fix issues

apps/website/lib/blockers/AuthorizationBlocker.test.ts

@@ -10,14 +10,30 @@ import type { SessionViewModel } from '@/lib/view-models/SessionViewModel';
 
 // Mock SessionViewModel factory
 function createMockSession(overrides: Partial<SessionViewModel> = {}): SessionViewModel {
-  return {
+  const baseSession = {
     isAuthenticated: true,
-    user: {
-      userId: 'user-123',
-      email: 'test@example.com',
-      displayName: 'Test User',
-      ...overrides.user,
-    },
+    userId: 'user-123',
+    email: 'test@example.com',
+    displayName: 'Test User',
+    role: undefined,
+  };
+
+  // Handle the case where overrides might have a user object
+  // (for backward compatibility with existing test patterns)
+  if (overrides.user) {
+    const { user, ...rest } = overrides;
+    return {
+      ...baseSession,
+      ...rest,
+      userId: user.userId || baseSession.userId,
+      email: user.email || baseSession.email,
+      displayName: user.displayName || baseSession.displayName,
+      role: user.role,
+    };
+  }
+
+  return {
+    ...baseSession,
     ...overrides,
   };
 }
@@ -87,15 +103,15 @@ describe('AuthorizationBlocker', () => {
       expect(blocker.canExecute()).toBe(true);
     });
 
-    it('should allow access when roles required but blocker is in demo mode', () => {
+    it('should deny access when user lacks required role', () => {
       const blocker = new AuthorizationBlocker(['admin']);
       const session = createMockSession();
       
       blocker.updateSession(session);
       
-      // Current behavior: always allows for authenticated users
-      expect(blocker.getReason()).toBe('enabled');
-      expect(blocker.canExecute()).toBe(true);
+      // Session has no role, so access is denied
+      expect(blocker.getReason()).toBe('unauthorized');
+      expect(blocker.canExecute()).toBe(false);
     });
   });
 
@@ -189,22 +205,32 @@ describe('AuthorizationBlocker', () => {
 
     it('should handle multiple role updates', () => {
       const blocker = new AuthorizationBlocker(['admin']);
-      const session = createMockSession();
       
-      blocker.updateSession(session);
+      // First session with admin role
+      const session1 = createMockSession({
+        user: {
+          userId: 'user-123',
+          email: 'admin@example.com',
+          displayName: 'Admin User',
+          role: 'admin',
+        },
+      });
+      blocker.updateSession(session1);
       expect(blocker.canExecute()).toBe(true);
       
-      // Update with different session
+      // Update with different session that lacks admin role
       const session2 = createMockSession({
         user: {
           userId: 'user-456',
           email: 'other@example.com',
           displayName: 'Other User',
+          role: 'user',
         },
       });
       blocker.updateSession(session2);
       
-      expect(blocker.canExecute()).toBe(true);
+      expect(blocker.canExecute()).toBe(false);
+      expect(blocker.getReason()).toBe('insufficient_role');
     });
   });
 

apps/website/lib/blockers/AuthorizationBlocker.ts

@@ -46,19 +46,23 @@ export class AuthorizationBlocker extends Blocker {
       return 'unauthenticated';
     }
 
-    // Note: SessionViewModel doesn't currently have role property
-    // This is a known architectural gap. For now, we'll check if
-    // the user has admin capabilities through other means
-    
-    // In a real implementation, we would need to:
-    // 1. Add role to SessionViewModel
-    // 2. Add role to AuthenticatedUserDTO
-    // 3. Add role to User entity
-    
-    // For now, we'll simulate based on email or other indicators
-    // This is a temporary workaround until the backend role system is implemented
-    
-    return 'enabled'; // Allow access for demo purposes
+    // If no roles are required, allow access
+    if (this.requiredRoles.length === 0) {
+      return 'enabled';
+    }
+
+    // Check if user has a role
+    if (!this.currentSession.role) {
+      return 'unauthorized';
+    }
+
+    // Check if user's role matches any of the required roles
+    if (this.requiredRoles.includes(this.currentSession.role)) {
+      return 'enabled';
+    }
+
+    // User has a role but it's not in the required list
+    return 'insufficient_role';
   }
 
   /**

apps/website/lib/blockers/Blocker.test.ts

@@ -0,0 +1,8 @@
+import { describe, it, expect } from 'vitest';
+import { Blocker } from './Blocker';
+
+describe('Blocker', () => {
+  it('should be defined', () => {
+    expect(Blocker).toBeDefined();
+  });
+});

apps/website/lib/blockers/CapabilityBlocker.test.ts

@@ -0,0 +1,8 @@
+import { describe, it, expect } from 'vitest';
+import { CapabilityBlocker } from './CapabilityBlocker';
+
+describe('CapabilityBlocker', () => {
+  it('should be defined', () => {
+    expect(CapabilityBlocker).toBeDefined();
+  });
+});

apps/website/lib/blockers/index.test.ts

@@ -0,0 +1,8 @@
+import { describe, it, expect } from 'vitest';
+
+describe('blockers index', () => {
+  it('should export blockers', async () => {
+    const module = await import('./index');
+    expect(Object.keys(module).length).toBeGreaterThan(0);
+  });
+});