create(); $user = User::factory()->create(); $tenant->users()->attach($user); $run = OperationRun::create([ 'tenant_id' => $tenant->id, 'type' => 'policy.sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'System', 'run_identity_hash' => 'hash123', ]); $this->actingAs($user) ->get(OperationRunResource::getUrl('index', tenant: $tenant)) ->assertSuccessful() ->assertSee('Policy sync'); }); it('renders monitoring pages DB-only (never calls Graph)', function () { $tenant = Tenant::factory()->create(); $user = User::factory()->create(); $tenant->users()->attach($user); $run = OperationRun::create([ 'tenant_id' => $tenant->id, 'type' => 'policy.sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'System', 'run_identity_hash' => 'hash123', ]); $this->mock(GraphClientInterface::class, function ($mock): void { $mock->shouldReceive('listPolicies')->never(); $mock->shouldReceive('getPolicy')->never(); $mock->shouldReceive('getOrganization')->never(); $mock->shouldReceive('applyPolicy')->never(); $mock->shouldReceive('getServicePrincipalPermissions')->never(); $mock->shouldReceive('request')->never(); }); $this->actingAs($user) ->get(OperationRunResource::getUrl('index', tenant: $tenant)) ->assertSuccessful(); $this->actingAs($user) ->get(OperationRunResource::getUrl('view', ['record' => $run], tenant: $tenant)) ->assertSuccessful(); }); it('shows runs only for current tenant', function () { $tenantA = Tenant::factory()->create(); $tenantB = Tenant::factory()->create(); $user = User::factory()->create(); $tenantA->users()->attach($user); // We must simulate being in tenant context $this->actingAs($user); // Filament::setTenant($tenantA); // This is usually handled by middleware on routes, but in Livewire test we might need manual set or route visit. // Easier approach: visit the page for tenantA OperationRun::create([ 'tenant_id' => $tenantA->id, 'type' => 'policy.sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'System', 'run_identity_hash' => 'hashA', ]); OperationRun::create([ 'tenant_id' => $tenantB->id, 'type' => 'inventory.sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'System', 'run_identity_hash' => 'hashB', ]); // Livewire::test needs to know the tenant if the component relies on it. // However, the component relies on `Filament::getTenant()`. // The cleanest way is to just GET the page URL, which runs middleware. $this->get(OperationRunResource::getUrl('index', tenant: $tenantA)) ->assertSee('Policy sync') ->assertDontSee('Inventory sync'); }); it('allows readonly users to view operations list and detail', function () { $tenant = Tenant::factory()->create(); $user = User::factory()->create(); $tenant->users()->attach($user, ['role' => 'readonly']); $run = OperationRun::create([ 'tenant_id' => $tenant->id, 'type' => 'policy.sync', 'status' => 'queued', 'outcome' => 'pending', 'initiator_name' => 'System', 'run_identity_hash' => 'hash123', ]); $this->actingAs($user) ->get(OperationRunResource::getUrl('index', tenant: $tenant)) ->assertSuccessful() ->assertSee('Policy sync'); $this->actingAs($user) ->get(OperationRunResource::getUrl('view', ['record' => $run], tenant: $tenant)) ->assertSuccessful() ->assertSee('Policy sync'); }); it('denies access to unauthorized users', function () { $tenant = Tenant::factory()->create(); $user = User::factory()->create(); // Not attached to tenant // In a multitenant app, if you try to access a tenant route you are not part of, // Filament typically returns 404 (Not Found) if it can't find the tenant-user relationship, or 403. // The previous fail said "Received 404". This confirms Filament couldn't find the tenant for this user scope or just hides it. // We should accept 404 or 403. $response = $this->actingAs($user) ->get(OperationRunResource::getUrl('index', tenant: $tenant)); // Allow either 403 or 404 as "Denied" $this->assertTrue(in_array($response->status(), [403, 404])); });