{
  "ursId": "URS-008",
  "title": "Restrict Reps from Editing Accounts Outside Assigned Organization",
  "timestamp": "2026-04-23T03:35:29.564Z",
  "durationMs": 44350,
  "config": {
    "inboxUrl": "http://localhost:62393",
    "dbHost": "localhost",
    "dbPort": 62394,
    "dbName": "cc_repinbox_dev"
  },
  "setup": {
    "status": "pass"
  },
  "scenarios": [
    {
      "name": "Step 1: Rep login",
      "status": "pass",
      "description": "Step 1: Rep login",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/screenshots/step-01-rep-logged-in.png"
      ],
      "explanation": "Establishes the authenticated session for Bob Kauffman (StellarTech sales rep, role downgraded by setup). A successful login is the precondition for every subsequent step — without it, cross-organization failures would be indistinguishable from an unauthenticated redirect. Note on the captured audit evidence: this run records four `user:login` events for Bob between 03:35:35 and 03:35:57, which suggests the harness re-authenticates before each step rather than reusing one session, and every event carries an all-zero `traceId`, so the audit rows cannot be correlated with request traces as captured — worth checking in the audit middleware before these rows are relied on for forensic reconstruction.",
      "expectedAuditActions": [
        "user_log:user:login"
      ],
      "startedAt": "2026-04-23T03:35:37.851Z",
      "finishedAt": "2026-04-23T03:35:37.851Z",
      "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/videos/step-01-rep-login.webm"
    },
    {
      "name": "Step 2: Foreign-org account absent from list",
      "status": "pass",
      "description": "Step 2: Foreign-org account absent from list",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/screenshots/step-02-rep-accounts-list.png"
      ],
      "explanation": "Navigates to /sales-accounts and asserts that the foreign-organization account's name and UUID do not appear anywhere on the rendered page. The list query filters by the caller's organization, so a StellarTech rep must see only StellarTech-owned accounts. Proving absence-from-list closes the first half of the isolation story: the foreign account cannot be discovered through the app's normal navigation. This is a UI-level check only — it says nothing about other enumeration paths (search, export, or the list endpoint called directly with crafted parameters), none of which are exercised in this run; the server-side check in Step 4 is what bounds direct access by UUID.",
      "startedAt": "2026-04-23T03:35:46.284Z",
      "finishedAt": "2026-04-23T03:35:46.284Z",
      "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/videos/step-02-rep-accounts-list.webm"
    },
    {
      "name": "Step 3: In-organization account detail loads",
      "status": "pass",
      "description": "Step 3: In-organization account detail loads",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/screenshots/step-03-in-org-account-detail.png"
      ],
      "explanation": "Loads the BOSS account detail page — BOSS is owned by Bob's own organization (StellarTech). Confirming this page renders normally rules out the scenario where the Step 4 failure is caused by a broad access bug (for example, a detail route that 404s for every account). It is the positive control that bounds the cross-org check: the same rep, session and route succeed when the account is in-org, so the Step 4 404 can be attributed to the organization filter rather than to a general outage.",
      "startedAt": "2026-04-23T03:35:54.091Z",
      "finishedAt": "2026-04-23T03:35:54.091Z",
      "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/videos/step-03-rep-in-org-account.webm"
    },
    {
      "name": "Step 4: Rep receives 404 on foreign-org account URL",
      "status": "pass",
      "description": "Step 4: Rep receives 404 on foreign-org account URL",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/screenshots/step-04-rep-foreign-org-404.png"
      ],
      "explanation": "Navigates the rep directly to the foreign-organization account URL. The server-side route resolves through `getSalesAccountWithOrgCheck`, which returns null when the user's organization matches neither the account's distributor nor manufacturer; the route then throws a 404. Asserting both the HTTP status and the rendered error text shows the block is enforced on the server for this request, not merely hidden in the UI; answering 404 rather than 403 also avoids confirming to an outsider that the account exists. Scope caveat: this step exercises only the GET detail route. No edit or other mutating request against the foreign account is submitted anywhere in this run, so enforcement of the same organization check on the update handler — the behavior the URS title actually names — is not demonstrated by this evidence and needs its own step. No denied-access audit event is asserted for this step either; the audit evidence captured for the run consists solely of `user:login` events within the organizations the audit query was scoped to.",
      "startedAt": "2026-04-23T03:36:01.788Z",
      "finishedAt": "2026-04-23T03:36:01.788Z",
      "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/videos/step-04-rep-foreign-org-404.webm"
    },
    {
      "name": "Step 5: Admin also blocked — org-scoped, not role-scoped",
      "status": "pass",
      "description": "Step 5: Admin also blocked — org-scoped, not role-scoped",
      "screenshots": [
        "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/screenshots/step-05-admin-foreign-org-404.png"
      ],
      "explanation": "Repeats Step 4 as Dan Distributor (StellarTech admin). The admin has sales_accounts:manage (stated here, but not verified by a dbValidation in this run) yet is still in StellarTech only, so the organization filter must still return null and the route must still 404. Proving this isolates the restriction as organization-scoped — the URS requirement is met by organization membership, not by role — and guards against a regression where an elevated role silently bypasses the org check. As with Step 4, only the GET detail route is exercised.",
      "expectedAuditActions": [
        "user_log:user:login"
      ],
      "startedAt": "2026-04-23T03:36:11.164Z",
      "finishedAt": "2026-04-23T03:36:11.164Z",
      "videoPath": "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z/videos/step-05-admin-foreign-org-404.webm"
    }
  ],
  "dbValidations": [
    {
      "name": "Rep has Sales Representative role",
      "query": "SELECT u.email, u.name, r.name as role_name, r.id as role_id\n      FROM users u\n      JOIN user_roles ur ON ur.user_id = u.id\n      JOIN roles r ON r.id = ur.role_id\n      WHERE u.id = $1 AND ur.organization_id = $2",
      "status": "pass",
      "rows": [
        {
          "email": "bob.kauffman@stellartech.com",
          "name": "Bob Kauffman",
          "role_name": "Sales Representative",
          "role_id": "d2e3f4a5-b6c7-8901-def0-123456789abc"
        }
      ],
      "assertion": "Bob Kauffman should have the Sales Representative role in StellarTech so the test exercises a \"rep\" per the URS wording"
    },
    {
      "name": "Sales Rep role has sales_accounts:view",
      "query": "SELECT p.permission\n      FROM permissions p\n      WHERE p.actor_id = $1\n      AND p.permission = 'sales_accounts:view'",
      "status": "pass",
      "rows": [
        {
          "permission": "sales_accounts:view"
        }
      ],
      "assertion": "The Sales Representative role must include sales_accounts:view so that absence-from-list is an organization scoping effect, not a permission gap"
    },
    {
      "name": "Rep belongs only to StellarTech",
      "query": "SELECT ur.organization_id, o.name\n      FROM user_roles ur\n      JOIN organizations o ON o.id = ur.organization_id\n      WHERE ur.user_id = $1",
      "status": "pass",
      "rows": [
        {
          "organization_id": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
          "name": "StellarTech Medical Solutions"
        }
      ],
      "assertion": "Bob Kauffman must have exactly one organization membership — StellarTech — so visiting the foreign-owned account cannot succeed via a second membership"
    },
    {
      "name": "Foreign distributor organization exists",
      "query": "SELECT id, name, active FROM organizations WHERE id = $1",
      "status": "pass",
      "rows": [
        {
          "id": "f0f0f0f0-0008-4f00-af00-000000000008",
          "name": "Acme Distribution Partners (URS-008 Fixture)",
          "active": true
        }
      ],
      "assertion": "The ephemeral foreign organization inserted by setup must exist and be distinct from StellarTech, providing the target for the cross-org isolation proof"
    },
    {
      "name": "Foreign sales account owned entirely by foreign org",
      "query": "SELECT id, name, status,\n        organization_id,\n        distributor_organization_id,\n        manufacturer_organization_id\n      FROM sales_accounts\n      WHERE id = $1",
      "status": "pass",
      "rows": [
        {
          "id": "f0f0f0f0-0008-4f00-acc0-000000000008",
          "name": "Acme Diagnostics Center",
          "status": "active",
          "organization_id": "f0f0f0f0-0008-4f00-af00-000000000008",
          "distributor_organization_id": "f0f0f0f0-0008-4f00-af00-000000000008",
          "manufacturer_organization_id": "f0f0f0f0-0008-4f00-af00-000000000008"
        }
      ],
      "assertion": "The foreign sales account must set organization_id, distributor_organization_id, and manufacturer_organization_id all to the foreign org — no StellarTech linkage exists on any scoping column"
    },
    {
      "name": "Rep has no assignment to foreign sales account",
      "query": "SELECT id, active, representative_type, organization_id\n      FROM sales_account_user_assignments\n      WHERE user_id = $1 AND sales_account_id = $2",
      "status": "pass",
      "rows": [],
      "assertion": "Bob Kauffman must not have any assignment row — active or inactive — linking him to the foreign-owned sales account"
    }
  ],
  "overallStatus": "pass",
  "outputDir": "/Users/jason/projects/casecohort/code/validation_test_results/urs-008-restrict-rep-account-edit/2026-04-23T03-35-29-562Z",
  "auditStartTime": "2026-04-23T03:35:27.651Z",
  "auditEventEvidence": [
    {
      "createdAt": "2026-04-23T03:35:35.760Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "bob.kauffman@stellartech.com",
      "userId": "17b8c9d0-e1f2-3456-1234-567890123456",
      "organizationName": "StellarTech Medical Solutions",
      "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "bob.kauffman@stellartech.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-23T03:35:40.772Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "bob.kauffman@stellartech.com",
      "userId": "17b8c9d0-e1f2-3456-1234-567890123456",
      "organizationName": "StellarTech Medical Solutions",
      "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "bob.kauffman@stellartech.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-23T03:35:48.942Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "bob.kauffman@stellartech.com",
      "userId": "17b8c9d0-e1f2-3456-1234-567890123456",
      "organizationName": "StellarTech Medical Solutions",
      "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "bob.kauffman@stellartech.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-23T03:35:57.091Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "bob.kauffman@stellartech.com",
      "userId": "17b8c9d0-e1f2-3456-1234-567890123456",
      "organizationName": "StellarTech Medical Solutions",
      "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "bob.kauffman@stellartech.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    },
    {
      "createdAt": "2026-04-23T03:36:08.693Z",
      "eventType": "user_log",
      "action": "user:login",
      "userEmail": "dan.distributor@stellartech.com",
      "userId": "c3d4e5f6-a7b8-9012-cdef-123456789012",
      "organizationName": "StellarTech Medical Solutions",
      "organizationId": "b2c3d4e5-f6a7-8901-bcde-f12345678901",
      "objectId": null,
      "secondaryObjectId": null,
      "payload": {
        "email": "dan.distributor@stellartech.com"
      },
      "route": "/login",
      "traceId": "00000000000000000000000000000000"
    }
  ],
  "auditQuery": "SELECT\n    ae.created_at,\n    ae.event_type,\n    ae.action,\n    ae.user_id,\n    u.email AS user_email,\n    ae.organization_id,\n    o.name AS organization_name,\n    ae.object_id,\n    ae.secondary_object_id,\n    ae.payload,\n    ae.route,\n    ae.trace_id\n  FROM audit_events ae\n  LEFT JOIN users u ON u.id = ae.user_id\n  LEFT JOIN organizations o ON o.id = ae.organization_id\n  WHERE ae.created_at >= $1\n    AND ae.organization_id = ANY($2::uuid[])\n  ORDER BY ae.created_at ASC",
  "auditAssertions": [
    {
      "stepName": "Step 1: Rep login",
      "expectedAction": "user_log:user:login",
      "found": true
    },
    {
      "stepName": "Step 5: Admin also blocked — org-scoped, not role-scoped",
      "expectedAction": "user_log:user:login",
      "found": true
    }
  ],
  "emailAssertions": []
}