TenantAtlas/tests/Feature/Rbac/CrossResourceNavigationAuthorizationTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\FindingResource;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\Finding;
use App\Services\Auth\WorkspaceCapabilityResolver;
use Filament\Facades\Filament;

it('renders an unavailable state when the related snapshot exists but workspace access is denied', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    $this->actingAs($user);
    Filament::setTenant($tenant, true);

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'name' => 'Security Baseline',
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
    ]);

    $finding = Finding::factory()->for($tenant)->create([
        'evidence_jsonb' => [
            'provenance' => [
                'baseline_profile_id' => (int) $profile->getKey(),
                'baseline_snapshot_id' => (int) $snapshot->getKey(),
            ],
        ],
    ]);

    $resolver = \Mockery::mock(WorkspaceCapabilityResolver::class);
    $resolver->shouldReceive('isMember')->andReturnTrue();
    $resolver->shouldReceive('can')->andReturnFalse();
    app()->instance(WorkspaceCapabilityResolver::class, $resolver);

    $this->get(FindingResource::getUrl('view', ['record' => $finding], tenant: $tenant))
        ->assertOk()
        ->assertSee('Unavailable')
        ->assertSee('current scope');
});