TenantAtlas/tests/Feature/Rbac/TenantRequiredPermissionsTrustedStateTest.php

<?php

declare(strict_types=1);

use App\Models\Tenant;
use App\Models\TenantPermission;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Workspaces\WorkspaceContext;

it('keeps the route tenant authoritative when tenant-like query values are present', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $otherTenant = Tenant::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'name' => 'Foreign Query Tenant',
        'external_id' => 'foreign-query-tenant',
    ]);

    $response = $this->actingAs($user)
        ->get("/admin/tenants/{$tenant->external_id}/required-permissions?tenant={$otherTenant->external_id}&tenant_id={$otherTenant->getKey()}&status=all")
        ->assertSuccessful();

    $response
        ->assertSee($tenant->getFilamentName())
        ->assertDontSee($otherTenant->name);
});

it('keeps filter state usable without redefining tenant scope', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    config()->set('intune_permissions.permissions', [
        [
            'key' => 'Tenant.Read.All',
            'type' => 'application',
            'description' => 'Tenant read permission',
            'features' => ['backup'],
        ],
    ]);
    config()->set('entra_permissions.permissions', []);

    TenantPermission::create([
        'tenant_id' => (int) $tenant->getKey(),
        'permission_key' => 'Tenant.Read.All',
        'status' => 'granted',
        'details' => ['source' => 'db'],
        'last_checked_at' => now(),
    ]);

    $response = $this->actingAs($user)
        ->get("/admin/tenants/{$tenant->external_id}/required-permissions?status=present&type=application&search=Tenant")
        ->assertSuccessful();

    $response
        ->assertSee($tenant->getFilamentName())
        ->assertSee('data-permission-key="Tenant.Read.All"', false);
});

it('returns 404 when the current workspace no longer matches the tenant route scope', function (): void {
    $workspaceA = Workspace::factory()->create();
    $workspaceB = Workspace::factory()->create();
    $user = User::factory()->create();

    $tenant = Tenant::factory()->create([
        'workspace_id' => (int) $workspaceA->getKey(),
        'external_id' => 'tenant-required-permissions-404',
    ]);

    createUserWithTenant(
        tenant: $tenant,
        user: $user,
        role: 'readonly',
        workspaceRole: 'readonly',
    );

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspaceB->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'readonly',
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspaceB->getKey());

    $this->actingAs($user)
        ->get('/admin/tenants/'.$tenant->external_id.'/required-permissions')
        ->assertNotFound();
});