<?php

declare(strict_types=1);

use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;

it('returns 403 for a member without managed-tenant manage capability when accessing edit', function (): void {
    $tenant = Tenant::factory()->create();
    [$user] = createUserWithTenant($tenant, role: 'readonly');

    $this->actingAs($user)
        ->get("/admin/t/{$tenant->external_id}/tenants/{$tenant->id}/edit")
        ->assertForbidden();
});

it('returns 404 for a non-member attempting to access a workspace managed-tenant list', function (): void {
    $workspace = Workspace::factory()->create();
    Tenant::factory()->create(['workspace_id' => $workspace->getKey()]);

    $user = User::factory()->create();

    $otherWorkspace = Workspace::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => $otherWorkspace->getKey(),
        'user_id' => $user->getKey(),
        'role' => 'readonly',
    ]);

    $user->forceFill(['last_workspace_id' => $otherWorkspace->getKey()])->save();

    $this->actingAs($user)
        ->get('/admin/w/'.$workspace->slug.'/managed-tenants')
        ->assertNotFound();
});