ahmido
2fa8fc0f87
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 51s
## Summary - decommission the legacy findings lifecycle backfill substrate across command, job, service, and UI layers - remove related platform capabilities, operation catalog entries, and action surface exemptions - add regression and removal verification tests to ensure runtime integrity and surface absence - include spec, plan, tasks, and data-model artifacts for the removal slice ## Scope - active spec: specs/253-remove-findings-backfill-runtime-surfaces - target branch: dev ## Validation - integrated regression and removal verification tests for console, findings, and system ops surfaces - audit log and capability trace verification for the removal path Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #294
159 lines
4.8 KiB
PHP
159 lines
4.8 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\OperationRun;
|
|
use App\Models\PlatformUser;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Support\Auth\PlatformCapabilities;
|
|
use App\Support\System\SystemDirectoryLinks;
|
|
use App\Support\System\SystemOperationRunLinks;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('returns 404 when a tenant session accesses system panel routes', function (string $url) {
|
|
$user = User::factory()->create();
|
|
|
|
$this->actingAs($user)->get($url)->assertNotFound();
|
|
})->with([
|
|
'/system/login',
|
|
'/system',
|
|
'/system/ops/runbooks',
|
|
'/system/ops/runs',
|
|
]);
|
|
|
|
it('returns 403 when a platform user lacks the required capability on system pages', function (string $url) {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get($url)
|
|
->assertForbidden();
|
|
})->with([
|
|
'/system',
|
|
'/system/ops/runbooks',
|
|
'/system/ops/runs',
|
|
]);
|
|
|
|
it('returns 404 when a tenant session accesses a system operation detail route', function () {
|
|
$user = User::factory()->create();
|
|
$run = OperationRun::factory()->create();
|
|
|
|
$this->actingAs($user)
|
|
->get(SystemOperationRunLinks::view($run))
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('returns 403 when a platform user lacks operations capability on system operation detail', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create();
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get(SystemOperationRunLinks::view($run))
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('returns 200 on system operation detail when a platform user has operations capability', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::OPERATIONS_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create();
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get(SystemOperationRunLinks::view($run))
|
|
->assertSuccessful();
|
|
});
|
|
|
|
it('returns 200 when a platform user has the required capability', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::CONSOLE_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get('/system')
|
|
->assertSuccessful();
|
|
});
|
|
|
|
it('returns 403 on runbooks when a platform user lacks the runbooks view capability even with system access', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::OPS_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get('/system/ops/runbooks')
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('returns 200 on runbooks when a platform user has the required runbooks capability set', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::OPS_VIEW,
|
|
PlatformCapabilities::RUNBOOKS_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get('/system/ops/runbooks')
|
|
->assertSuccessful();
|
|
});
|
|
|
|
it('keeps system workspace detail route semantics separate from commercial business-state blocks', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
|
|
$this->actingAs(User::factory()->create())
|
|
->get(SystemDirectoryLinks::workspaceDetail($workspace))
|
|
->assertNotFound();
|
|
|
|
auth()->guard('web')->logout();
|
|
|
|
$platformWithoutDirectoryView = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformWithoutDirectoryView, 'platform')
|
|
->get(SystemDirectoryLinks::workspaceDetail($workspace))
|
|
->assertForbidden();
|
|
|
|
$directoryViewer = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::DIRECTORY_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($directoryViewer, 'platform')
|
|
->get(SystemDirectoryLinks::workspaceDetail($workspace))
|
|
->assertSuccessful()
|
|
->assertSee('Commercial lifecycle')
|
|
->assertDontSee('Change commercial state');
|
|
});
|