ahmido
acc8947384
## Summary - add the Spec 194 governance action catalog, friction classes, reason policies, and regression guards - align exception, review, evidence, finding, tenant, provider connection, and system run actions to the shared semantics model - add focused feature, RBAC, audit, unit, and browser coverage, including the tenant detail triage header consistency update ## Verification - ran the focused Spec 194 verification pack from the quickstart and task plan - ran targeted tenant triage coverage after the detail-header update - ran `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` ## Filament Notes - Filament v5 / Livewire v4 compliance preserved - provider registration remains in `apps/platform/bootstrap/providers.php` - globally searchable resources were not changed - destructive actions remain confirmation-gated and server-authorized - no new Filament assets were introduced; the existing `cd apps/platform && php artisan filament:assets` deploy step stays unchanged Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #229
157 lines
5.6 KiB
PHP
157 lines
5.6 KiB
PHP
<?php
|
|
|
|
use App\Filament\Pages\ChooseTenant;
|
|
use App\Filament\Pages\TenantDashboard;
|
|
use App\Filament\Resources\TenantResource\Pages\ListTenants;
|
|
use App\Models\Tenant;
|
|
use App\Support\Auth\UiTooltips;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Gate;
|
|
use Illuminate\Support\Facades\Http;
|
|
use Livewire\Livewire;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
beforeEach(function (): void {
|
|
Http::preventStrayRequests();
|
|
});
|
|
|
|
test('readonly users may switch current tenant via ChooseTenant', function () {
|
|
[$user, $tenantA] = createUserWithTenant(role: 'readonly');
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
'is_current' => false,
|
|
]);
|
|
|
|
$user->tenants()->syncWithoutDetaching([
|
|
$tenantB->getKey() => ['role' => 'readonly'],
|
|
]);
|
|
|
|
$tenantB->makeCurrent();
|
|
|
|
expect($tenantA->fresh()->is_current)->toBeFalse();
|
|
expect($tenantB->fresh()->is_current)->toBeTrue();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ChooseTenant::class)
|
|
->call('selectTenant', $tenantA->getKey())
|
|
->assertRedirect(TenantDashboard::getUrl(tenant: $tenantA));
|
|
});
|
|
|
|
test('users cannot switch to a tenant they are not a member of', function () {
|
|
[$user] = createUserWithTenant(role: 'readonly');
|
|
|
|
$tenant = Tenant::factory()->create([
|
|
'status' => 'active',
|
|
]);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ChooseTenant::class)
|
|
->call('selectTenant', $tenant->getKey())
|
|
->assertStatus(404);
|
|
});
|
|
|
|
test('readonly users cannot archive tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('archive', $tenant)
|
|
->assertTableActionExists('archive', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('archive', $tenant, [
|
|
'archive_reason' => 'Readonly users should not be able to archive tenants.',
|
|
]);
|
|
|
|
expect($tenant->fresh()->trashed())->toBeFalse();
|
|
});
|
|
|
|
test('readonly users cannot force delete tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$tenant->delete();
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_DELETE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('forceDelete', $tenant)
|
|
->assertTableActionExists('forceDelete', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('forceDelete', $tenant);
|
|
|
|
expect(Tenant::withTrashed()->find($tenant->getKey()))->not->toBeNull();
|
|
});
|
|
|
|
test('readonly users cannot verify tenant configuration', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('verify', $tenant)
|
|
->assertTableActionExists('verify', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant)
|
|
->callTableAction('verify', $tenant);
|
|
});
|
|
|
|
test('readonly users cannot setup intune rbac', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('setup_rbac', $tenant);
|
|
});
|
|
|
|
test('readonly users cannot edit tenants', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('edit', $tenant)
|
|
->assertTableActionExists('edit', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|
|
|
|
test('readonly users cannot open admin consent', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(\App\Filament\Resources\TenantResource::adminConsentUrl($tenant))->not->toBeNull();
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_MANAGE, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('admin_consent', $tenant)
|
|
->assertTableActionExists('admin_consent', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|
|
|
|
test('readonly users cannot start tenant sync from tenant menu', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
Filament::setTenant($tenant, true);
|
|
|
|
expect(Gate::forUser($user)->allows(\App\Support\Auth\Capabilities::TENANT_SYNC, $tenant))->toBeFalse();
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenants::class)
|
|
->assertTableActionDisabled('syncTenant', $tenant)
|
|
->assertTableActionExists('syncTenant', fn ($action): bool => $action->getTooltip() === UiTooltips::insufficientPermission(), $tenant);
|
|
});
|