test node controller ownership checks

add failing tests asserting 403 when a non-owner tries to
read or write nodes on another user's text, plus admin
bypass. existing tests now attach a session user to mirror
the new controller signature.

tests/e2e/Controllers/BulkCreateNodesControllerTest.php

@@ -7,6 +7,7 @@ use App\Node\NodeController;
 use App\Node\UseCases\BulkCreateNodes;
 use App\Text\CreateTextDto;
 use App\User\UseCases\CreateUserDto;
+use App\User\User;
 use App\ValueObjects\EmailAddress;
 use PHPUnit\Framework\TestCase;
 use Psr\Http\Message\ServerRequestInterface;
@@ -23,19 +24,32 @@ class BulkCreateNodesControllerTest extends TestCase
     private FakeNodeRepository $nodeRepo;
     private BulkCreateNodes $useCase;
     private NodeController $controller;
+    private User $user;
+    private User $otherUser;
+    private User $admin;
 
     public function setUp(): void
     {
         $userRepo = new FakeUserRepository();
-        $user = $userRepo->create(new CreateUserDto(
+        $this->user = $userRepo->create(new CreateUserDto(
             email: new EmailAddress('a@b.com'),
             passwordHash: '',
             isAdmin: false,
         ));
+        $this->otherUser = $userRepo->create(new CreateUserDto(
+            email: new EmailAddress('other@b.com'),
+            passwordHash: '',
+            isAdmin: false,
+        ));
+        $this->admin = $userRepo->create(new CreateUserDto(
+            email: new EmailAddress('admin@b.com'),
+            passwordHash: '',
+            isAdmin: true,
+        ));
         $this->textRepo = new FakeTextRepository();
         $text = $this->textRepo->create(new CreateTextDto(
             name: 'test text',
-            user: $user,
+            user: $this->user,
         ));
 
         $this->nodeRepo = new FakeNodeRepository();
@@ -54,13 +68,17 @@ class BulkCreateNodesControllerTest extends TestCase
         );
     }
 
-    private function makeRequest(array $data): ServerRequestInterface
-    {
+    private function makeRequest(
+        array $data,
+        ?User $user = null,
+    ): ServerRequestInterface {
         $body = new StreamFactory()->createStream(json_encode($data));
-        return new ServerRequestFactory()
+        $request = new ServerRequestFactory()
             ->createServerRequest('POST', 'http://localhost/api/nodes/bulk')
             ->withHeader('Content-Type', 'application/json')
             ->withBody($body);
+        $sessionUser = $user ?? $this->user;
+        return $request->withAttribute('user', $sessionUser);
     }
 
     public function test_bulk_create_nodes_returns_201_with_created_nodes(): void
@@ -227,4 +245,42 @@ class BulkCreateNodesControllerTest extends TestCase
 
         $this->assertEquals(404, $response->getStatusCode());
     }
+
+    public function test_bulk_create_nodes_returns_403_when_not_owner(): void
+    {
+        $response = $this->controller->bulkCreateNodes(
+            $this->makeRequest(
+                [
+                    'textId' => 0,
+                    'parentNodeId' => 0,
+                    'titlePrefix' => 'Page',
+                    'count' => 3,
+                ],
+                $this->otherUser,
+            ),
+            new Response(),
+            $this->useCase,
+        );
+
+        $this->assertEquals(403, $response->getStatusCode());
+    }
+
+    public function test_bulk_create_nodes_allows_admin_on_any_text(): void
+    {
+        $response = $this->controller->bulkCreateNodes(
+            $this->makeRequest(
+                [
+                    'textId' => 0,
+                    'parentNodeId' => 0,
+                    'titlePrefix' => 'Page',
+                    'count' => 2,
+                ],
+                $this->admin,
+            ),
+            new Response(),
+            $this->useCase,
+        );
+
+        $this->assertEquals(201, $response->getStatusCode());
+    }
 }