Lock down emergency-contact edits with a shared automated test
Canadian Elite Volleyball Academy — Development Update • April 24, 2026
## What & Why

The unified GET route is now covered by an integration test (task #256), but the matching write routes — POST (create), PATCH (update), and DELETE — don't have a server-side test pinning down who is allowed to mutate emergency contacts. Without coverage, a future refactor could accidentally let an unrelated viewer or a parent-of-connected-athlete add or delete entries on someone else's profile.
## Done looks like

- An automated test exercises POST, PATCH, and DELETE on ) for the owner, an allowed coordinator/coach viewer, and a denied viewer
- The denied viewer never reaches the storage layer (mocks aren't called) and receives 403
## Relevant files

- (POST ~line 8385, PATCH ~line 8420, DELETE ~line 8457)
- (use as a template — same mock setup, same viewer fixtures)
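
A sketch of the test matrix that "Done looks like" describes, as an added example rather than the project's own test. The handler, the `canEditContacts` policy, the viewer fixtures and the mock storage are hypothetical stand-ins, and the rule that a coordinator or coach is allowed only for athletes assigned to them is an assumption.

```javascript
// Added example; every name here is a hypothetical stand-in, not project code.
// Assumed policy: the owner, or a coordinator/coach assigned to the athlete.
function canEditContacts(viewer, athleteId) {
  if (viewer.id === athleteId) return true;
  return ['coordinator', 'coach'].includes(viewer.role) &&
    viewer.athleteIds.includes(athleteId);
}

// Mock storage layer that records every call it receives.
function mockStorage() {
  const calls = [];
  const record = (op) => () => { calls.push(op); return { ok: true }; };
  return { calls, create: record('create'), update: record('update'), remove: record('remove') };
}

// Stand-in write handler: the authorization check runs before any storage call.
const OPS = { POST: ['create', 201], PATCH: ['update', 200], DELETE: ['remove', 204] };
function handle(method, viewer, athleteId, storage) {
  if (!canEditContacts(viewer, athleteId)) return { status: 403 };
  const [op, status] = OPS[method];
  storage[op](athleteId);
  return { status };
}

// Constructed viewer fixtures; 'ath-1' is the profile being edited.
const VIEWERS = {
  owner: { id: 'ath-1', role: 'athlete', athleteIds: [] },
  coach: { id: 'u-2', role: 'coach', athleteIds: ['ath-1'] },
  coordinator: { id: 'u-3', role: 'coordinator', athleteIds: ['ath-1'] },
  parentOfConnected: { id: 'u-4', role: 'parent', athleteIds: ['ath-2'] },
  unrelated: { id: 'u-5', role: 'athlete', athleteIds: [] },
};

// Runs every method x viewer pair against a fresh mock storage.
function runMatrix() {
  const rows = [];
  for (const method of Object.keys(OPS)) {
    for (const [name, viewer] of Object.entries(VIEWERS)) {
      const storage = mockStorage();
      const { status } = handle(method, viewer, 'ath-1', storage);
      rows.push({ method, name, status, storageCalls: storage.calls.length });
    }
  }
  return rows;
}

// Rows that break the contract: allowed viewers must reach storage exactly
// once, denied viewers must get 403 with zero storage calls.
function violations(rows, allowed = ['owner', 'coach', 'coordinator']) {
  return rows.filter((r) => allowed.includes(r.name)
    ? r.status === 403 || r.storageCalls !== 1
    : r.status !== 403 || r.storageCalls !== 0);
}
```

Asserting on the mock's call count as well as the status code catches a refactor that returns 403 only after the write has already happened.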