TenantAtlas/apps/platform/tests/Feature/Rbac/TenantMembershipsRelationManagerUiEnforcementTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\TenantResource\Pages\EditTenant;
use App\Filament\Resources\TenantResource\RelationManagers\TenantMembershipsRelationManager;
use App\Models\Tenant;
use App\Models\User;
use Filament\Actions\Action;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;

uses(RefreshDatabase::class);

describe('Tenant memberships relation manager UI enforcement', function () {
    it('shows membership actions as visible but disabled for manager members', function () {
        $tenant = Tenant::factory()->create();
        [$user] = createUserWithTenant(tenant: $tenant, role: 'manager');

        $this->actingAs($user);
        $tenant->makeCurrent();
        Filament::setTenant($tenant, true);

        $otherUser = User::factory()->create();
        createUserWithTenant(tenant: $tenant, user: $otherUser, role: 'readonly');

        Livewire::test(TenantMembershipsRelationManager::class, [
            'ownerRecord' => $tenant,
            'pageClass' => EditTenant::class,
        ])
            ->assertTableActionVisible('add_member')
            ->assertTableActionDisabled('add_member')
            ->assertTableActionExists('add_member', function (Action $action): bool {
                return $action->getTooltip() === 'You do not have permission to manage tenant memberships.';
            })
            ->assertTableActionVisible('change_role')
            ->assertTableActionDisabled('change_role')
            ->assertTableActionExists('change_role', function (Action $action): bool {
                return $action->getTooltip() === 'You do not have permission to manage tenant memberships.';
            })
            ->assertTableActionVisible('remove')
            ->assertTableActionDisabled('remove')
            ->assertTableActionExists('remove', function (Action $action): bool {
                return $action->getTooltip() === 'You do not have permission to manage tenant memberships.';
            });
    });
});