TenantAtlas/apps/platform/tests/Feature/RequiredPermissions/RequiredPermissionsSidebarTest.php

<?php

declare(strict_types=1);

use App\Filament\Pages\EnvironmentDashboard;
use App\Models\ManagedEnvironment;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Links\RequiredPermissionsLinks;
use App\Support\Workspaces\WorkspaceContext;

/*
|--------------------------------------------------------------------------
| T001 — Sidebar context tests for Required Permissions page
|--------------------------------------------------------------------------
|
| Verifies that the Required Permissions page (a workspace-scoped page
| that uses {tenant} for data display only) always renders the workspace
| sidebar — never the tenant sidebar. Also verifies FR-002: authorization
| (404 for non-members) still works after the middleware change.
|
*/

it('renders workspace navigation items on the required permissions page', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $response = $this->actingAs($user)
        ->get(RequiredPermissionsLinks::requiredPermissions($tenant));

    $response->assertOk();

    // Workspace nav items from configureNavigationForRequest() workspace builder
    $response->assertSee('Operations', false);
    $response->assertSee('Audit Log', false);
});

it('does not render tenant navigation items on the required permissions page', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $response = $this->actingAs($user)
        ->get(RequiredPermissionsLinks::requiredPermissions($tenant));

    $response->assertOk();

    // ManagedEnvironment-scoped nav groups/items must NOT appear
    $response->assertDontSee('>Inventory</span>', false);
    $response->assertDontSee('>Backups &amp; Restore</span>', false);
});

it('shows workspace sidebar when navigating directly via URL', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $response = $this->actingAs($user)
        ->get(RequiredPermissionsLinks::requiredPermissions($tenant));

    $response->assertOk();

    // Workspace nav present (Operations is always visible in workspace nav)
    $response->assertSee('Operations', false);
    $response->assertSee('Audit Log', false);

    // ManagedEnvironment nav absent
    $response->assertDontSee('>Directory</span>', false);
    $response->assertDontSee('>Governance</span>', false);
});

it('returns 404 for non-workspace-members with stale session (FR-002 regression guard)', function (): void {
    $user = User::factory()->create();
    $workspace = Workspace::factory()->create();
    $tenant = ManagedEnvironment::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
    ]);

    // User is NOT a workspace member, so the canonical route is deny-as-not-found.
    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
        ])
        ->get(RequiredPermissionsLinks::requiredPermissions($tenant))
        ->assertNotFound();
});

it('returns 404 for workspace members without tenant entitlement after middleware change (FR-002 regression guard)', function (): void {
    $user = User::factory()->create();
    $workspace = Workspace::factory()->create();
    $tenant = ManagedEnvironment::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
    ]);

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'owner',
    ]);
    createUserWithTenant(
        tenant: ManagedEnvironment::factory()->create(['workspace_id' => (int) $workspace->getKey()]),
        user: $user,
        role: 'owner',
    );

    // User IS a workspace member but NOT entitled to this tenant
    $this->actingAs($user)
        ->withSession([
            WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
        ])
        ->get(RequiredPermissionsLinks::requiredPermissions($tenant))
        ->assertNotFound();
});

/*
|--------------------------------------------------------------------------
| T002 — Regression: tenant-scoped pages still show tenant sidebar
|--------------------------------------------------------------------------
|
| Verifies that the middleware change does NOT affect environment-scoped pages.
| Workspace-first environment pages must continue to show tenant sidebar.
|
*/

it('still renders tenant sidebar on tenant-scoped pages (regression guard)', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');

    // Use the managed-environment dashboard — a known environment-scoped URL
    $response = $this->actingAs($user)
        ->get(EnvironmentDashboard::getUrl(tenant: $tenant));

    $response->assertOk();

    // Environment-scoped affordances must still be present on tenant pages.
    $response->assertSee(__('localization.shell.switch_environment'), false)
        ->assertSee(__('localization.shell.clear_environment_scope'), false);
});

/*
|--------------------------------------------------------------------------
| T007 — Context bar: tenant name is visible on the page
|--------------------------------------------------------------------------
|
| The page's $scopedTenant is resolved from the route param via
| resolveScopedTenant() — NOT from Filament::getTenant(). So the tenant
| data is available even though Filament::setTenant() is skipped.
| Verify the page renders successfully and that the tenant's data is used.
|
*/

it('resolves scoped tenant correctly with workspace sidebar (context bar / US2)', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $response = $this->actingAs($user)
        ->get(RequiredPermissionsLinks::requiredPermissions($tenant));

    $response->assertOk();

    // The page resolves $scopedTenant from route param and uses it for visible page context.
    $response->assertSee($tenant->getFilamentName(), false);
    $response->assertSee('Required permissions', false);

    // The page uses $scopedTenant for links (e.g., "Re-run verification" links back to ManagedEnvironmentResource)
    // If $scopedTenant were null, the page would abort(404) in mount().
    // The fact that we get 200 proves $scopedTenant resolved correctly despite setTenant() being skipped.

    // Workspace nav present (sidebar fix working)
    $response->assertSee('Operations', false);

    // ManagedEnvironment nav absent (sidebar fix working)
    $response->assertDontSee('>Inventory</span>', false);
});

it('shows the routed tenant context even when another tenant is current', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    $currentTenant = ManagedEnvironment::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'name' => 'YPTW2',
        'environment' => 'dev',
        'status' => 'active',
    ]);

    $routedTenant = ManagedEnvironment::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'name' => 'Phoenicon',
        'environment' => 'dev',
        'status' => 'active',
    ]);

    createUserWithTenant($currentTenant, $user, role: 'owner');
    createUserWithTenant($routedTenant, $user, role: 'owner');

    $currentTenant->makeCurrent();

    $this->actingAs($user)
        ->get(RequiredPermissionsLinks::requiredPermissions($routedTenant))
        ->assertOk()
        ->assertSee($routedTenant->getFilamentName(), false)
        ->assertSee('Required permissions', false);
});