TenantAtlas/apps/platform/tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php

<?php

declare(strict_types=1);

use App\Models\ManagedEnvironment;
use App\Models\ManagedEnvironmentMembership;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Services\Auth\CapabilityResolver;
use App\Services\Auth\ManagedEnvironmentAccessScopeResolver;
use App\Support\Auth\Capabilities;
use App\Support\Workspaces\WorkspaceContext;
use Filament\PanelRegistry;

it('allows workspace members to access active environments without environment scope rows', function (): void {
    $workspace = Workspace::factory()->create();
    $tenantA = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'name' => 'Tenant A',
    ]);
    $tenantB = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'name' => 'Tenant B',
    ]);
    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'readonly',
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    /** @var \Filament\Panel $panel */
    $panel = app(PanelRegistry::class)->get('admin');
    $tenants = $user->getTenants($panel);

    expect($user->canAccessTenant($tenantA))->toBeTrue()
        ->and($user->canAccessTenant($tenantB))->toBeTrue()
        ->and($tenants->pluck('name')->all())->toEqual(['Tenant A', 'Tenant B']);
});

it('narrows tenant selection and clears stale remembered environment context', function (): void {
    $workspace = Workspace::factory()->create();
    $allowedTenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'name' => 'Allowed Tenant',
    ]);
    $deniedTenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'name' => 'Denied Tenant',
    ]);
    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'manager',
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    ManagedEnvironmentMembership::query()->create([
        'managed_environment_id' => (int) $allowedTenant->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'readonly',
        'source' => 'manual',
    ]);

    app(CapabilityResolver::class)->clearCache();
    app(ManagedEnvironmentAccessScopeResolver::class)->clearCache();

    app(WorkspaceContext::class)->rememberLastTenantId((int) $workspace->getKey(), (int) $deniedTenant->getKey());

    /** @var \Filament\Panel $panel */
    $panel = app(PanelRegistry::class)->get('admin');
    $allowedDecision = app(ManagedEnvironmentAccessScopeResolver::class)->decision($user, $allowedTenant, Capabilities::WORKSPACE_SETTINGS_VIEW);
    $defaultTenant = $user->getDefaultTenant($panel);
    $tenants = $user->getTenants($panel);

    expect($defaultTenant?->getKey())->toBe($allowedTenant->getKey())
        ->and($allowedDecision->workspaceRole)->toBe('manager')
        ->and($allowedDecision->capabilityAllowed)->toBeTrue()
        ->and(app(WorkspaceContext::class)->lastTenantId())->toBeNull()
        ->and($tenants)->toHaveCount(1)
        ->and($tenants->first()?->getKey())->toBe($allowedTenant->getKey());
});