create();
    $user = User::factory()->create();

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $this->actingAs($user)
        ->get('/admin/onboarding')
        ->assertNotFound();
});

// Authorization check: a workspace member whose role is 'readonly' is denied
// with 403 on both entry points to the onboarding wizard (the HTTP route and
// the Livewire component mount).
it('forbids workspace members without onboarding capability from loading the page or executing actions', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    // The user IS a member of the workspace, but only with the 'readonly' role.
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'readonly',
    ]);

    // Select that workspace as the active context for the session.
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    // Route-level check: a member gets 403 here, whereas the preceding test
    // expects 404 from the same route for its user.
    $this->actingAs($user)
        ->get('/admin/onboarding')
        ->assertForbidden();

    // Component-level check: mounting the wizard directly must be denied too,
    // so the route guard is not the only enforcement point.
    // NOTE(review): the test name also mentions "executing actions", but only
    // the page load and the component mount are asserted; no action is called.
    Livewire::actingAs($user)
        ->test(ManagedTenantOnboardingWizard::class)
        ->assertForbidden();
});

// Stale-context check: the wizard is mounted while workspace A is selected,
// then the session is switched to workspace B before an action is called.
// The action must answer 404 and must not modify the draft that belongs to A.
it('returns 404 for trusted actions when the selected workspace changes after mount', function (): void {
    $workspaceA = Workspace::factory()->create();
    $workspaceB = Workspace::factory()->create();
    $user = User::factory()->create();

    // Tenant owned by workspace A, still in the onboarding state.
    $tenant = Tenant::factory()->create([
        'workspace_id' => (int) $workspaceA->getKey(),
        'status' => Tenant::STATUS_ONBOARDING,
    ]);

    // Helper defined elsewhere; presumably attaches $user to the tenant and its
    // workspace with the 'owner' role, without creating a default Microsoft
    // provider connection - TODO confirm against the helper.
    createUserWithTenant(
        tenant: $tenant,
        user: $user,
        role: 'owner',
        workspaceRole: 'owner',
        ensureDefaultMicrosoftProviderConnection: false,
    );

    // The user is also an owner of workspace B, so the 404 expected below is
    // intended to exercise the workspace mismatch rather than a missing role.
    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspaceB->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'owner',
    ]);

    // Two provider connections, both belonging to workspace A and the same
    // tenant: the default one already stored in the draft, and a second one
    // the test will try to select.
    $firstConnection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $workspaceA->getKey(),
        'tenant_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
        'entra_tenant_id' => (string) $tenant->tenant_id,
        'display_name' => 'First connection',
        'is_default' => true,
    ]);

    $secondConnection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $workspaceA->getKey(),
        'tenant_id' => (int) $tenant->getKey(),
        'provider' => 'dummy',
        'entra_tenant_id' => (string) $tenant->tenant_id,
        'display_name' => 'Second connection',
        'is_default' => false,
    ]);

    // Draft in workspace A, positioned at the 'connection' step and pointing
    // at the first connection.
    $draft = createOnboardingDraft([
        'workspace' => $workspaceA,
        'tenant' => $tenant,
        'started_by' => $user,
        'updated_by' => $user,
        'current_step' => 'connection',
        'state' => [
            'entra_tenant_id' => (string) $tenant->tenant_id,
            'tenant_name' => (string) $tenant->name,
            'provider_connection_id' => (int) $firstConnection->getKey(),
        ],
    ]);

    // Mount the wizard while workspace A is the selected context.
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspaceA->getKey());

    $component = Livewire::actingAs($user)->test(ManagedTenantOnboardingWizard::class, [
        'onboardingDraft' => (int) $draft->getKey(),
    ]);

    // Switch the selected workspace AFTER mount. Statement order matters: the
    // component was authorized under A and is now called under B.
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspaceB->getKey());

    // The action must be rejected at call time; authorization established at
    // mount must not carry over to a different workspace context.
    $component
        ->call('selectProviderConnection', (int) $secondConnection->getKey())
        ->assertNotFound();

    // Re-read the draft from storage: the rejected call must not have written
    // anything, so the stored connection is still the first one.
    expect(($draft->fresh()->state['provider_connection_id'] ?? null))->toBe((int) $firstConnection->getKey());
});