144 lines
5.2 KiB
PHP
144 lines
5.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Pages\BaselineCompareLanding;
|
|
use App\Filament\Resources\BaselineProfileResource;
|
|
use App\Filament\Resources\FindingResource;
|
|
use App\Models\User;
|
|
use App\Services\Auth\CapabilityResolver;
|
|
use App\Services\Auth\WorkspaceCapabilityResolver;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\Navigation\CanonicalNavigationContext;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Gate;
|
|
use Livewire\Livewire;
|
|
use Tests\Feature\Concerns\BuildsBaselineCompareMatrixFixtures;
|
|
|
|
uses(RefreshDatabase::class, BuildsBaselineCompareMatrixFixtures::class);
|
|
|
|
it('returns 404 for non-members on the workspace baseline compare matrix', function (): void {
|
|
$fixture = $this->makeBaselineCompareMatrixFixture();
|
|
$nonMember = User::factory()->create();
|
|
|
|
$this->actingAs($nonMember)->withSession([
|
|
\App\Support\Workspaces\WorkspaceContext::SESSION_KEY => (int) $fixture['workspace']->getKey(),
|
|
]);
|
|
|
|
$this->get(BaselineProfileResource::compareMatrixUrl($fixture['profile']))
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('returns 403 for workspace members missing baseline view capability on the matrix route', function (): void {
|
|
$fixture = $this->makeBaselineCompareMatrixFixture();
|
|
$viewer = User::factory()->create();
|
|
|
|
\App\Models\WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $fixture['workspace']->getKey(),
|
|
'user_id' => (int) $viewer->getKey(),
|
|
'role' => 'readonly',
|
|
]);
|
|
|
|
$resolver = \Mockery::mock(WorkspaceCapabilityResolver::class);
|
|
$resolver->shouldReceive('isMember')->andReturnTrue();
|
|
$resolver->shouldReceive('can')->andReturnFalse();
|
|
app()->instance(WorkspaceCapabilityResolver::class, $resolver);
|
|
|
|
$this->actingAs($viewer)->withSession([
|
|
\App\Support\Workspaces\WorkspaceContext::SESSION_KEY => (int) $fixture['workspace']->getKey(),
|
|
]);
|
|
|
|
$this->get(BaselineProfileResource::compareMatrixUrl($fixture['profile']))
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('returns 404 for matrix tenant drilldowns when the actor is not a tenant member', function (): void {
|
|
$fixture = $this->makeBaselineCompareMatrixFixture();
|
|
$nonMember = User::factory()->create();
|
|
|
|
$this->actingAs($nonMember)->withSession([
|
|
\App\Support\Workspaces\WorkspaceContext::SESSION_KEY => (int) $fixture['workspace']->getKey(),
|
|
]);
|
|
|
|
$query = CanonicalNavigationContext::forBaselineCompareMatrix(
|
|
$fixture['profile'],
|
|
subjectKey: 'wifi-corp-profile',
|
|
)->toQuery();
|
|
|
|
$this->get(BaselineCompareLanding::getUrl(parameters: $query, panel: 'tenant', tenant: $fixture['visibleTenant']))
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('returns 403 for matrix tenant drilldowns when tenant view capability is missing', function (): void {
|
|
$fixture = $this->makeBaselineCompareMatrixFixture();
|
|
|
|
$resolver = \Mockery::mock(CapabilityResolver::class);
|
|
$resolver->shouldReceive('isMember')->andReturnTrue();
|
|
$resolver->shouldReceive('can')->andReturnFalse();
|
|
app()->instance(CapabilityResolver::class, $resolver);
|
|
|
|
$this->actingAs($fixture['user']);
|
|
$fixture['visibleTenant']->makeCurrent();
|
|
|
|
$query = CanonicalNavigationContext::forBaselineCompareMatrix(
|
|
$fixture['profile'],
|
|
subjectKey: 'wifi-corp-profile',
|
|
tenant: $fixture['visibleTenant'],
|
|
)->toQuery();
|
|
|
|
$this->get(BaselineCompareLanding::getUrl(parameters: $query, panel: 'tenant', tenant: $fixture['visibleTenant']))
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('returns 403 for matrix finding drilldowns when findings view capability is missing', function (): void {
|
|
$fixture = $this->makeBaselineCompareMatrixFixture();
|
|
|
|
$run = $this->makeBaselineCompareMatrixRun(
|
|
$fixture['visibleTenant'],
|
|
$fixture['profile'],
|
|
$fixture['snapshot'],
|
|
);
|
|
|
|
$finding = $this->makeBaselineCompareMatrixFinding(
|
|
$fixture['visibleTenant'],
|
|
$fixture['profile'],
|
|
$run,
|
|
'wifi-corp-profile',
|
|
);
|
|
|
|
$this->actingAs($fixture['user']);
|
|
$fixture['visibleTenant']->makeCurrent();
|
|
|
|
Gate::define(Capabilities::TENANT_FINDINGS_VIEW, fn (): bool => false);
|
|
|
|
$query = CanonicalNavigationContext::forBaselineCompareMatrix(
|
|
$fixture['profile'],
|
|
subjectKey: 'wifi-corp-profile',
|
|
tenant: $fixture['visibleTenant'],
|
|
)->toQuery();
|
|
|
|
$this->get(FindingResource::getUrl('view', [
|
|
'record' => $finding,
|
|
...$query,
|
|
], tenant: $fixture['visibleTenant']))
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('drops foreign compare-context launch data instead of leaking another workspace profile', function (): void {
|
|
$fixture = $this->makeBaselineCompareMatrixFixture();
|
|
|
|
$foreignProfile = \App\Models\BaselineProfile::factory()->create();
|
|
|
|
$this->actingAs($fixture['user']);
|
|
$fixture['visibleTenant']->makeCurrent();
|
|
|
|
$component = Livewire::withQueryParams([
|
|
'baseline_profile_id' => (int) $foreignProfile->getKey(),
|
|
'subject_key' => 'wifi-corp-profile',
|
|
])->test(BaselineCompareLanding::class);
|
|
|
|
expect($component->instance()->openCompareMatrixUrl())
|
|
->toStartWith(BaselineProfileResource::compareMatrixUrl($fixture['profile']))
|
|
->not->toContain((string) $foreignProfile->getKey());
|
|
});
|