ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
2a856d2693
TenantAtlas/apps/platform/tests/Unit/Auth/WorkspaceRoleCapabilityMapTest.php
ahmido dd175c16a1 fix: tighten workspace RBAC access boundaries (#364) 
## Summary
- tighten workspace RBAC and panel access boundaries
- remove non-owner workspace membership management capability from workspace role mapping
- add focused boundary coverage for admin panel, managed environments, providers, review packs, operation runs, finding exceptions, and workspace role capabilities
- include spec artifacts for feature 309

## Testing
- cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/Auth/WorkspaceFirstManagedEnvironmentAccessTest.php tests/Feature/Rbac/RoleMatrix/ManagerAccessTest.php tests/Feature/Rbac/WorkspaceMembershipsRelationManagerUiEnforcementTest.php tests/Feature/Rbac/AdminPanelAccessBoundaryTest.php tests/Feature/Rbac/FindingExceptionLifecycleAccessBoundaryTest.php tests/Feature/Rbac/ManagedEnvironmentAccessBoundaryTest.php tests/Feature/Rbac/OperationRunAccessBoundaryTest.php tests/Feature/Rbac/ProviderConnectionAccessBoundaryTest.php tests/Feature/Rbac/ReviewPackAccessBoundaryTest.php tests/Feature/Rbac/SystemPanelAccessBoundaryTest.php tests/Feature/Rbac/WorkspaceRoleCapabilityBoundaryTest.php tests/Unit/Auth/CapabilityResolverTest.php tests/Unit/Auth/WorkspaceRoleCapabilityMapTest.php
- cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #364
2026-05-15 14:00:21 +00:00

36 lines
1.6 KiB
PHP
Raw Blame History

<?php
use App\Services\Auth\RoleCapabilityMap;
use App\Services\Auth\WorkspaceRoleCapabilityMap;
use App\Support\Auth\Capabilities;
use App\Support\Auth\WorkspaceRole;
use App\Support\TenantRole;
it('uses only canonical capabilities in workspace role grants', function (): void {
foreach (WorkspaceRole::cases() as $role) {
$capabilities = WorkspaceRoleCapabilityMap::getCapabilities($role);
expect($capabilities)
->toBe(array_values(array_unique($capabilities)));
foreach ($capabilities as $capability) {
expect(Capabilities::isKnown($capability))->toBeTrue();
}
}
});
it('keeps workspace and tenant membership management owner only', function (): void {
expect(WorkspaceRoleCapabilityMap::rolesWithCapability(Capabilities::WORKSPACE_MEMBERSHIP_MANAGE))
->toBe([WorkspaceRole::Owner->value]);
expect(WorkspaceRoleCapabilityMap::hasCapability(WorkspaceRole::Owner, Capabilities::WORKSPACE_MEMBERSHIP_MANAGE))->toBeTrue();
expect(WorkspaceRoleCapabilityMap::hasCapability(WorkspaceRole::Owner, Capabilities::TENANT_MEMBERSHIP_MANAGE))->toBeTrue();
foreach ([WorkspaceRole::Manager, WorkspaceRole::Operator, WorkspaceRole::Readonly] as $role) {
expect(WorkspaceRoleCapabilityMap::hasCapability($role, Capabilities::WORKSPACE_MEMBERSHIP_MANAGE))->toBeFalse();
expect(WorkspaceRoleCapabilityMap::hasCapability($role, Capabilities::TENANT_MEMBERSHIP_MANAGE))->toBeFalse();
}
expect(RoleCapabilityMap::hasCapability(TenantRole::Manager, Capabilities::TENANT_MEMBERSHIP_MANAGE))->toBeFalse();
});
Reference in New Issue View Git Blame Copy Permalink