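/// <summary>
/// Authorisation coverage for <c>controller.GetCustomer</c>: which customer codes each
/// kind of caller (admin, regular user, branch admin, internal user) may resolve.
/// The caller is selected by the user id placed in the "jwt" Authorization header; how
/// that id maps onto <c>mockData.Users</c> is fixture behaviour
/// (<c>Utils.CreateAdminAndUser</c>) that this test assumes — confirm against Utils.
/// </summary>
public void GetCustomer()
{
    var mockData = Utils.CreateAdminAndUser();
    mockData.Customers = new List<Customer>
    {
        new Customer { code = "c1", address6 = "" },
        new Customer { code = "c2", invoice_customer = "c3" },
        new Customer { code = "c3" },
    };
    // id 3: branch admin attached to c3; id 4: internal user carrying only the User role.
    mockData.Users.Add(new User { id = 3, customer_code = "c3", Roles = new List<Role> { new Role { id = Role.BranchAdmin } } });
    mockData.Users.Add(new User { id = 4, Roles = new List<Role> { new Role { id = Role.User } }, isInternal = true });
    unitOfWork.Data = mockData;

    // Impersonate a user by id for the controller calls that follow.
    void ActAs(string userId) =>
        controller.Request.Headers.Authorization = new AuthenticationHeaderValue("jwt", userId);

    // Every customer in the fixture must resolve for the current caller.
    void AssertReachesAllCustomers() =>
        Assert.IsTrue(mockData.Customers.All(c => controller.GetCustomer(c.code) != null));

    // Caller "1" (assumed to be the admin created by the fixture): a known code is expected
    // to resolve even with trailing whitespace; an unknown code yields null, not an exception.
    ActAs("1");
    Assert.IsNotNull(controller.GetCustomer("c1 "));
    Assert.IsNull(controller.GetCustomer("c4"));

    // Assumed fixture layout: Users[0] is the admin and Users[1] the regular user, so the
    // branch admin added above lands at Users[2] — verify against Utils.CreateAdminAndUser.
    var regularUser = mockData.Users[1];
    var branchAdmin = mockData.Users[2];

    // A regular user may resolve only its own customer.
    ActAs("2");
    var otherCustomerCode = mockData.Users
        .FirstOrDefault(u => u.customer_code != regularUser.customer_code)?.customer_code;
    // Guard: a null foreign code would make the IsNull check below pass without the
    // authorisation rule ever being exercised.
    Assert.IsNotNull(otherCustomerCode);
    Assert.IsNull(controller.GetCustomer(otherCustomerCode));
    Assert.IsNotNull(controller.GetCustomer(regularUser.customer_code));

    // Admin reaches any customer.
    ActAs("1");
    AssertReachesAllCustomers();

    // Branch admin should get customer 2 and 3 (its own customer and the regular user's),
    // but not the admin's customer.
    ActAs("3");
    Assert.IsNotNull(controller.GetCustomer(branchAdmin.customer_code));
    Assert.IsNotNull(controller.GetCustomer(regularUser.customer_code));
    Assert.IsNull(controller.GetCustomer(mockData.Users[0].customer_code));

    // Internal user is treated like admin: any customer resolves.
    ActAs("4");
    AssertReachesAllCustomers();
}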