TenantAtlas/tests/Feature/Rbac/TenantResourceAuthorizationTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\TenantResource;
use App\Models\Tenant;
use App\Models\User;

describe('Tenant resource authorization', function () {
    it('cannot be created by non-members', function () {
        $user = User::factory()->create();

        $this->actingAs($user);

        expect(TenantResource::canCreate())->toBeFalse();
    });

    it('cannot be created via CRUD (onboarding wizard is the only path)', function () {
        [$user] = createUserWithTenant(role: 'manager');

        $this->actingAs($user);

        expect(TenantResource::canCreate())->toBeFalse();
    });

    it('can be edited by managers (TENANT_MANAGE)', function () {
        [$user, $tenant] = createUserWithTenant(role: 'manager');

        $this->actingAs($user);

        expect(TenantResource::canEdit($tenant))->toBeTrue();
    });

    it('cannot be deleted by managers (TENANT_DELETE)', function () {
        [$user, $tenant] = createUserWithTenant(role: 'manager');

        $this->actingAs($user);

        expect(TenantResource::canDelete($tenant))->toBeFalse();
    });

    it('can be deleted by owners (TENANT_DELETE)', function () {
        [$user, $tenant] = createUserWithTenant(role: 'owner');

        $this->actingAs($user);

        expect(TenantResource::canDelete($tenant))->toBeTrue();
    });

    it('cannot edit tenants it cannot access', function () {
        [$user] = createUserWithTenant(role: 'manager');
        $otherTenant = Tenant::factory()->create();

        $this->actingAs($user);

        expect(TenantResource::canEdit($otherTenant))->toBeFalse();
    });
});