TenantAtlas/apps/platform/tests/Feature/Filament/AdminTenantSurfaceParityTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\BackupSetResource;
use App\Filament\Resources\PolicyResource;
use App\Filament\Resources\PolicyVersionResource;
use App\Models\BackupSet;
use App\Models\Policy;
use App\Models\PolicyVersion;
use App\Models\Tenant;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

it('returns not found for admin direct record access outside the remembered canonical tenant', function (): void {
    $tenantA = Tenant::factory()->create();
    [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');
    $tenantB = Tenant::factory()->create(['workspace_id' => (int) $tenantA->workspace_id]);
    createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner');

    $allowedPolicy = Policy::factory()->for($tenantA)->create();
    $blockedBackupSet = BackupSet::factory()->for($tenantB)->create();

    $this->actingAs($user);
    Filament::setCurrentPanel('admin');
    Filament::setTenant(null, true);
    Filament::bootCurrentPanel();

    $session = [
        WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id,
        WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [
            (string) $tenantA->workspace_id => (int) $tenantA->getKey(),
        ],
    ];

    session()->put(WorkspaceContext::SESSION_KEY, $session[WorkspaceContext::SESSION_KEY]);
    session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, $session[WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY]);

    expect(PolicyResource::getEloquentQuery()->whereKey($allowedPolicy->getKey())->exists())->toBeTrue();
    expect(BackupSetResource::getEloquentQuery()->whereKey($blockedBackupSet->getKey())->exists())->toBeFalse();
});

it('keeps admin direct policy-version resolution inside the remembered canonical tenant', function (): void {
    $tenantA = Tenant::factory()->create();
    [$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');
    $tenantB = Tenant::factory()->create(['workspace_id' => (int) $tenantA->workspace_id]);
    createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner');

    $policyA = Policy::factory()->for($tenantA)->create();
    $policyB = Policy::factory()->for($tenantB)->create();

    $allowedVersion = PolicyVersion::factory()->for($tenantA)->for($policyA)->create();
    $blockedVersion = PolicyVersion::factory()->for($tenantB)->for($policyB)->create();

    $this->actingAs($user);
    Filament::setCurrentPanel('admin');
    Filament::setTenant(null, true);
    Filament::bootCurrentPanel();

    $session = [
        WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id,
        WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY => [
            (string) $tenantA->workspace_id => (int) $tenantA->getKey(),
        ],
    ];

    session()->put(WorkspaceContext::SESSION_KEY, $session[WorkspaceContext::SESSION_KEY]);
    session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, $session[WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY]);

    expect(PolicyVersionResource::getEloquentQuery()->whereKey($allowedVersion->getKey())->exists())->toBeTrue();
    expect(PolicyVersionResource::getEloquentQuery()->whereKey($blockedVersion->getKey())->exists())->toBeFalse();
});