* Asserts the condition matches null-workspace rows tied to the organization * via metadata or the organization resource itself.
(condition: MockCondition, organizationId: string)
| 35 | * via metadata or the organization resource itself. |
| 36 | */ |
| 37 | function expectOrgLevelCondition(condition: MockCondition, organizationId: string): void { |
| 38 | expect(condition.type).toBe('and') |
| 39 | const [nullCheck, orgLink] = condition.conditions! |
| 40 | expect(nullCheck).toMatchObject({ type: 'isNull', column: 'workspaceId' }) |
| 41 | |
| 42 | expect(orgLink.type).toBe('or') |
| 43 | const [metadataMatch, orgResourceMatch] = orgLink.conditions! |
| 44 | expect(metadataMatch.strings?.join('?')).toContain("->>'organizationId' =") |
| 45 | expect(metadataMatch.values).toContain(organizationId) |
| 46 | |
| 47 | expect(orgResourceMatch.type).toBe('and') |
| 48 | expect(orgResourceMatch.conditions).toEqual([ |
| 49 | expect.objectContaining({ type: 'eq', left: 'resourceType', right: 'organization' }), |
| 50 | expect.objectContaining({ type: 'eq', left: 'resourceId', right: organizationId }), |
| 51 | ]) |
| 52 | } |
| 53 | |
| 54 | describe('buildOrgScopeCondition', () => { |
| 55 | it('never uses actor membership as a standalone boundary (default scope)', () => { |