package access import "testing" func TestCanEditLogic(t *testing.T) { groups := map[string][]string{"ops": {"carol"}} // No allowlist configured: everyone with write access may edit logic. open := New("", nil, groups, nil) for _, u := range []string{"", "alice", "carol"} { if !open.CanEditLogic(u) { t.Errorf("unrestricted: CanEditLogic(%q) = false, want true", u) } } if open.LogicRestricted() { t.Error("LogicRestricted() = true with no allowlist") } // Allowlist by username and by group name. p := New("", nil, groups, []string{"alice", "ops"}) if !p.LogicRestricted() { t.Error("LogicRestricted() = false with allowlist set") } cases := map[string]bool{ "": true, // anonymous / trusted LAN "alice": true, // listed user "carol": true, // member of listed group "ops" "bob": false, // not listed } for u, want := range cases { if got := p.CanEditLogic(u); got != want { t.Errorf("CanEditLogic(%q) = %v, want %v", u, got, want) } } }