@@ -25,6 +25,36 @@ import {
2525 getInvalidPicklistValue ,
2626} from './data/test-data-generators.js' ;
2727
28+ const findNonHomeProject = async ( request , homeOrgId ) => {
29+ let page = 1 ;
30+ const limit = 100 ;
31+
32+ while ( page <= 10 ) {
33+ const response = await request
34+ . get ( '/v2/project' )
35+ . query ( { page, limit } )
36+ . expect ( 200 ) ;
37+ const data = Array . isArray ( response . body ) ? response . body : ( response . body ?. data || [ ] ) ;
38+ const nonHomeProject = data . find ( record => record . orgUid && record . orgUid !== homeOrgId ) ;
39+ if ( nonHomeProject ) return nonHomeProject ;
40+
41+ const totalPages = response . body ?. pageCount || 1 ;
42+ if ( page >= totalPages || data . length < limit ) break ;
43+ page ++ ;
44+ }
45+
46+ return null ;
47+ } ;
48+
49+ const requireNonHomeProject = async ( request , homeOrgId ) => {
50+ const nonHomeProject = await findNonHomeProject ( request , homeOrgId ) ;
51+ expect (
52+ nonHomeProject ,
53+ 'Expected at least one synced project from another subscribed organization' ,
54+ ) . to . exist ;
55+ return nonHomeProject ;
56+ } ;
57+
2858describe ( 'Project Live API Validation Tests' , function ( ) {
2959 this . timeout ( 600000 ) ; // 10 minute timeout
3060 let request ;
@@ -178,6 +208,28 @@ describe('Project Live API Validation Tests', function () {
178208 } ) ;
179209 } ) ;
180210 describe ( 'Step 7: PUT Request Tests' , function ( ) {
211+ it ( 'should reject updating a project not owned by the home organization' , async function ( ) {
212+ const nonHomeProject = await requireNonHomeProject ( request , homeOrgId ) ;
213+
214+ const updateData = {
215+ projectName : `Should Not Update ${ Date . now ( ) } ` ,
216+ projectRegistryName : nonHomeProject . projectRegistryName ,
217+ projectId : nonHomeProject . projectId ,
218+ } ;
219+
220+ try {
221+ const response = await request
222+ . put ( `/v2/project/${ nonHomeProject . cadTrustProjectId } ` )
223+ . send ( updateData ) ;
224+
225+ expect ( response . status ) . to . equal ( 400 ) ;
226+ expect ( response . body . success ) . to . be . false ;
227+ expect ( response . body . error ) . to . include ( 'Restricted data' ) ;
228+ } finally {
229+ await clearStagingTable ( request ) ;
230+ }
231+ } ) ;
232+
181233 it ( 'should update a project' , async function ( ) {
182234 // Get ID from createdIds (if available) or query for test records we created
183235 let id = createdIds [ 0 ] ;
@@ -291,6 +343,11 @@ describe('Project Live API Validation Tests', function () {
291343 }
292344 } ) ;
293345
346+ it ( 'should include synced project data from another organization' , async function ( ) {
347+ const nonHomeProject = await requireNonHomeProject ( request , homeOrgId ) ;
348+ expect ( nonHomeProject . orgUid ) . to . not . equal ( homeOrgId ) ;
349+ } ) ;
350+
294351 it ( 'should support search functionality' , async function ( ) {
295352 // Test search if supported by endpoint
296353 const response = await request
@@ -302,6 +359,21 @@ describe('Project Live API Validation Tests', function () {
302359 } ) ;
303360 } ) ;
304361 describe ( 'Step 9: DELETE Request Tests' , function ( ) {
362+ it ( 'should reject deleting a project not owned by the home organization' , async function ( ) {
363+ const nonHomeProject = await requireNonHomeProject ( request , homeOrgId ) ;
364+
365+ try {
366+ const response = await request
367+ . delete ( `/v2/project/${ nonHomeProject . cadTrustProjectId } ` ) ;
368+
369+ expect ( response . status ) . to . equal ( 400 ) ;
370+ expect ( response . body . success ) . to . be . false ;
371+ expect ( response . body . error ) . to . include ( 'Restricted data' ) ;
372+ } finally {
373+ await clearStagingTable ( request ) ;
374+ }
375+ } ) ;
376+
305377 it ( 'should delete all created projects' , async function ( ) {
306378 // Query for test projects by orgUid and TEST- prefix
307379 // This works even when DELETE runs in a separate process
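Review bot: The two ownership tests ('should reject updating a project not owned by the home organization' in Step 7 and 'should reject deleting…' in Step 9) assert only on the response, and their `finally` block calls `clearStagingTable(request)`, so a server that answers 400 'Restricted data' yet still stages the change would pass and have the evidence wiped. Before the cleanup, each test should also assert that staging holds no entry for `nonHomeProject.cadTrustProjectId`; how staging is read is not visible in these hunks, so the exact call is left to the author. Separately, `findNonHomeProject` treats every record with an `orgUid` as foreign when `homeOrgId` is undefined, which would let 'should include synced project data from another organization' pass vacuously and point the PUT/DELETE tests at a home-owned record. `requireNonHomeProject` should guard against that first, e.g. `expect(homeOrgId, 'homeOrgId must be set before ownership tests').to.be.a('string').that.is.not.empty;`. The bodies of both `describe` blocks continue outside the hunks.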