ahmido
d1a9989037
Implementiert Feature 066: “RBAC UI Enforcement Helper v2” inkl. Migration der betroffenen Filament-Surfaces + Regression-Tests. Was ist drin Neuer Helper: UiEnforcement.php: mixed visibility (preserveVisibility, andVisibleWhen, andHiddenWhen), tenant resolver (tenantFromFilament, tenantFromRecord, tenantFrom(callable)), bulk preflight (preflightByCapability, preflightByTenantMembership, preflightSelection) + server-side authorizeOrAbort() / authorizeBulkSelectionOrAbort(). UiTooltips.php: standard Tooltip “Insufficient permission — ask a tenant Owner.” Filament migrations (weg von Gate::… / abort_* hin zu UiEnforcement): Backup/Restore (mixed visibility) TenantResource (record-scoped tenant actions + bulk preflight) Inventory/Entra/ProviderConnections (Tier-2 surfaces) Guardrails: NoAdHocFilamentAuthPatternsTest.php als CI-failing allowlist guard für app/Filament/**. Verhalten / Contract Non-member: deny-as-not-found (404) auf tenant routes; Actions hidden. Member ohne Capability: Action visible but disabled + standard tooltip; keine Ausführung. Member mit Capability: Action enabled; destructive/high-impact Actions bleiben confirmation-gated (->requiresConfirmation()). Server-side Enforcement bleibt vorhanden: Mutations/Operations rufen authorizeOrAbort() / authorizeBulkSelectionOrAbort(). Tests Neue/erweiterte Feature-Tests für RBAC UX inkl. Http::preventStrayRequests() (DB-only render): BackupSetUiEnforcementTest.php RestoreRunUiEnforcementTest.php ProviderConnectionsUiEnforcementTest.php diverse bestehende Filament Tests erweitert (Inventory/Entra/Tenant actions/bulk) Unit-Tests: UiEnforcementTest.php UiEnforcementBulkPreflightQueryCountTest.php Verification vendor/bin/sail bin pint --dirty ✅ vendor/bin/sail artisan test --compact tests/Unit/Auth tests/Feature/Filament tests/Feature/Guards tests/Feature/Rbac ✅ (185 passed, 5 skipped) Notes für Reviewer Filament v5 / Livewire v4 compliant. Destructive actions: weiterhin ->requiresConfirmation() + server-side auth. Bulk: authorization preflight ist set-based (Query-count test vorhanden). Co-authored-by: Ahmed Darrazi <ahmeddarrazi@MacBookPro.fritz.box> Reviewed-on: #83
78 lines
2.9 KiB
PHP
78 lines
2.9 KiB
PHP
<?php
|
|
|
|
use App\Filament\Resources\ProviderConnectionResource;
|
|
use App\Filament\Resources\ProviderConnectionResource\Pages\EditProviderConnection;
|
|
use App\Filament\Resources\ProviderConnectionResource\Pages\ListProviderConnections;
|
|
use App\Models\ProviderConnection;
|
|
use App\Models\Tenant;
|
|
use App\Support\Auth\UiTooltips;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Http;
|
|
use Livewire\Livewire;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
beforeEach(function (): void {
|
|
Http::preventStrayRequests();
|
|
});
|
|
|
|
test('non-members are denied access to provider connection tenant routes (404)', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
$otherTenant = Tenant::factory()->create();
|
|
|
|
[$user] = createUserWithTenant($otherTenant, role: 'owner');
|
|
|
|
$this->actingAs($user)
|
|
->get(ProviderConnectionResource::getUrl('index', tenant: $tenant))
|
|
->assertStatus(404);
|
|
});
|
|
|
|
test('members without capability see provider connection actions disabled with standard tooltip', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user] = createUserWithTenant($tenant, role: 'readonly');
|
|
|
|
$connection = ProviderConnection::factory()->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'status' => 'needs_consent',
|
|
]);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListProviderConnections::class)
|
|
->assertTableActionVisible('check_connection', $connection)
|
|
->assertTableActionDisabled('check_connection', $connection)
|
|
->assertTableActionExists('check_connection', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $connection);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(EditProviderConnection::class, ['record' => $connection->getKey()])
|
|
->assertActionVisible('check_connection')
|
|
->assertActionDisabled('check_connection')
|
|
->assertActionExists('check_connection', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission());
|
|
});
|
|
|
|
test('members with capability can see provider connection actions enabled', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user] = createUserWithTenant($tenant, role: 'owner');
|
|
|
|
$connection = ProviderConnection::factory()->create([
|
|
'tenant_id' => $tenant->getKey(),
|
|
'status' => 'needs_consent',
|
|
]);
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListProviderConnections::class)
|
|
->assertTableActionVisible('check_connection', $connection)
|
|
->assertTableActionEnabled('check_connection', $connection);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(EditProviderConnection::class, ['record' => $connection->getKey()])
|
|
->assertActionVisible('check_connection')
|
|
->assertActionEnabled('check_connection');
|
|
});
|