test(V2): cover live non-home project mutations

TheLastCicada · TheLastCicada · commit 4bc04e43cd99 · 2026-05-27T16:43:07.000-07:00
Add live API checks that non-home project update and delete requests are
rejected when subscribed non-home project data is available.
diff --git a/tests/v2/live-api/project-validation.live.spec.js b/tests/v2/live-api/project-validation.live.spec.js
@@ -15,17 +15,55 @@ import {
   makeDeleteRequest,
   checkRecordInStaging,
 } from './helpers/api-request-helpers.js';
-import { addCreatedId, shouldAutoCommit, trackBatchVerification, getFirstRecordIdFromDatabase, getAllRecordIdsFromDatabase } from './helpers/shared-state.js';
+import { addCreatedId, shouldAutoCommit, trackBatchVerification } from './helpers/shared-state.js';
 import {
   generateProject,
   generateProjectMinimal,
   generateProjectMaximal,
   generateProjectLongStrings,
   generateProjectForbiddenFields,
-  getLongString,
   getInvalidPicklistValue,
 } from './data/test-data-generators.js';
 
+const findNonHomeProject = async (request, homeOrgId) => {
+  let page = 1;
+  const limit = 100;
+
+  while (page <= 10) {
+    const response = await request
+      .get('/v2/project')
+      .query({ page, limit })
+      .expect(200);
+    const data = Array.isArray(response.body) ? response.body : (response.body?.data || []);
+    const nonHomeProject = data.find(record => record.orgUid && record.orgUid !== homeOrgId);
+    if (nonHomeProject) return nonHomeProject;
+
+    const totalPages = response.body?.pageCount || 1;
+    if (page >= totalPages || data.length < limit) break;
+    page++;
+  }
+
+  return null;
+};
+
+const buildProjectUpdateData = (record, overrides = {}) => ({
+  projectRegistryName: record.projectRegistryName,
+  projectId: record.projectId,
+  projectName: record.projectName,
+  projectCreditingProgram: record.projectCreditingProgram ?? null,
+  projectLink: record.projectLink ?? null,
+  projectDescription: record.projectDescription ?? null,
+  projectSector: record.projectSector ?? null,
+  projectType: record.projectType ?? null,
+  projectSubtype: record.projectSubtype ?? null,
+  projectStatus: record.projectStatus ?? null,
+  projectStatusDate: record.projectStatusDate ?? null,
+  projectUnitMetric: record.projectUnitMetric ?? null,
+  cadTrustReferenceProjectId: record.cadTrustReferenceProjectId ?? null,
+  cadTrustProgramId: record.cadTrustProgramId ?? null,
+  ...overrides,
+});
+
 describe('Project Live API Validation Tests', function () {
   this.timeout(600000); // 10 minute timeout
   let request;
@@ -179,16 +217,37 @@ describe('Project Live API Validation Tests', function () {
     });
   });
   describe('Step 7: PUT Request Tests', function () {
+    it('should reject updating a project not owned by the home organization', async function () {
+      const nonHomeProject = await findNonHomeProject(request, homeOrgId);
+      if (!nonHomeProject) {
+        this.skip();
+      }
+
+      const updateData = buildProjectUpdateData(nonHomeProject, {
+        projectName: `Should Not Update ${Date.now()}`,
+      });
+
+      try {
+        const response = await request
+          .put(`/v2/project/${nonHomeProject.cadTrustProjectId}`)
+          .send(updateData);
+
+        expect(response.status).to.equal(400);
+        expect(response.body.success).to.be.false;
+        expect(response.body.error).to.include('Restricted data');
+      } finally {
+        await clearStagingTable(request);
+      }
+    });
+
     it('should update a project', async function () {
       // Get ID from createdIds (if available) or query for test records we created
       let id = createdIds[0];
       if (!id) {
         // Query for test records by filtering by home org and TEST- prefix
         let page = 1;
         const limit = 100;
-        let found = false;
-
-        while (!found && page <= 10) { // Limit to 10 pages to avoid infinite loop
+        while (page <= 10) { // Limit to 10 pages to avoid infinite loop
           const response = await request.get(`/v2/project?page=${page}&limit=${limit}&orgUid=${homeOrgId}`).expect(200);
           const data = Array.isArray(response.body) ? response.body : (response.body?.data || []);
 
@@ -199,7 +258,6 @@ describe('Project Live API Validation Tests', function () {
 
           if (testRecord) {
             id = testRecord.cadTrustProjectId;
-            found = true;
             break;
           }
 
@@ -306,6 +364,24 @@ describe('Project Live API Validation Tests', function () {
     });
   });
   describe('Step 9: DELETE Request Tests', function () {
+    it('should reject deleting a project not owned by the home organization', async function () {
+      const nonHomeProject = await findNonHomeProject(request, homeOrgId);
+      if (!nonHomeProject) {
+        this.skip();
+      }
+
+      try {
+        const response = await request
+          .delete(`/v2/project/${nonHomeProject.cadTrustProjectId}`);
+
+        expect(response.status).to.equal(400);
+        expect(response.body.success).to.be.false;
+        expect(response.body.error).to.include('Restricted data');
+      } finally {
+        await clearStagingTable(request);
+      }
+    });
+
     it('should delete all created projects', async function () {
       // Query for test projects by orgUid and TEST- prefix
       // This works even when DELETE runs in a separate process
