fix: scope organization access by membership

backend/tests/Socialize.Tests/Security/AccessScopeServiceTests.cs

@@ -0,0 +1,49 @@
+using System.Security.Claims;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.Identity.Contracts;
+
+namespace Socialize.Tests.Security;
+
+public class AccessScopeServiceTests
+{
+    [Fact]
+    public void Manager_role_does_not_grant_workspace_access_without_workspace_scope()
+    {
+        Guid workspaceId = Guid.NewGuid();
+        ClaimsPrincipal user = CreateUser(KnownRoles.Manager);
+
+        Assert.False(AccessScopeService.CanAccessWorkspace(user, workspaceId));
+        Assert.False(AccessScopeService.CanManageWorkspace(user, workspaceId));
+    }
+
+    [Fact]
+    public void Administrator_role_does_not_grant_workspace_access_without_workspace_scope()
+    {
+        Guid workspaceId = Guid.NewGuid();
+        ClaimsPrincipal user = CreateUser(KnownRoles.Administrator);
+
+        Assert.False(AccessScopeService.CanAccessWorkspace(user, workspaceId));
+        Assert.False(AccessScopeService.CanManageWorkspace(user, workspaceId));
+    }
+
+    [Fact]
+    public void Manager_can_manage_only_workspaces_in_scope()
+    {
+        Guid workspaceId = Guid.NewGuid();
+        ClaimsPrincipal user = CreateUser(KnownRoles.Manager, new Claim(KnownClaims.WorkspaceScope, workspaceId.ToString()));
+
+        Assert.True(AccessScopeService.CanAccessWorkspace(user, workspaceId));
+        Assert.True(AccessScopeService.CanManageWorkspace(user, workspaceId));
+    }
+
+    private static ClaimsPrincipal CreateUser(string role, params Claim[] claims)
+    {
+        Claim[] baseClaims =
+        [
+            new(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString()),
+            new(ClaimTypes.Role, role),
+        ];
+
+        return new ClaimsPrincipal(new ClaimsIdentity(baseClaims.Concat(claims), "Test"));
+    }
+}