TenantAtlas/apps/platform/tests/Feature/ProviderConnections/ManageCapabilityEnforcementTest.php

<?php

declare(strict_types=1);

use App\Models\ProviderConnection;

it('returns 403 for tenant members without PROVIDER_MANAGE capability on create and edit', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $connection = ProviderConnection::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'managed_environment_id' => (int) $tenant->getKey(),
        'provider' => 'microsoft',
    ]);

    $this->actingAs($user)
        ->get('/admin/provider-connections/create?managed_environment_id='.(string) $tenant->external_id)
        ->assertForbidden();

    $this->actingAs($user)
        ->get('/admin/provider-connections/'.$connection->getKey())
        ->assertOk();

    $this->actingAs($user)
        ->get('/admin/provider-connections/'.$connection->getKey().'/edit')
        ->assertForbidden();
});