159 lines
4.8 KiB
PHP
159 lines
4.8 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Models\OperationRun;
|
|
use App\Models\PlatformUser;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Support\Auth\PlatformCapabilities;
|
|
use App\Support\System\SystemDirectoryLinks;
|
|
use App\Support\System\SystemOperationRunLinks;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
it('returns 404 when a tenant session accesses system panel routes', function (string $url) {
|
|
$user = User::factory()->create();
|
|
|
|
$this->actingAs($user)->get($url)->assertNotFound();
|
|
})->with([
|
|
'/system/login',
|
|
'/system',
|
|
'/system/ops/runbooks',
|
|
'/system/ops/runs',
|
|
]);
|
|
|
|
it('returns 403 when a platform user lacks the required capability on system pages', function (string $url) {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get($url)
|
|
->assertForbidden();
|
|
})->with([
|
|
'/system',
|
|
'/system/ops/runbooks',
|
|
'/system/ops/runs',
|
|
]);
|
|
|
|
it('returns 404 when a tenant session accesses a system operation detail route', function () {
|
|
$user = User::factory()->create();
|
|
$run = OperationRun::factory()->create();
|
|
|
|
$this->actingAs($user)
|
|
->get(SystemOperationRunLinks::view($run))
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('returns 403 when a platform user lacks operations capability on system operation detail', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create();
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get(SystemOperationRunLinks::view($run))
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('returns 200 on system operation detail when a platform user has operations capability', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::OPERATIONS_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$run = OperationRun::factory()->create();
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get(SystemOperationRunLinks::view($run))
|
|
->assertSuccessful();
|
|
});
|
|
|
|
it('returns 200 when a platform user has the required capability', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::CONSOLE_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get('/system')
|
|
->assertSuccessful();
|
|
});
|
|
|
|
it('returns 403 on runbooks when a platform user lacks the runbooks view capability even with system access', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::OPS_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get('/system/ops/runbooks')
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('returns 200 on runbooks when a platform user has the required runbooks capability set', function () {
|
|
$platformUser = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::OPS_VIEW,
|
|
PlatformCapabilities::RUNBOOKS_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformUser, 'platform')
|
|
->get('/system/ops/runbooks')
|
|
->assertSuccessful();
|
|
});
|
|
|
|
it('keeps system workspace detail route semantics separate from commercial business-state blocks', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
|
|
$this->actingAs(User::factory()->create())
|
|
->get(SystemDirectoryLinks::workspaceDetail($workspace))
|
|
->assertNotFound();
|
|
|
|
auth()->guard('web')->logout();
|
|
|
|
$platformWithoutDirectoryView = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($platformWithoutDirectoryView, 'platform')
|
|
->get(SystemDirectoryLinks::workspaceDetail($workspace))
|
|
->assertForbidden();
|
|
|
|
$directoryViewer = PlatformUser::factory()->create([
|
|
'capabilities' => [
|
|
PlatformCapabilities::ACCESS_SYSTEM_PANEL,
|
|
PlatformCapabilities::DIRECTORY_VIEW,
|
|
],
|
|
'is_active' => true,
|
|
]);
|
|
|
|
$this->actingAs($directoryViewer, 'platform')
|
|
->get(SystemDirectoryLinks::workspaceDetail($workspace))
|
|
->assertSuccessful()
|
|
->assertSee('Commercial lifecycle')
|
|
->assertDontSee('Change commercial state');
|
|
});
|