    create([
        'status' => 'active',
        'is_current' => false,
    ]);

    $user->tenants()->syncWithoutDetaching([
        $tenantB->getKey() => ['role' => 'readonly'],
    ]);

    // Make tenant B the current tenant, then select tenant A through the chooser.
    $tenantB->makeCurrent();

    expect($tenantA->fresh()->is_current)->toBeFalse();
    expect($tenantB->fresh()->is_current)->toBeTrue();

    Livewire::actingAs($user)
        ->test(ChooseTenant::class)
        ->call('selectTenant', $tenantA->getKey())
        ->assertRedirect(TenantDashboard::getUrl(tenant: $tenantA));
});

test('users cannot switch to a tenant they are not a member of', function () {
    [$user] = createUserWithTenant(role: 'readonly');

    // A second tenant that $user is never attached to in this test.
    $tenant = Tenant::factory()->create([
        'status' => 'active',
    ]);

    Livewire::actingAs($user)
        ->test(ChooseTenant::class)
        ->call('selectTenant', $tenant->getKey())
        ->assertStatus(404);
});

test('readonly users cannot deactivate tenants (archive)', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();

    // The action is disabled in the table, and calling it anyway must not archive the tenant.
    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('archive', $tenant)
        ->callTableAction('archive', $tenant);

    expect($tenant->fresh()->trashed())->toBeFalse();
});

test('readonly users cannot force delete tenants', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    // Delete the tenant first; the record must still be found with withTrashed() after the forceDelete attempt.
    $tenant->delete();

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('forceDelete', $tenant)
        ->callTableAction('forceDelete', $tenant);

    expect(Tenant::withTrashed()->find($tenant->getKey()))->not->toBeNull();
});

test('readonly users cannot verify tenant configuration', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('verify', $tenant)
        ->callTableAction('verify', $tenant);
});

test('readonly users cannot setup intune rbac', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('setup_rbac', $tenant);
});

test('readonly users cannot edit tenants', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('edit', $tenant);
});

test('readonly users cannot open admin consent', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    // The consent URL exists for this tenant, so the action is disabled by the capability check, not by a missing URL.
    expect(\App\Filament\Resources\TenantResource::adminConsentUrl($tenant))->not->toBeNull();

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('admin_consent', $tenant);
});

test('readonly users cannot start tenant sync from tenant menu', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    Filament::setTenant($tenant, true);

    expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_SYNC, $tenant))->toBeFalse();

    Livewire::actingAs($user)
        ->test(ListTenants::class)
        ->assertTableActionDisabled('syncTenant', $tenant);
});