TenantAtlas/apps/platform/tests/Feature/TenantReview/TenantReviewRbacTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\TenantReviewResource;
use App\Filament\Resources\TenantReviewResource\Pages\ListTenantReviews;
use App\Filament\Resources\TenantReviewResource\Pages\ViewTenantReview;
use App\Models\Tenant;
use App\Models\User;
use App\Support\Auth\UiTooltips;
use Livewire\Livewire;

it('returns not found for non-members on the tenant review library and detail routes', function (): void {
    $targetTenant = Tenant::factory()->create();
    [$member] = createUserWithTenant(role: 'owner');
    $reviewOwner = User::factory()->create();
    createUserWithTenant(tenant: $targetTenant, user: $reviewOwner, role: 'owner');
    $review = composeTenantReviewForTest($targetTenant, $reviewOwner);

    $this->actingAs($member)
        ->get(TenantReviewResource::tenantScopedUrl('index', tenant: $targetTenant))
        ->assertNotFound();

    $this->actingAs($member)
        ->get(TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $targetTenant))
        ->assertNotFound();
});

it('allows readonly members to inspect reviews but keeps create actions disabled', function (): void {
    $tenant = Tenant::factory()->create();
    [$owner, $tenant] = createUserWithTenant(tenant: $tenant, role: 'owner');
    [$readonly] = createUserWithTenant(tenant: $tenant, user: User::factory()->create(), role: 'readonly');
    $review = composeTenantReviewForTest($tenant, $owner);

    $this->actingAs($readonly)
        ->get(TenantReviewResource::tenantScopedUrl('view', ['record' => $review], $tenant))
        ->assertOk();

    setTenantPanelContext($tenant);

    Livewire::actingAs($readonly)
        ->test(ListTenantReviews::class)
        ->assertActionVisible('create_review')
        ->assertActionDisabled('create_review')
        ->assertActionExists('create_review', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission());

    Livewire::actingAs($readonly)
        ->test(ViewTenantReview::class, ['record' => $review->getKey()])
        ->assertActionVisible('publish_review')
        ->assertActionDisabled('publish_review')
        ->assertActionVisible('archive_review')
        ->assertActionDisabled('archive_review');
});