TenantAtlas/tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php

<?php

declare(strict_types=1);

use App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Workspaces\WorkspaceContext;
use Livewire\Livewire;

it('returns 404 for non-members when visiting /admin/onboarding with a selected workspace', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $this->actingAs($user)
        ->get('/admin/onboarding')
        ->assertNotFound();
});

it('allows workspace members without onboarding capability to view the page but denies action attempts with 403', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'readonly',
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $this->actingAs($user)
        ->get('/admin/onboarding')
        ->assertSuccessful();

    Livewire::actingAs($user)
        ->test(ManagedTenantOnboardingWizard::class)
        ->call('identifyManagedTenant', [
            'entra_tenant_id' => '11111111-1111-1111-1111-111111111111',
            'environment' => 'prod',
            'name' => 'Acme',
        ])
        ->assertStatus(403);
});