actingAs($user); Filament::setTenant(null, true); expect(EntraGroupResource::getUrl(panel: 'admin')) ->not->toContain('/entra-groups'); $this->withSession([ WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id, ])->get('/admin/entra-groups') ->assertNotFound(); }); it('scopes the admin group list to the canonical tenant context', function (): void { $tenantA = ManagedEnvironment::factory()->create(); [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner'); $tenantB = ManagedEnvironment::factory()->create([ 'workspace_id' => (int) $tenantA->workspace_id, ]); createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner'); $groupA = EntraGroup::factory()->for($tenantA)->create([ 'display_name' => 'Remembered tenant group', ]); EntraGroup::factory()->for($tenantB)->create([ 'display_name' => 'Other tenant group', ]); $this->actingAs($user); Filament::setTenant(null, true); $url = EntraGroupResource::getUrl(panel: 'admin', tenant: $tenantA); expect($url) ->toContain('/admin/workspaces/') ->toContain('/environments/') ->toContain('/entra-groups') ->not->toContain('/admin/t/') ->not->toBe('/admin/entra-groups'); $this->withSession([ WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id, WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [ (string) $tenantA->workspace_id => (int) $tenantA->getKey(), ], ])->get($url) ->assertOk() ->assertSee((string) $groupA->display_name) ->assertDontSee('Other tenant group'); }); it('returns not found for admin direct group detail outside the canonical tenant scope', function (): void { $tenantA = ManagedEnvironment::factory()->create(); [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner'); $tenantB = ManagedEnvironment::factory()->create([ 'workspace_id' => (int) $tenantA->workspace_id, ]); createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner'); $groupA = EntraGroup::factory()->for($tenantA)->create(); $groupB = EntraGroup::factory()->for($tenantB)->create(); $this->actingAs($user); Filament::setTenant(null, true); $session = [ WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id, WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [ (string) $tenantA->workspace_id => (int) $tenantA->getKey(), ], ]; $groupAUrl = EntraGroupResource::getUrl('view', ['record' => $groupA], panel: 'admin', tenant: $tenantA); $groupBUrl = EntraGroupResource::getUrl('view', ['record' => $groupB], panel: 'admin', tenant: $tenantA); expect($groupAUrl) ->toContain('/admin/workspaces/') ->toContain('/environments/') ->not->toContain('/admin/t/'); $this->withSession($session) ->get($groupAUrl) ->assertOk(); $this->withSession($session) ->get($groupBUrl) ->assertNotFound(); }); it('returns not found when the remembered admin tenant belongs to another workspace', function (): void { $tenantA = ManagedEnvironment::factory()->create(); [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner'); $tenantB = ManagedEnvironment::factory()->create(); createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner'); EntraGroup::factory()->for($tenantB)->create([ 'display_name' => 'Cross workspace remembered group', ]); $this->actingAs($user); Filament::setTenant(null, true); $mismatchedWorkspaceUrl = EntraGroupResource::getUrl( parameters: ['workspace' => $tenantA->workspace], panel: 'admin', tenant: $tenantB, ); expect($mismatchedWorkspaceUrl) ->toContain('/entra-groups') ->not->toContain('/admin/t/'); $this->withSession([ WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id, WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [ (string) $tenantA->workspace_id => (int) $tenantB->getKey(), ], ])->get($mismatchedWorkspaceUrl) ->assertNotFound(); }); it('keeps persisted admin group search inside the remembered canonical tenant after tenant changes', function (): void { $tenantA = ManagedEnvironment::factory()->create(); [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner'); $tenantB = ManagedEnvironment::factory()->create([ 'workspace_id' => (int) $tenantA->workspace_id, ]); createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner'); $groupA = EntraGroup::factory()->for($tenantA)->create([ 'display_name' => 'Shared Search Group', ]); $groupB = EntraGroup::factory()->for($tenantB)->create([ 'display_name' => 'Shared Search Group', ]); $this->actingAs($user); Filament::setCurrentPanel('admin'); Filament::setTenant(null, true); Filament::bootCurrentPanel(); session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id); session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [ (string) $tenantA->workspace_id => (int) $tenantA->getKey(), ]); Livewire::actingAs($user)->test(ListEntraGroups::class) ->searchTable('Shared Search') ->assertCanSeeTableRecords([$groupA]) ->assertCanNotSeeTableRecords([$groupB]); session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [ (string) $tenantA->workspace_id => (int) $tenantB->getKey(), ]); Livewire::actingAs($user)->test(ListEntraGroups::class) ->assertSet('tableSearch', 'Shared Search') ->assertCanSeeTableRecords([$groupB]) ->assertCanNotSeeTableRecords([$groupA]); });