package web
import (
"context"
"errors"
"net/http"
"net/http/httptest"
"net/url"
"os"
"strings"
"testing"
"time"
"backend/internal/auth"
"backend/internal/db/sqlc"
"backend/templates"
"github.com/google/uuid"
"github.com/jackc/pgx/v5"
"github.com/jackc/pgx/v5/pgtype"
)
func newEventTestRouter(q *sqlc.Queries, store *auth.Store) http.Handler {
authDeps := AuthDeps{Queries: q, Store: store, Secure: false}
tabloDeps := TablosDeps{Queries: q}
taskDeps := TasksDeps{Queries: q}
etapeDeps := EtapesDeps{Queries: q}
eventDeps := EventsDeps{Queries: q}
router, err := NewRouter(stubPinger{}, os.DirFS("./static"), authDeps, tabloDeps, taskDeps, etapeDeps, eventDeps, FilesDeps{Queries: q}, testCSRFKey, "dev", "localhost")
if err != nil {
panic("newEventTestRouter: " + err.Error())
}
return router
}
func insertEventTestTablo(t *testing.T, ctx context.Context, q *sqlc.Queries, user sqlc.User, title string) sqlc.Tablo {
t.Helper()
tablo, err := q.InsertTablo(ctx, sqlc.InsertTabloParams{
UserID: user.ID,
Title: title,
Description: pgtype.Text{Valid: false},
Color: pgtype.Text{Valid: false},
})
if err != nil {
t.Fatalf("InsertTablo: %v", err)
}
return tablo
}
func sessionCookieForUser(t *testing.T, ctx context.Context, store *auth.Store, user sqlc.User) *http.Cookie {
t.Helper()
cookieVal, _, err := store.Create(ctx, user.ID)
if err != nil {
t.Fatalf("store.Create: %v", err)
}
return &http.Cookie{Name: auth.SessionCookieName, Value: cookieVal}
}
func eventTestDate(t *testing.T, raw string) pgtype.Date {
t.Helper()
parsed, err := time.Parse("2006-01-02", raw)
if err != nil {
t.Fatalf("eventTestDate(%q): %v", raw, err)
}
return pgtype.Date{Time: parsed, Valid: true}
}
func eventTestTime(t *testing.T, raw string) pgtype.Time {
t.Helper()
parsed, err := time.Parse("15:04", raw)
if err != nil {
t.Fatalf("eventTestTime(%q): %v", raw, err)
}
micros := int64(parsed.Hour())*int64(time.Hour/time.Microsecond) + int64(parsed.Minute())*int64(time.Minute/time.Microsecond)
return pgtype.Time{Microseconds: micros, Valid: true}
}
func insertEventTestEvent(t *testing.T, ctx context.Context, q *sqlc.Queries, tabloID uuid.UUID, title, date, start, end, location, description string) sqlc.Event {
t.Helper()
var endTime pgtype.Time
if end != "" {
endTime = eventTestTime(t, end)
}
event, err := q.CreateEvent(ctx, sqlc.CreateEventParams{
TabloID: tabloID,
Title: title,
EventDate: eventTestDate(t, date),
StartTime: eventTestTime(t, start),
EndTime: endTime,
Description: pgtype.Text{String: description, Valid: description != ""},
Location: pgtype.Text{String: location, Valid: location != ""},
})
if err != nil {
t.Fatalf("CreateEvent: %v", err)
}
return event
}
func TestEventsTabRendersMonthGrid(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventsgrid@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Events Grid Tablo")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", nil)
req.Header.Set("HX-Request", "true")
req.AddCookie(sessionCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("GET /tablos/{id}/events status = %d; want 200", rec.Code)
}
body := rec.Body.String()
for _, want := range []string{"Events", "May 2026", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun", "New event"} {
if !strings.Contains(body, want) {
t.Errorf("events calendar missing %q; body: %.800s", want, body)
}
}
}
func TestEventCreateRendersTitleInCalendar(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventcreate@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Event Create Tablo")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
csrfToken, csrfCookies := getCSRFToken(t, router, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", []*http.Cookie{sessionCookie})
form := url.Values{
"title": {"Kickoff"},
"event_date": {"2026-05-20"},
"start_time": {"09:30"},
"end_time": {""},
"location": {"Office"},
"description": {"Planning"},
"_csrf": {csrfToken},
}
req := httptest.NewRequest(http.MethodPost, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", strings.NewReader(form.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
for _, c := range csrfCookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("POST /tablos/{id}/events status = %d; want 200; body: %.500s", rec.Code, rec.Body.String())
}
if !strings.Contains(rec.Body.String(), "Kickoff") {
t.Fatalf("created event title missing from refreshed calendar; body: %.800s", rec.Body.String())
}
}
func TestEventCreateRejectsEndTimeBeforeOrEqualStart(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventinvalid@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Event Invalid Tablo")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
csrfToken, csrfCookies := getCSRFToken(t, router, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", []*http.Cookie{sessionCookie})
form := url.Values{
"title": {"Invalid"},
"event_date": {"2026-05-20"},
"start_time": {"10:00"},
"end_time": {"10:00"},
"_csrf": {csrfToken},
}
req := httptest.NewRequest(http.MethodPost, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", strings.NewReader(form.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
for _, c := range csrfCookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusUnprocessableEntity {
t.Fatalf("invalid event create status = %d; want 422", rec.Code)
}
if !strings.Contains(rec.Body.String(), "End time must be after the start time.") {
t.Fatalf("validation copy missing; body: %.800s", rec.Body.String())
}
}
func TestEventsTabOwnershipReturns404(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
owner := preInsertUser(t, ctx, q, "eventsowner@example.com", "correct-horse-12")
nonOwner := preInsertUser(t, ctx, q, "eventsnonowner@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, owner, "Private Events Tablo")
nonOwnerCookie := sessionCookieForUser(t, ctx, store, nonOwner)
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", nil)
req.AddCookie(nonOwnerCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusNotFound {
t.Fatalf("non-owner GET /tablos/{id}/events status = %d; want 404", rec.Code)
}
}
func TestEventEditRendersInlineForm(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventedit@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Event Edit Tablo")
event := insertEventTestEvent(t, ctx, q, tablo.ID, "Planning Review", "2026-05-21", "09:30", "10:30", "Studio", "Discuss schedule")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events/"+event.ID.String()+"/edit?month=2026-05", nil)
req.Header.Set("HX-Request", "true")
req.AddCookie(sessionCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("GET event edit status = %d; want 200; body: %.500s", rec.Code, rec.Body.String())
}
body := rec.Body.String()
for _, want := range []string{"Save event changes", "Planning Review", "2026-05-21", "09:30", "Studio", "Discuss schedule"} {
if !strings.Contains(body, want) {
t.Errorf("edit form missing %q; body: %.800s", want, body)
}
}
}
func TestEventUpdateChangesCalendarPlacement(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventupdate@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Event Update Tablo")
event := insertEventTestEvent(t, ctx, q, tablo.ID, "Original Review", "2026-05-21", "09:30", "", "Studio", "Discuss schedule")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
csrfToken, csrfCookies := getCSRFToken(t, router, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", []*http.Cookie{sessionCookie})
form := url.Values{
"title": {"Moved Review"},
"event_date": {"2026-05-24"},
"start_time": {"14:15"},
"end_time": {"15:00"},
"location": {"HQ"},
"description": {"Updated details"},
"_csrf": {csrfToken},
}
req := httptest.NewRequest(http.MethodPost, "/tablos/"+tablo.ID.String()+"/events/"+event.ID.String()+"?month=2026-05", strings.NewReader(form.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
for _, c := range csrfCookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("POST event update status = %d; want 200; body: %.500s", rec.Code, rec.Body.String())
}
body := rec.Body.String()
if !strings.Contains(body, "Moved Review") {
t.Fatalf("updated event title missing from refreshed calendar; body: %.800s", body)
}
if strings.Contains(body, "Original Review") {
t.Fatalf("old event title still present after update; body: %.800s", body)
}
}
func TestEventUpdateRejectsInvalidEndTime(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventupdateinvalid@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Event Update Invalid Tablo")
event := insertEventTestEvent(t, ctx, q, tablo.ID, "Invalid Update", "2026-05-21", "09:30", "", "", "")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
csrfToken, csrfCookies := getCSRFToken(t, router, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", []*http.Cookie{sessionCookie})
form := url.Values{
"title": {"Invalid Update"},
"event_date": {"2026-05-21"},
"start_time": {"10:00"},
"end_time": {"10:00"},
"_csrf": {csrfToken},
}
req := httptest.NewRequest(http.MethodPost, "/tablos/"+tablo.ID.String()+"/events/"+event.ID.String()+"?month=2026-05", strings.NewReader(form.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
for _, c := range csrfCookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusUnprocessableEntity {
t.Fatalf("invalid event update status = %d; want 422", rec.Code)
}
if !strings.Contains(rec.Body.String(), "End time must be after the start time.") {
t.Fatalf("validation copy missing; body: %.800s", rec.Body.String())
}
}
func TestEventDeleteRemovesFromCalendarAndDatabase(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventdelete@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Event Delete Tablo")
event := insertEventTestEvent(t, ctx, q, tablo.ID, "Delete Me", "2026-05-21", "09:30", "", "", "")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
csrfToken, csrfCookies := getCSRFToken(t, router, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", []*http.Cookie{sessionCookie})
confirmReq := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events/"+event.ID.String()+"/delete-confirm?month=2026-05", nil)
confirmReq.Header.Set("HX-Request", "true")
confirmReq.AddCookie(sessionCookie)
confirmRec := httptest.NewRecorder()
router.ServeHTTP(confirmRec, confirmReq)
if confirmRec.Code != http.StatusOK {
t.Fatalf("GET delete confirm status = %d; want 200; body: %.500s", confirmRec.Code, confirmRec.Body.String())
}
if !strings.Contains(confirmRec.Body.String(), "Delete event?") {
t.Fatalf("delete confirmation copy missing; body: %.800s", confirmRec.Body.String())
}
form := url.Values{"_csrf": {csrfToken}}
req := httptest.NewRequest(http.MethodPost, "/tablos/"+tablo.ID.String()+"/events/"+event.ID.String()+"/delete?month=2026-05", strings.NewReader(form.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
for _, c := range csrfCookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("POST event delete status = %d; want 200; body: %.500s", rec.Code, rec.Body.String())
}
if strings.Contains(rec.Body.String(), "Delete Me") {
t.Fatalf("deleted event title still present in refreshed calendar; body: %.800s", rec.Body.String())
}
_, err := q.GetEventByID(ctx, sqlc.GetEventByIDParams{ID: event.ID, TabloID: tablo.ID})
if !errors.Is(err, pgx.ErrNoRows) {
t.Fatalf("GetEventByID after delete err = %v; want pgx.ErrNoRows", err)
}
}
func TestEventMutationOwnershipReturns404(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
owner := preInsertUser(t, ctx, q, "eventmutationowner@example.com", "correct-horse-12")
nonOwner := preInsertUser(t, ctx, q, "eventmutationnonowner@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, owner, "Private Mutation Tablo")
event := insertEventTestEvent(t, ctx, q, tablo.ID, "Private Event", "2026-05-21", "09:30", "", "", "")
nonOwnerCookie := sessionCookieForUser(t, ctx, store, nonOwner)
csrfToken, csrfCookies := getCSRFToken(t, router, "/tablos/new", []*http.Cookie{nonOwnerCookie})
getPaths := []string{
"/tablos/" + tablo.ID.String() + "/events/" + event.ID.String() + "/edit?month=2026-05",
"/tablos/" + tablo.ID.String() + "/events/" + event.ID.String() + "/delete-confirm?month=2026-05",
}
for _, path := range getPaths {
req := httptest.NewRequest(http.MethodGet, path, nil)
req.AddCookie(nonOwnerCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusNotFound {
t.Fatalf("non-owner GET %s status = %d; want 404", path, rec.Code)
}
}
postBodies := map[string]url.Values{
"/tablos/" + tablo.ID.String() + "/events/" + event.ID.String() + "?month=2026-05": {
"title": {"Private Event"},
"event_date": {"2026-05-21"},
"start_time": {"09:30"},
"_csrf": {csrfToken},
},
"/tablos/" + tablo.ID.String() + "/events/" + event.ID.String() + "/delete?month=2026-05": {
"_csrf": {csrfToken},
},
}
for path, form := range postBodies {
req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(form.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
for _, c := range csrfCookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusNotFound {
t.Fatalf("non-owner POST %s status = %d; want 404", path, rec.Code)
}
}
}
func TestEventsMonthNavigationPushesMonthParam(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventnav@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Event Navigation Tablo")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", nil)
req.Header.Set("HX-Request", "true")
req.AddCookie(sessionCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("GET events month status = %d; want 200", rec.Code)
}
body := rec.Body.String()
for _, want := range []string{"month=2026-04", "month=2026-06", "Previous month: April 2026", "Next month: June 2026"} {
if !strings.Contains(body, want) {
t.Errorf("month navigation missing %q; body: %.800s", want, body)
}
}
}
func TestEventNewFromDayPrefillsDate(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventprefill@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Event Prefill Tablo")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events/new?date=2026-05-20&month=2026-05", nil)
req.Header.Set("HX-Request", "true")
req.AddCookie(sessionCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("GET event new status = %d; want 200", rec.Code)
}
if !strings.Contains(rec.Body.String(), `value="2026-05-20"`) {
t.Fatalf("date input was not prefilled from day query; body: %.800s", rec.Body.String())
}
}
func TestEventCreateSubmittedDateOverridesQueryDefault(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventsubmitteddate@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Submitted Date Tablo")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
csrfToken, csrfCookies := getCSRFToken(t, router, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", []*http.Cookie{sessionCookie})
form := url.Values{
"title": {"Submitted Date"},
"event_date": {"2026-05-21"},
"start_time": {"09:30"},
"_csrf": {csrfToken},
}
req := httptest.NewRequest(http.MethodPost, "/tablos/"+tablo.ID.String()+"/events?date=2026-05-20&month=2026-05", strings.NewReader(form.Encode()))
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
for _, c := range csrfCookies {
req.AddCookie(c)
}
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("POST event create status = %d; want 200; body: %.500s", rec.Code, rec.Body.String())
}
events, err := q.ListEventsByTabloRange(ctx, sqlc.ListEventsByTabloRangeParams{
TabloID: tablo.ID,
EventDate: eventTestDate(t, "2026-05-01"),
EventDate_2: eventTestDate(t, "2026-05-31"),
})
if err != nil {
t.Fatalf("ListEventsByTabloRange: %v", err)
}
if len(events) != 1 {
t.Fatalf("events len = %d; want 1", len(events))
}
if got := templates.FormatEventDate(events[0].EventDate); got != "2026-05-21" {
t.Fatalf("stored event date = %s; want 2026-05-21", got)
}
}
func TestEventsCalendarShowsMoreIndicator(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventoverflow@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Overflow Tablo")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
for i, title := range []string{"Overflow 1", "Overflow 2", "Overflow 3", "Overflow 4"} {
insertEventTestEvent(t, ctx, q, tablo.ID, title, "2026-05-20", "09:0"+string(rune('0'+i)), "", "", "")
}
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", nil)
req.Header.Set("HX-Request", "true")
req.AddCookie(sessionCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("GET events overflow status = %d; want 200", rec.Code)
}
body := rec.Body.String()
for _, want := range []string{"Overflow 1", "Overflow 2", "Overflow 3", "+1 more"} {
if !strings.Contains(body, want) {
t.Errorf("overflow calendar missing %q; body: %.800s", want, body)
}
}
if strings.Contains(body, "Overflow 4") {
t.Fatalf("fourth event title should be hidden behind overflow indicator; body: %.800s", body)
}
}
func TestListUserEventsRangeReturnsOnlyOwnedTablos(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
owner := preInsertUser(t, ctx, q, "eventrangeowner@example.com", "correct-horse-12")
other := preInsertUser(t, ctx, q, "eventrangeother@example.com", "correct-horse-12")
ownedTablo, err := q.InsertTablo(ctx, sqlc.InsertTabloParams{
UserID: owner.ID,
Title: "Owned Calendar",
Description: pgtype.Text{Valid: false},
Color: pgtype.Text{String: "#123abc", Valid: true},
})
if err != nil {
t.Fatalf("InsertTablo owned: %v", err)
}
foreignTablo := insertEventTestTablo(t, ctx, q, other, "Foreign Calendar")
insertEventTestEvent(t, ctx, q, ownedTablo.ID, "Owned Range Event", "2026-05-20", "09:30", "", "", "")
insertEventTestEvent(t, ctx, q, foreignTablo.ID, "Foreign Range Event", "2026-05-20", "09:30", "", "", "")
rows, err := q.ListUserEventsRange(ctx, sqlc.ListUserEventsRangeParams{
UserID: owner.ID,
StartDate: eventTestDate(t, "2026-05-01"),
EndDate: eventTestDate(t, "2026-05-31"),
})
if err != nil {
t.Fatalf("ListUserEventsRange: %v", err)
}
if len(rows) != 1 {
t.Fatalf("rows len = %d; want 1", len(rows))
}
row := rows[0]
if row.Title != "Owned Range Event" {
t.Fatalf("row title = %q; want Owned Range Event", row.Title)
}
if row.TabloTitle != "Owned Calendar" {
t.Fatalf("row tablo title = %q; want Owned Calendar", row.TabloTitle)
}
if !row.TabloColor.Valid || row.TabloColor.String != "#123abc" {
t.Fatalf("row tablo color = %#v; want #123abc", row.TabloColor)
}
}
func TestTabloDetailEventsTabFullPageFallback(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventfullpage@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Events Full Page Tablo")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", nil)
req.AddCookie(sessionCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("GET full events page status = %d; want 200; body: %.500s", rec.Code, rec.Body.String())
}
body := rec.Body.String()
for _, want := range []string{"Back to tablos", "Overview", "Tasks", "Files", "Events", "May 2026", `id="tab-content"`} {
if !strings.Contains(body, want) {
t.Errorf("full events page missing %q; body: %.800s", want, body)
}
}
}
func TestEventContentIsEscaped(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventescaped@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Escaped Event Tablo")
insertEventTestEvent(t, ctx, q, tablo.ID, "", "2026-05-20", "09:30", "", "", "")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", nil)
req.Header.Set("HX-Request", "true")
req.AddCookie(sessionCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("GET escaped event status = %d; want 200; body: %.500s", rec.Code, rec.Body.String())
}
body := rec.Body.String()
if strings.Contains(body, "") {
t.Fatalf("event title rendered as raw script; body: %.800s", body)
}
if !strings.Contains(body, "<script>alert(1)</script>") {
t.Fatalf("escaped event title missing; body: %.800s", body)
}
}
func TestEventWithoutEndTimeDisplaysOnlyStartTime(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventnoend@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "No End Event Tablo")
event := insertEventTestEvent(t, ctx, q, tablo.ID, "Open End", "2026-05-20", "09:30", "", "", "")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events/"+event.ID.String()+"/edit?month=2026-05", nil)
req.Header.Set("HX-Request", "true")
req.AddCookie(sessionCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("GET event edit status = %d; want 200; body: %.500s", rec.Code, rec.Body.String())
}
body := rec.Body.String()
if !strings.Contains(body, `name="start_time" value="09:30"`) {
t.Fatalf("start time missing for event without end time; body: %.800s", body)
}
if strings.Contains(body, "09:30-") || strings.Contains(body, "09:30 –") {
t.Fatalf("event without end time rendered an inferred range; body: %.800s", body)
}
}
func TestEventsOrderedByStartTimeThenTitle(t *testing.T) {
pool, cleanup := setupTestDB(t)
defer cleanup()
ctx := context.Background()
q := sqlc.New(pool)
store := auth.NewStore(q)
router := newEventTestRouter(q, store)
user := preInsertUser(t, ctx, q, "eventorder@example.com", "correct-horse-12")
tablo := insertEventTestTablo(t, ctx, q, user, "Ordered Events Tablo")
insertEventTestEvent(t, ctx, q, tablo.ID, "Beta", "2026-05-20", "10:00", "", "", "")
insertEventTestEvent(t, ctx, q, tablo.ID, "Gamma", "2026-05-20", "09:00", "", "", "")
insertEventTestEvent(t, ctx, q, tablo.ID, "Alpha", "2026-05-20", "09:00", "", "", "")
sessionCookie := sessionCookieForUser(t, ctx, store, user)
req := httptest.NewRequest(http.MethodGet, "/tablos/"+tablo.ID.String()+"/events?month=2026-05", nil)
req.Header.Set("HX-Request", "true")
req.AddCookie(sessionCookie)
rec := httptest.NewRecorder()
router.ServeHTTP(rec, req)
if rec.Code != http.StatusOK {
t.Fatalf("GET ordered events status = %d; want 200; body: %.500s", rec.Code, rec.Body.String())
}
body := rec.Body.String()
alpha := strings.Index(body, "Alpha")
gamma := strings.Index(body, "Gamma")
beta := strings.Index(body, "Beta")
if alpha == -1 || gamma == -1 || beta == -1 {
t.Fatalf("ordered event titles missing; Alpha=%d Gamma=%d Beta=%d body: %.800s", alpha, gamma, beta, body)
}
if !(alpha < gamma && gamma < beta) {
t.Fatalf("events not ordered by start time then title; Alpha=%d Gamma=%d Beta=%d body: %.800s", alpha, gamma, beta, body)
}
}