fix(V2): move non-home ownership tests to v2 remote sync CI job

TheLastCicada · TheLastCicada · commit 80e678c5e14e · 2026-05-28T13:43:02.000-07:00
The v2 live api tests job has no V2 governance body configured, so
no non-home projects are ever synced. Move the ownership guard
rejection tests to a curl-based step in the v2 remote sync tests
job where governance is active and non-home project data is available.
diff --git a/.github/workflows/tests.yaml b/.github/workflows/tests.yaml
@@ -4361,6 +4361,68 @@ jobs:
           fi
           echo "All AEF data matches expected values"
 
+      - name: Verify ownership guards block non-home mutations
+        shell: bash
+        run: |
+          echo "########################################################"
+          echo "Verifying ownership guards reject non-home org mutations"
+          echo "########################################################"
+          BASE="http://127.0.0.1:31310/v2"
+          ERRORS=0
+
+          PROJECT=$(curl -s "$BASE/project?page=1&limit=1" | jq '(if type == "object" then .data else . end)[0]')
+          PROJECT_ID=$(echo "$PROJECT" | jq -r '.cadTrustProjectId')
+          echo "Using synced project: $PROJECT_ID"
+
+          echo ""
+          echo "--- PUT update on non-home project (expect 400) ---"
+          PUT_RESP=$(curl -s -w "\n%{http_code}" -X PUT "$BASE/project/$PROJECT_ID" \
+            -H "Content-Type: application/json" \
+            -d "{\"projectName\": \"Should Not Update $(date +%s)\"}")
+          PUT_HTTP=$(echo "$PUT_RESP" | tail -1)
+          PUT_BODY=$(echo "$PUT_RESP" | head -n -1)
+          if [ "$PUT_HTTP" = "400" ]; then
+            echo "  PASS: PUT returned 400"
+            if echo "$PUT_BODY" | jq -r '.error' 2>/dev/null | grep -q "Restricted data"; then
+              echo "  PASS: Error contains 'Restricted data'"
+            else
+              echo "  FAIL: Expected 'Restricted data' in error body"
+              echo "  Body: $PUT_BODY"
+              ERRORS=$((ERRORS + 1))
+            fi
+          else
+            echo "  FAIL: Expected HTTP 400, got $PUT_HTTP"
+            echo "  Body: $PUT_BODY"
+            ERRORS=$((ERRORS + 1))
+          fi
+
+          echo ""
+          echo "--- DELETE on non-home project (expect 400) ---"
+          DEL_RESP=$(curl -s -w "\n%{http_code}" -X DELETE "$BASE/project/$PROJECT_ID")
+          DEL_HTTP=$(echo "$DEL_RESP" | tail -1)
+          DEL_BODY=$(echo "$DEL_RESP" | head -n -1)
+          if [ "$DEL_HTTP" = "400" ]; then
+            echo "  PASS: DELETE returned 400"
+            if echo "$DEL_BODY" | jq -r '.error' 2>/dev/null | grep -q "Restricted data"; then
+              echo "  PASS: Error contains 'Restricted data'"
+            else
+              echo "  FAIL: Expected 'Restricted data' in error body"
+              echo "  Body: $DEL_BODY"
+              ERRORS=$((ERRORS + 1))
+            fi
+          else
+            echo "  FAIL: Expected HTTP 400, got $DEL_HTTP"
+            echo "  Body: $DEL_BODY"
+            ERRORS=$((ERRORS + 1))
+          fi
+
+          echo ""
+          if [ "$ERRORS" -gt 0 ]; then
+            echo "FAILED: $ERRORS ownership guard checks failed"
+            exit 1
+          fi
+          echo "All ownership guard checks passed"
+
       - name: Show CADT logs after tests
         if: always()
         shell: bash
diff --git a/tests/v2/live-api/project-validation.live.spec.js b/tests/v2/live-api/project-validation.live.spec.js
@@ -25,53 +25,6 @@ import {
   getInvalidPicklistValue,
 } from './data/test-data-generators.js';
 
-const findNonHomeProject = async (request, homeOrgId) => {
-  let page = 1;
-  const limit = 100;
-
-  while (page <= 10) {
-    const response = await request
-      .get('/v2/project')
-      .query({ page, limit })
-      .expect(200);
-    const data = Array.isArray(response.body) ? response.body : (response.body?.data || []);
-    const nonHomeProject = data.find(record => record.orgUid && record.orgUid !== homeOrgId);
-    if (nonHomeProject) return nonHomeProject;
-
-    const totalPages = response.body?.pageCount || 1;
-    if (page >= totalPages || data.length < limit) break;
-    page++;
-  }
-
-  return null;
-};
-
-const requireNonHomeProject = async (request, homeOrgId, mochaContext) => {
-  const nonHomeProject = await findNonHomeProject(request, homeOrgId);
-  if (!nonHomeProject) {
-    mochaContext.skip();
-  }
-  return nonHomeProject;
-};
-
-const buildProjectUpdateData = (record, overrides = {}) => ({
-  projectRegistryName: record.projectRegistryName,
-  projectId: record.projectId,
-  projectName: record.projectName,
-  projectCreditingProgram: record.projectCreditingProgram ?? null,
-  projectLink: record.projectLink ?? null,
-  projectDescription: record.projectDescription ?? null,
-  projectSector: record.projectSector ?? null,
-  projectType: record.projectType ?? null,
-  projectSubtype: record.projectSubtype ?? null,
-  projectStatus: record.projectStatus ?? null,
-  projectStatusDate: record.projectStatusDate ?? null,
-  projectUnitMetric: record.projectUnitMetric ?? null,
-  cadTrustReferenceProjectId: record.cadTrustReferenceProjectId ?? null,
-  cadTrustProgramId: record.cadTrustProgramId ?? null,
-  ...overrides,
-});
-
 describe('Project Live API Validation Tests', function () {
   this.timeout(600000); // 10 minute timeout
   let request;
@@ -225,26 +178,6 @@ describe('Project Live API Validation Tests', function () {
     });
   });
   describe('Step 7: PUT Request Tests', function () {
-    it('should reject updating a project not owned by the home organization', async function () {
-      const nonHomeProject = await requireNonHomeProject(request, homeOrgId, this);
-
-      const updateData = buildProjectUpdateData(nonHomeProject, {
-        projectName: `Should Not Update ${Date.now()}`,
-      });
-
-      try {
-        const response = await request
-          .put(`/v2/project/${nonHomeProject.cadTrustProjectId}`)
-          .send(updateData);
-
-        expect(response.status).to.equal(400);
-        expect(response.body.success).to.be.false;
-        expect(response.body.error).to.include('Restricted data');
-      } finally {
-        await clearStagingTable(request);
-      }
-    });
-
     it('should update a project', async function () {
       // Get ID from createdIds (if available) or query for test records we created
       let id = createdIds[0];
@@ -358,11 +291,6 @@ describe('Project Live API Validation Tests', function () {
       }
     });
 
-    it('should include synced project data from another organization', async function () {
-      const nonHomeProject = await requireNonHomeProject(request, homeOrgId, this);
-      expect(nonHomeProject.orgUid).to.not.equal(homeOrgId);
-    });
-
     it('should support search functionality', async function () {
       // Test search if supported by endpoint
       const response = await request
@@ -374,21 +302,6 @@ describe('Project Live API Validation Tests', function () {
     });
   });
   describe('Step 9: DELETE Request Tests', function () {
-    it('should reject deleting a project not owned by the home organization', async function () {
-      const nonHomeProject = await requireNonHomeProject(request, homeOrgId, this);
-
-      try {
-        const response = await request
-          .delete(`/v2/project/${nonHomeProject.cadTrustProjectId}`);
-
-        expect(response.status).to.equal(400);
-        expect(response.body.success).to.be.false;
-        expect(response.body.error).to.include('Restricted data');
-      } finally {
-        await clearStagingTable(request);
-      }
-    });
-
     it('should delete all created projects', async function () {
       // Query for test projects by orgUid and TEST- prefix
       // This works even when DELETE runs in a separate process
