fix(projects): restrict delete to admin or project-manager owner

Author: Diogo-Ferraz

src/TaskManagement.Api/Features/Projects/Commands/Handlers/DeleteProjectCommandHandler.cs

@@ -42,7 +42,10 @@ public async Task Handle(DeleteProjectCommand request, CancellationToken cancell
             var isAdmin = _currentUserService.IsInRole(Roles.Administrator);
             var isProjectManager = _currentUserService.IsInRole(Roles.ProjectManager);
 
-            if (!isAdmin && !isProjectManager && project.OwnerUserId != currentUserId)
+            var canDeleteAsProjectManagerOwner =
+                isProjectManager && string.Equals(project.OwnerUserId, currentUserId, StringComparison.Ordinal);
+
+            if (!isAdmin && !canDeleteAsProjectManagerOwner)
             {
                 throw new ForbiddenAccessException("User is not authorized to delete this project.");
             }

tests/TaskManagement.Api.Tests/IntegrationTests/Features/Projects/DeleteProjectEndpointTests.cs

@@ -76,10 +76,10 @@ private void SetAuthenticatedUser(string userId, string? roles = null)
         }
 
         [Fact]
-        public async Task DeleteProject_WhenUserIsOwner_ShouldReturnNoContentAndDeleteProject()
+        public async Task DeleteProject_WhenUserIsProjectManagerOwner_ShouldReturnNoContentAndDeleteProject()
         {
             // Arrange
-            SetAuthenticatedUser(_ownerUserId);
+            SetAuthenticatedUser(_ownerUserId, Roles.ProjectManager);
             int initialProjectCount;
             using (var scope = _factory.Services.CreateScope())
             {
@@ -107,7 +107,7 @@ public async Task DeleteProject_WhenUserIsOwner_ShouldReturnNoContentAndDeletePr
         }
 
         [Fact]
-        public async Task DeleteProject_WhenUserIsProjectManagerButNotOwner_ShouldReturnNoContent()
+        public async Task DeleteProject_WhenUserIsProjectManagerButNotOwner_ShouldReturnForbidden()
         {
             // Arrange
             SetAuthenticatedUser(_otherUserId, Roles.ProjectManager);
@@ -122,15 +122,15 @@ public async Task DeleteProject_WhenUserIsProjectManagerButNotOwner_ShouldReturn
             var response = await _client.DeleteAsync($"/api/projects/{_projectToDeleteId}");
 
             // Assert
-            response.StatusCode.Should().Be(HttpStatusCode.NoContent);
+            response.StatusCode.Should().Be(HttpStatusCode.Forbidden);
 
             // Assert
             using (var scope = _factory.Services.CreateScope())
             {
                 var dbContext = scope.ServiceProvider.GetRequiredService<TaskManagementDbContext>();
                 var projectInDb = await dbContext.Projects.FindAsync(_projectToDeleteId);
-                projectInDb.Should().BeNull();
-                (await dbContext.Projects.CountAsync()).Should().Be(initialProjectCount - 1);
+                projectInDb.Should().NotBeNull();
+                (await dbContext.Projects.CountAsync()).Should().Be(initialProjectCount);
             }
         }
 

tests/TaskManagement.Api.Tests/UnitTests/Features/Projects/Commands/DeleteProjectCommandHandlerTests.cs

@@ -62,11 +62,12 @@ private void SeedDatabase()
         }
 
         [Fact]
-        public async Task Handle_ShouldRemoveProject_WhenRequestIsValidAndUserIsOwner()
+        public async Task Handle_ShouldRemoveProject_WhenRequestIsValidAndUserIsProjectManagerOwner()
         {
             // Arrange
             var command = new DeleteProjectCommand { Id = _projectIdToDelete };
             _mockCurrentUser.Setup(u => u.Id).Returns(_ownerUserId);
+            _mockCurrentUser.Setup(u => u.IsInRole(Roles.ProjectManager)).Returns(true);
             int initialCount = await _dbContext.Projects.CountAsync();
 
             // Act
@@ -114,19 +115,22 @@ public async Task Handle_ShouldThrowForbiddenAccessException_WhenUserIsNotOwner(
         }
 
         [Fact]
-        public async Task Handle_ShouldRemoveProject_WhenUserIsProjectManager()
+        public async Task Handle_ShouldThrowForbiddenAccessException_WhenUserIsProjectManagerButNotOwner()
         {
             // Arrange
             var command = new DeleteProjectCommand { Id = _projectIdToDelete };
             _mockCurrentUser.Setup(u => u.Id).Returns(_otherUserId);
             _mockCurrentUser.Setup(u => u.IsInRole(Roles.ProjectManager)).Returns(true);
 
             // Act
-            await _handler.Handle(command, CancellationToken.None);
+            Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
 
             // Assert
-            var deletedProject = await _dbContext.Projects.FindAsync(_projectIdToDelete);
-            deletedProject.Should().BeNull();
+            await act.Should().ThrowAsync<ForbiddenAccessException>()
+                .WithMessage("*not authorized to delete this project*");
+
+            var existingProject = await _dbContext.Projects.FindAsync(_projectIdToDelete);
+            existingProject.Should().NotBeNull();
         }
 
         [Fact]