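create();
    $user = User::factory()->create();
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'owner',
    ]);
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    // An id that no draft has: the binding must fail closed with a 404, not leak
    // a different error shape to an in-scope member.
    $this->actingAs($user)
        ->get(route('admin.onboarding.draft', ['onboardingDraft' => 999999]))
        ->assertNotFound();
});

it('returns 404 when a draft is requested from a different selected workspace', function (): void {
    $workspaceA = Workspace::factory()->create();
    $workspaceB = Workspace::factory()->create();
    $ownerA = User::factory()->create();
    $userB = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspaceA->getKey(),
        'user_id' => (int) $ownerA->getKey(),
        'role' => 'owner',
    ]);

    // $userB is deliberately a member of BOTH workspaces. With membership in A
    // present, the 404 below can only be attributed to the selected-workspace
    // scope (the session key), not to a missing membership — the non-member
    // case is covered by its own test further down.
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspaceA->getKey(),
        'user_id' => (int) $userB->getKey(),
        'role' => 'owner',
    ]);
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspaceB->getKey(),
        'user_id' => (int) $userB->getKey(),
        'role' => 'owner',
    ]);

    // The draft lives in workspace A ...
    $draft = createOnboardingDraft([
        'workspace' => $workspaceA,
        'started_by' => $ownerA,
        'updated_by' => $ownerA,
    ]);

    // ... but workspace B is the one selected in the session.
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspaceB->getKey());

    $this->actingAs($userB)
        ->get(route('admin.onboarding.draft', ['onboardingDraft' => $draft->getKey()]))
        ->assertNotFound();
});

it('returns 404 when a non-member requests an onboarding draft route', function (): void {
    $workspace = Workspace::factory()->create();
    $owner = User::factory()->create();
    $nonMember = User::factory()->create();

    // Only $owner gets a membership; $nonMember has none in this workspace.
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $owner->getKey(),
        'role' => 'owner',
    ]);

    $draft = createOnboardingDraft([
        'workspace' => $workspace,
        'started_by' => $owner,
        'updated_by' => $owner,
    ]);

    // Even with the right workspace selected, a non-member must not learn that
    // the draft exists: 404 rather than 403.
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $this->actingAs($nonMember)
        ->get(route('admin.onboarding.draft', ['onboardingDraft' => $draft->getKey()]))
        ->assertNotFound();
});

it('returns 404 when the actor can access the workspace but lacks tenant entitlement for an identified draft', function (): void {
    $workspace = Workspace::factory()->create();
    $tenant = Tenant::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'status' => Tenant::STATUS_ONBOARDING,
    ]);
    $owner = User::factory()->create();
    $workspaceOnlyUser = User::factory()->create();

    // Both users are workspace owners, so workspace access is not the
    // differentiator here; only $owner is expected to hold tenant entitlement.
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $owner->getKey(),
        'role' => 'owner',
    ]);
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $workspaceOnlyUser->getKey(),
        'role' => 'owner',
    ]);

    // A draft tied to a specific tenant inside the workspace.
    $draft = createOnboardingDraft([
        'workspace' => $workspace,
        'tenant' => $tenant,
        'started_by' => $owner,
        'updated_by' => $owner,
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    // Tenant entitlement is part of resource visibility: missing it hides the
    // draft (404) instead of acknowledging it (403).
    $this->actingAs($workspaceOnlyUser)
        ->get(route('admin.onboarding.draft', ['onboardingDraft' => $draft->getKey()]))
        ->assertNotFound();
});

it('returns 403 for an in-scope member with tenant entitlement but without onboarding capability', function (): void {
    $workspace = Workspace::factory()->create();
    $tenant = Tenant::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'status' => Tenant::STATUS_ONBOARDING,
    ]);
    $readonlyUser = User::factory()->create();

    // Membership and tenant entitlement are granted, but only at 'readonly',
    // which is the level this test expects to lack the onboarding capability.
    createUserWithTenant(
        tenant: $tenant,
        user: $readonlyUser,
        role: 'readonly',
        workspaceRole: 'readonly',
        ensureDefaultMicrosoftProviderConnection: false,
    );

    $draft = createOnboardingDraft([
        'workspace' => $workspace,
        'tenant' => $tenant,
        'started_by' => $readonlyUser,
        'updated_by' => $readonlyUser,
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    // The draft is visible to this actor (in scope and entitled), so the
    // capability check is what fails: 403, not 404.
    $this->actingAs($readonlyUser)
        ->get(route('admin.onboarding.draft', ['onboardingDraft' => $draft->getKey()]))
        ->assertForbidden();
});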