test(policy): guard createMongoAbility builder + clarify v7 migration note

PierreBrisorgueil · PierreBrisorgueil · commit 3039d2c4c733 · 2026-05-22T15:24:43.000+02:00
Review (Copilot): the policy unit-test mock did not export createMongoAbility nor assert the builder is seeded with it, so the #3693 auth regression could silently return. Mock createMongoAbility + assert new AbilityBuilder(createMongoAbility). Also corrects the MIGRATIONS wording: v7 renames PureAbility→Ability (the class isn't removed); only its default conditions matcher is dropped.
diff --git a/MIGRATIONS.md b/MIGRATIONS.md
@@ -10,7 +10,7 @@ Breaking changes and upgrade notes for downstream projects.
 
 ### What changed (this repo)
 
-- **`lib/middlewares/policy.js`** — v7 renames `PureAbility` to `Ability` and **drops the default conditions matcher** from it; the historical MongoDB-matching `Ability` class no longer exists. `defineAbilityFor()` now builds via `createMongoAbility`:
+- **`lib/middlewares/policy.js`** — v7 renames `PureAbility` to `Ability` and **drops its default conditions matcher**, so the `Ability` export no longer does MongoDB-style condition matching out of the box (`createMongoAbility` is the replacement for the old behavior). `defineAbilityFor()` now builds via `createMongoAbility`:
   ```js
   // before (v6)
   const { AbilityBuilder, Ability } = await import('@casl/ability');
diff --git a/lib/middlewares/tests/policy.unit.tests.js b/lib/middlewares/tests/policy.unit.tests.js
@@ -24,6 +24,7 @@ jest.unstable_mockModule('@casl/ability', () => ({
     build: jest.fn().mockReturnValue({ can: jest.fn().mockReturnValue(true) }),
   })),
   Ability: jest.fn(),
+  createMongoAbility: jest.fn(),
   subject: jest.fn((type, doc) => doc),
 }));
 
@@ -69,4 +70,12 @@ describe('policy discoverPolicies unit tests:', () => {
       expect.stringContaining('exports abilities/guestAbilities but no SubjectRegistration'),
     );
   });
+
+  test('defineAbilityFor builds via createMongoAbility (v7 — guards the #3693 auth regression)', async () => {
+    // v7 drops the conditions matcher from the `Ability` export; the builder must be
+    // seeded with createMongoAbility or Mongo-style conditions ({ _id }, ...) stop matching.
+    const { AbilityBuilder, createMongoAbility } = await import('@casl/ability');
+    await policy.defineAbilityFor({ _id: 'u1', roles: ['user'] }, null);
+    expect(AbilityBuilder).toHaveBeenCalledWith(createMongoAbility);
+  });
 });
