TenantAtlas/apps/platform/tests/Feature/ProviderConnections/AuthorizationSemanticsTest.php

<?php

declare(strict_types=1);

use App\Models\ManagedEnvironment;
use App\Models\ProviderConnection;
use App\Models\User;

it('enforces 404 for non-members and 403 for missing manage capability on mutations', function (): void {
    $tenant = ManagedEnvironment::factory()->create();

    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'managed_environment_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
    ]);

    // Non-member outsider is redirected by workspace middleware (no workspace membership).
    $outsider = User::factory()->create();

    $this->actingAs($outsider)
        ->get('/admin/provider-connections/'.$connection->getKey().'/edit')
        ->assertRedirect();

    [$readonly] = createUserWithTenant(tenant: $tenant, role: 'readonly');

    $this->actingAs($readonly)
        ->get('/admin/provider-connections/create?environment_id='.(int) $tenant->getKey())
        ->assertForbidden();
});