documenso/packages/app-tests/e2e/templates/test-unauthorized-template-access.spec.ts

import { expect, test } from '@playwright/test';

import { NEXT_PUBLIC_WEBAPP_URL } from '@documenso/lib/constants/app';
import { mapSecondaryIdToTemplateId } from '@documenso/lib/utils/envelope';
import { seedBlankTemplate } from '@documenso/prisma/seed/templates';
import { seedUser } from '@documenso/prisma/seed/users';

import { apiSignin } from '../fixtures/authentication';

test.describe.configure({
  mode: 'parallel',
});

test.describe('Unauthorized Access to Templates', () => {
  test('should block unauthorized access to the template page', async ({ page }) => {
    const { user, team } = await seedUser();
    const template = await seedBlankTemplate(user, team.id);

    const { user: unauthorizedUser } = await seedUser();

    await apiSignin({
      page,
      email: unauthorizedUser.email,
      redirectPath: `/t/${team.url}/templates/${mapSecondaryIdToTemplateId(template.secondaryId)}`,
    });

    await page.goto(
      `${NEXT_PUBLIC_WEBAPP_URL()}/t/${team.url}/templates/${mapSecondaryIdToTemplateId(template.secondaryId)}`,
    );
    await expect(page.getByRole('heading', { name: 'Oops! Something went wrong.' })).toBeVisible();
  });

  test('should block unauthorized access to the template edit page', async ({ page }) => {
    const { user, team } = await seedUser();
    const template = await seedBlankTemplate(user, team.id);

    const { user: unauthorizedUser } = await seedUser();

    await apiSignin({
      page,
      email: unauthorizedUser.email,
      redirectPath: `/t/${team.url}/templates/${mapSecondaryIdToTemplateId(template.secondaryId)}/edit`,
    });

    await page.goto(
      `${NEXT_PUBLIC_WEBAPP_URL()}/t/${team.url}/templates/${mapSecondaryIdToTemplateId(template.secondaryId)}/edit`,
    );
    await expect(page.getByRole('heading', { name: 'Oops! Something went wrong.' })).toBeVisible();
  });
});