ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
439248ba15
TenantAtlas/tests/Feature/Rbac/UiEnforcementNonMemberHiddenTest.php
ahmido 6a86c5901a 066-rbac-ui-enforcement-helper (#81) 
Kontext / Ziel
Diese PR standardisiert Tenant‑RBAC Enforcement in der Filament‑UI: statt ad-hoc Gate::*, abort_if/abort_unless und kopierten ->visible()/->disabled()‑Closures gibt es jetzt eine zentrale, wiederverwendbare Implementierung für Actions (Header/Table/Bulk).

Links zur Spec:

spec.md
plan.md
quickstart.md
Was ist drin
Neue zentrale Helper-API: UiEnforcement (Tenant-plane RBAC‑UX “source of truth” für Filament Actions)
Standardisierte Tooltip-Texte und Context-DTO (UiTooltips, TenantAccessContext)
Migration vieler tenant‑scoped Filament Action-Surfaces auf das Standardpattern (ohne ad-hoc Auth-Patterns)
CI‑Guard (Test) gegen neue ad-hoc Patterns in app/Filament/**:
verbietet Gate::allows/denies/check/authorize, use Illuminate\Support\Facades\Gate, abort_if/abort_unless
Legacy-Allowlist ist aktuell leer (neue Verstöße failen sofort)
RBAC-UX Semantik (konsequent & testbar)
Non-member: UI Actions hidden (kein Tenant‑Leak); Execution wird blockiert (Filament hidden→disabled chain), Defense‑in‑depth enthält zusätzlich serverseitige Guards.
Member ohne Capability: Action visible aber disabled + Standard-Tooltip; Execution wird blockiert (keine Side Effects).
Member mit Capability: Action enabled und ausführbar.
Destructive actions: über ->destructive() immer mit ->requiresConfirmation() + klare Warntexte (Execution bleibt über ->action(...)).
Wichtig: In Filament v5 sind hidden/disabled Actions typischerweise “silently blocked” (200, keine Ausführung). Die Tests prüfen daher UI‑State + “no side effects”, nicht nur HTTP‑Statuscodes.

Sicherheit / Scope
Keine neuen DB-Tabellen, keine Migrations, keine Microsoft Graph Calls (DB‑only bei Render; kein outbound HTTP).
Tenant Isolation bleibt Isolation‑Boundary (deny-as-not-found auf Tenant‑Ebene, Capability erst nach Membership).
Kein Asset-Setup erforderlich; keine neuen Filament Assets.
Compliance Notes (Repo-Regeln)
Filament v5 / Livewire v4.0+ kompatibel.
Keine Änderungen an Provider‑Registrierung (Laravel 11+/12: providers.php bleibt der Ort; hier unverändert).
Global Search: keine gezielte Änderung am Global‑Search-Verhalten in dieser PR.
Tests / Qualität
Pest Feature/Unit Tests für Member/Non-member/Tooltip/Destructive/Regression‑Guard.
Guard-Test: “No ad-hoc Filament auth patterns”.
Full suite laut Tasks: vendor/bin/sail artisan test --compact → 837 passed, 5 skipped.
Checklist: requirements.md vollständig (16/16).
Review-Fokus
API‑Usage in neuen/angepassten Filament Actions: UiEnforcement::forAction/forTableAction/forBulkAction(...)->requireCapability(...)->apply()
Guard-Test soll “red” werden, sobald jemand neue ad-hoc Auth‑Patterns einführt (by design).

Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box>
Reviewed-on: #81
2026-01-30 16:58:02 +00:00

153 lines
5.2 KiB
PHP
Raw Blame History

<?php
use App\Filament\Resources\PolicyResource\Pages\ListPolicies;
use App\Models\OperationRun;
use App\Models\Tenant;
use App\Models\User;
use Filament\Facades\Filament;
use Illuminate\Support\Facades\Queue;
use Livewire\Livewire;
/**
* Tests for US2: Non-members cannot infer tenant resources
*
* These tests verify that UiEnforcement correctly handles:
* - Non-members → action hidden in UI (prevents discovery)
* - Non-members → action blocked from execution (no side effects)
* - Membership revoked mid-session → still enforces protection
*
* Note on 404 behavior:
* In Filament v5, hidden actions are treated as disabled and return 200 (no execution)
* rather than 404. This is because Filament's action system doesn't support custom
* HTTP status codes for blocked actions. The security guarantee is:
* - Non-members cannot discover actions (hidden in UI)
* - Non-members cannot execute actions (blocked by Filament's isHidden check)
* - No side effects occur (jobs not pushed, data not modified)
*
* True 404 enforcement happens at the page/routing level via tenant middleware.
*/
describe('US2: Non-member sees action hidden in UI', function () {
beforeEach(function () {
Queue::fake();
});
it('hides sync action for users who are not members of the tenant', function () {
// Create user without membership to the tenant
$user = User::factory()->create();
$tenant = Tenant::factory()->create();
// No membership created
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
Livewire::test(ListPolicies::class)
->assertActionHidden('sync');
Queue::assertNothingPushed();
});
it('hides sync action for authenticated users accessing wrong tenant', function () {
// User is member of tenantA but accessing tenantB
[$user, $tenantA] = createUserWithTenant(role: 'owner');
$tenantB = Tenant::factory()->create();
// User has no membership to tenantB
$this->actingAs($user);
$tenantB->makeCurrent();
Filament::setTenant($tenantB, true);
Livewire::test(ListPolicies::class)
->assertActionHidden('sync');
Queue::assertNothingPushed();
});
});
describe('US2: Non-member action execution is blocked', function () {
beforeEach(function () {
Queue::fake();
});
it('blocks action execution for non-members (no side effects)', function () {
$user = User::factory()->create();
$tenant = Tenant::factory()->create();
// No membership
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
// Hidden actions are treated as disabled by Filament
// The action call returns 200 but no execution occurs
Livewire::test(ListPolicies::class)
->mountAction('sync')
->callMountedAction()
->assertSuccessful();
// Verify no side effects
Queue::assertNothingPushed();
expect(OperationRun::query()->where('tenant_id', $tenant->getKey())->count())->toBe(0);
});
});
describe('US2: Membership revoked mid-session still enforces protection', function () {
beforeEach(function () {
Queue::fake();
});
it('blocks action execution when membership is revoked between page load and action click', function () {
bindFailHardGraphClient();
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
// Start the test - action should be visible for member
$component = Livewire::test(ListPolicies::class)
->assertActionVisible('sync')
->assertActionEnabled('sync');
// Simulate membership revocation mid-session
$user->tenants()->detach($tenant->getKey());
// Clear capability cache to ensure fresh check
app(\App\Services\Auth\CapabilityResolver::class)->clearCache();
// Now try to execute - action is now hidden (via fresh isVisible evaluation)
// Filament blocks execution (returns 200 but no side effects)
$component
->mountAction('sync')
->callMountedAction()
->assertSuccessful();
// Verify no side effects
Queue::assertNothingPushed();
expect(OperationRun::query()->where('tenant_id', $tenant->getKey())->count())->toBe(0);
});
it('hides action in UI after membership revocation on re-render', function () {
[$user, $tenant] = createUserWithTenant(role: 'owner');
$this->actingAs($user);
$tenant->makeCurrent();
Filament::setTenant($tenant, true);
// Initial state - action visible
Livewire::test(ListPolicies::class)
->assertActionVisible('sync');
// Revoke membership
$user->tenants()->detach($tenant->getKey());
app(\App\Services\Auth\CapabilityResolver::class)->clearCache();
// New component instance (simulates page refresh)
Livewire::test(ListPolicies::class)
->assertActionHidden('sync');
Queue::assertNothingPushed();
});
});
Reference in New Issue View Git Blame Copy Permalink