TenantAtlas/apps/platform/tests/Feature/ProviderConnections/ScopeHardeningPolicyWorkspaceAuthorityTest.php

<?php

declare(strict_types=1);

use App\Models\ManagedEnvironment;
use App\Models\User;
use App\Policies\ProviderConnectionPolicy;
use App\Support\Workspaces\WorkspaceContext;
use Filament\Facades\Filament;
use Illuminate\Auth\Access\Response;

it('ScopeHardening does not derive workspace authority from Filament tenant in ProviderConnectionPolicy', function (): void {
    $environment = ManagedEnvironment::factory()->active()->create([
        'external_id' => 'spec339-scopehardening-policy-env',
    ]);

    [$user, $environment] = createUserWithTenant(tenant: $environment, role: 'owner');

    expect($user)->toBeInstanceOf(User::class);

    session()->forget(WorkspaceContext::SESSION_KEY);

    Filament::setTenant($environment, true);

    /** @var ProviderConnectionPolicy $policy */
    $policy = app(ProviderConnectionPolicy::class);

    $result = $policy->viewAny($user);

    expect($result)->toBeInstanceOf(Response::class);
    expect($result->denied())->toBeTrue();
});