create(); $user = User::factory()->create(); $this->actingAs($user) ->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()]) ->get(CustomerReviewWorkspace::getUrl(panel: 'admin')) ->assertNotFound(); }); it('returns 404 for workspace members that have no tenant review visibility in the active workspace', function (): void { $workspace = Workspace::factory()->create(); $user = User::factory()->create(); WorkspaceMembership::factory()->create([ 'workspace_id' => (int) $workspace->getKey(), 'user_id' => (int) $user->getKey(), 'role' => 'owner', ]); $this->actingAs($user) ->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()]) ->get(CustomerReviewWorkspace::getUrl(panel: 'admin')) ->assertNotFound(); }); it('allows entitled workspace members to access the customer review workspace', function (): void { $tenant = Tenant::factory()->create(); [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly'); $this->actingAs($user) ->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id]) ->get(CustomerReviewWorkspace::getUrl(panel: 'admin')) ->assertOk(); }); it('returns 404 for explicit out-of-scope tenant targeting on the customer review workspace', function (): void { $tenantAllowed = Tenant::factory()->create(['name' => 'Allowed Tenant']); [$user, $tenantAllowed] = createUserWithTenant(tenant: $tenantAllowed, role: 'readonly'); $tenantDenied = Tenant::factory()->create([ 'workspace_id' => (int) $tenantAllowed->workspace_id, 'name' => 'Denied Tenant', ]); $otherOwner = User::factory()->create(); createUserWithTenant(tenant: $tenantDenied, user: $otherOwner, role: 'owner'); $this->actingAs($user) ->withSession([WorkspaceContext::SESSION_KEY => (int) $tenantAllowed->workspace_id]) ->get(CustomerReviewWorkspace::getUrl(panel: 'admin').'?tenant='.(string) $tenantDenied->getKey()) ->assertNotFound(); });