TenantAtlas/tests/Feature/RequiredPermissions/RequiredPermissionsRbacTest.php

<?php

use App\Models\Tenant;
use App\Services\Auth\CapabilityResolver;
use App\Support\Auth\Capabilities;

it('returns 404 for non-members accessing required permissions', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $otherTenant = Tenant::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
    ]);

    $this->actingAs($user)
        ->get("/admin/t/{$otherTenant->external_id}/required-permissions")
        ->assertNotFound();
});

it('returns 403 for members without tenant.view capability accessing required permissions', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $this->mock(CapabilityResolver::class, function ($mock): void {
        $mock->shouldReceive('isMember')
            ->andReturn(true);

        $mock->shouldReceive('can')
            ->andReturnUsing(fn ($user, $tenant, $capability): bool => $capability !== Capabilities::TENANT_VIEW);
    });

    $this->actingAs($user)
        ->get("/admin/t/{$tenant->external_id}/required-permissions")
        ->assertForbidden();
});