ahmido
440e63edff
## Summary
Implements Spec 145 for tenant action taxonomy and lifecycle-safe visibility.
This PR:
- adds a central tenant action policy surface and supporting value objects
- aligns tenant list, detail, edit, onboarding, and widget surfaces around lifecycle-safe actions
- standardizes operator-facing lifecycle wording around View, Resume onboarding, Archive, Restore, and Complete onboarding
- tightens onboarding and tenant lifecycle authorization semantics, including honest 404 vs 403 behavior
- updates related regression coverage and spec artifacts for Spec 145
- fixes follow-on full-suite regressions uncovered during validation, including onboarding browser flows, provider consent fixtures, workspace redirect DI expectations, and critical table/action/UI expectation drift
## Validation
Executed and passed:
- vendor/bin/sail bin pint --dirty --format agent
- vendor/bin/sail artisan test --compact
Result:
- 2581 passed
- 8 skipped
- 13534 assertions
## Notes
- Base branch: dev
- Feature branch commit: a33a41b
- Filament v5 / Livewire v4 compliance preserved
- No panel provider registration changes; Laravel 12 provider registration remains in bootstrap/providers.php
- No new globally searchable resource behavior added in this slice
- Destructive lifecycle actions remain confirmation-gated and authorization-protected
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #174
155 lines
5.5 KiB
PHP
155 lines
5.5 KiB
PHP
<?php
|
|
|
|
use App\Filament\Pages\ChooseTenant;
|
|
use App\Filament\Pages\TenantDashboard;
|
|
use App\Filament\Resources\TenantResource\Pages\ListTenants;
|
|
use App\Models\Tenant;
|
|
use App\Support\Auth\UiTooltips;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Gate;
|
|
use Illuminate\Support\Facades\Http;
|
|
use Livewire\Livewire;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
beforeEach(function (): void {
|
|
Http::preventStrayRequests();
|
|
});
|
|
|
|
test('readonly users may switch current tenant via ChooseTenant', function () {
|
|
[$user, $tenantA] = createUserWithTenant(role: 'readonly');
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
'is_current' => false,
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenantB->getKey() => ['role' => 'readonly'],
|
|
]);
|
|
|
|
$tenantB->makeCurrent();
|
|
|
|
expect($tenantA->fresh()->is_current)->toBeFalse();
|
|
expect($tenantB->fresh()->is_current)->toBeTrue();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ChooseTenant::class)
|
|
->call('selectTenant', $tenantA->getKey())
|
|
->assertRedirect(TenantDashboard::getUrl(tenant: $tenantA));
|
|
});
|
|
|
|
test('users cannot switch to a tenant they are not a member of', function () {
|
|
[$user] = createUserWithTenant(role: 'readonly');
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
]);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ChooseTenant::class)
|
|
->call('selectTenant', $tenant->getKey())
|
|
->assertStatus(404);
|
|
});
|
|
|
|
test('readonly users cannot archive tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('archive', $tenant)
|
|
->assertTableActionExists('archive', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('archive', $tenant);
|
|
|
|
expect($tenant->fresh()->trashed())->toBeFalse();
|
|
});
|
|
|
|
test('readonly users cannot force delete tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$tenant->delete();
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('forceDelete', $tenant)
|
|
->assertTableActionExists('forceDelete', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('forceDelete', $tenant);
|
|
|
|
expect(Tenant::withTrashed()->find($tenant->getKey()))->not->toBeNull();
|
|
});
|
|
|
|
test('readonly users cannot verify tenant configuration', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('verify', $tenant)
|
|
->assertTableActionExists('verify', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('verify', $tenant);
|
|
});
|
|
|
|
test('readonly users cannot setup intune rbac', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('setup_rbac', $tenant);
|
|
});
|
|
|
|
test('readonly users cannot edit tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('edit', $tenant)
|
|
->assertTableActionExists('edit', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|
|
|
|
test('readonly users cannot open admin consent', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(\App\Filament\Resources\TenantResource::adminConsentUrl($tenant))->not->toBeNull();
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('admin_consent', $tenant)
|
|
->assertTableActionExists('admin_consent', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|
|
|
|
test('readonly users cannot start tenant sync from tenant menu', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_SYNC, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('syncTenant', $tenant)
|
|
->assertTableActionExists('syncTenant', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|