create();
    $tenantB = Tenant::factory()->create();

    // One run per tenant; the 'resource' values double as marker strings
    // that the response assertions below look for.
    BulkOperationRun::factory()->create([
        'tenant_id' => $tenantA->getKey(),
        'resource' => 'tenant_a',
        'action' => 'alpha',
    ]);

    BulkOperationRun::factory()->create([
        'tenant_id' => $tenantB->getKey(),
        'resource' => 'tenant_b',
        'action' => 'beta',
    ]);

    // The user is attached to BOTH tenants as 'owner', so the absence of
    // tenant B's run below cannot be explained by missing membership; it has
    // to come from scoping the listing to the tenant named in the URL.
    $user = User::factory()->create();
    $user->tenants()->syncWithoutDetaching([
        $tenantA->getKey() => ['role' => 'owner'],
        $tenantB->getKey() => ['role' => 'owner'],
    ]);

    // Index requested for tenant A: tenant A's marker must be rendered and
    // tenant B's marker must not appear anywhere in the response.
    $this->actingAs($user)
        ->get(BulkOperationRunResource::getUrl('index', tenant: $tenantA))
        ->assertOk()
        ->assertSee('tenant_a')
        ->assertDontSee('tenant_b');
});

// Tenant isolation on the single-record page: a run that belongs to tenant B
// is requested through a URL built for tenant A, and the response must be 403.
test('bulk operation run view is forbidden cross-tenant (403)', function () {
    $tenantA = Tenant::factory()->create();
    $tenantB = Tenant::factory()->create();

    // The only run in this test belongs to tenant B.
    $runB = BulkOperationRun::factory()->create([
        'tenant_id' => $tenantB->getKey(),
        'resource' => 'tenant_b',
        'action' => 'beta',
    ]);

    // Owner of both tenants: the user would presumably be allowed to see
    // $runB under tenant B, so the 403 below is about the record not
    // belonging to the tenant in the URL rather than about the user's role.
    // NOTE(review): this does not cover a user who is not a member of
    // tenant B at all; confirm that case is asserted elsewhere.
    $user = User::factory()->create();
    $user->tenants()->syncWithoutDetaching([
        $tenantA->getKey() => ['role' => 'owner'],
        $tenantB->getKey() => ['role' => 'owner'],
    ]);

    // Tenant A in the URL, tenant B's record as the route parameter.
    $this->actingAs($user)
        ->get(BulkOperationRunResource::getUrl('view', ['record' => $runB], tenant: $tenantA))
        ->assertForbidden();
});