posts) > 0 {
			for _, post := range finalPostsResp.Data.Posts {
				if post.ID == createdPost.ID {
					t.Errorf("Expected post to be deleted, but it still appears in posts list")
					break
				}
			}
		}
	})
}

func TestE2E_PostOwnershipAuthorization(t *testing.T) {
	ctx := setupTestContext(t)

	t.Run("post_ownership_authorization", func(t *testing.T) {
		createdUsers := ctx.createMultipleUsersWithCleanup(t, 2, "user", "StrongPass123!")
		user1 := createdUsers[0]
		user2 := createdUsers[1]

		authClient1 := ctx.loginUser(t, user1.Username, user1.Password)
		createdPost := authClient1.CreatePost(t, "User1's Post", "https://example.com/user1", "This is user1's post content")

		authClient2 := ctx.loginUser(t, user2.Username, user2.Password)

		t.Run("user2_cannot_update_user1_post", func(t *testing.T) {
			statusCode := authClient2.UpdatePostExpectStatus(t, createdPost.ID, "Hacked Title", "https://evil.com", "Hacked content")
			if statusCode != http.StatusForbidden {
				t.Errorf("Expected 403 Forbidden when User2 tries to update User1's post, got %d", statusCode)
			}
		})

		t.Run("user2_cannot_delete_user1_post", func(t *testing.T) {
			statusCode := authClient2.DeletePostExpectStatus(t, createdPost.ID)
			if statusCode != http.StatusForbidden {
				t.Errorf("Expected 403 Forbidden when User2 tries to delete User1's post, got %d", statusCode)
			}
		})

		t.Run("user1_post_unchanged", func(t *testing.T) {
			postsResp := authClient1.GetPosts(t)
			found := false
			for _, post := range postsResp.Data.Posts {
				if post.ID == createdPost.ID {
					found = true
					if post.Title != createdPost.Title {
						t.Errorf("Expected post title to remain '%s', but it was modified to '%s'", createdPost.Title, post.Title)
					}
					if post.Content != createdPost.Content {
						t.Errorf("Expected post content to remain unchanged, but it was modified")
					}
					break
				}
			}
			if !found {
				t.Errorf("Expected User1's post to still exist, but it was not found in the posts list")
			}
		})

		t.Run("user1_can_update_own_post", func(t *testing.T) {
			updatedPost := authClient1.UpdatePost(t, createdPost.ID, "Updated by User1", "https://example.com/updated", "Updated content by User1")
			if updatedPost.Title != "Updated by User1" {
				t.Errorf("Expected post title to be 'Updated by User1', got '%s'", updatedPost.Title)
			}
		})

		t.Run("user1_can_delete_own_post", func(t *testing.T) {
			deletablePost := authClient1.CreatePost(t, "Deletable Post", "https://example.com/deletable", "This post will be deleted")
			authClient1.DeletePost(t, deletablePost.ID)

			postsResp := authClient1.GetPosts(t)
			for _, post := range postsResp.Data.Posts {
				if post.ID == deletablePost.ID {
					t.Errorf("Expected post %d to be deleted, but it still exists", deletablePost.ID)
					break
				}
			}
		})
	})
}