TenantAtlas/apps/platform/tests/Feature/Auth/SessionSeparationSmokeTest.php

<?php

declare(strict_types=1);

use App\Filament\Pages\TenantDashboard;
use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('does not allow a non-member user to access tenant-scoped admin routes', function () {
    [$member, $tenant] = createUserWithTenant(
        tenant: Tenant::factory()->create(['status' => 'active']),
        user: User::factory()->create(),
        role: 'owner',
    );

    $workspace = Workspace::query()->whereKey($tenant->workspace_id)->firstOrFail();

    $nonMember = User::factory()->create();
    WorkspaceMembership::factory()->create([
        'workspace_id' => $workspace->getKey(),
        'user_id' => $nonMember->getKey(),
        'role' => 'owner',
    ]);

    $this->actingAs($nonMember)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
        ->get(TenantDashboard::getUrl(tenant: $tenant))
        ->assertNotFound();

    $this->actingAs($member)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
        ->get(TenantDashboard::getUrl(tenant: $tenant))
        ->assertSuccessful();

    $this->get('/system')->assertNotFound();
});