ahmido
a97beefda3
Kurzbeschreibung Versteckt die Rerun-Row-Action für archivierte (soft-deleted) RestoreRuns und verhindert damit fehlerhafte Neu-Starts aus dem Archiv; ergänzt einen Regressionstest. Änderungen Code: RestoreRunResource.php — Sichtbarkeit der rerun-Action geprüft auf ! $record->trashed() und defensive Abbruchprüfung im Action-Handler. Tests: RestoreRunRerunTest.php — neuer Test rerun action is hidden for archived restore runs. Warum Archivierte RestoreRuns durften nicht neu gestartet werden; UI zeigte trotzdem die Option. Das führte zu verwirrendem Verhalten und möglichen Fehlern beim Enqueueing. Verifikation / QA Unit/Feature: ./vendor/bin/sail artisan test tests/Feature/RestoreRunRerunTest.php Stil/format: ./vendor/bin/pint --dirty Manuell (UI): Als Tenant-Admin Filament → Restore Runs öffnen. Filter Archived aktivieren (oder Trashed filter auswählen). Sicherstellen, dass für archivierte Einträge die Rerun-Action nicht sichtbar ist. Auf einem aktiven (nicht-archivierten) Run prüfen, dass Rerun sichtbar bleibt und wie erwartet eine neue RestoreRun erzeugt. Wichtige Hinweise Kein DB-Migration required. Diese PR enthält nur den UI-/Filament-Fix; die zuvor gemachten operative Fixes für Queue/adapter-Reconciliation bleiben ebenfalls auf dem Branch (z. B. frühere commits während der Debugging-Session). T055 (Schema squash) wurde bewusst zurückgestellt und ist nicht Teil dieses PRs. Merge-Checklist Tests lokal laufen (RestoreRunRerunTest grünt) Pint läuft ohne ungepatchte Fehler Branch gepusht: 056-remove-legacy-bulkops (PR-URL: https://git.cloudarix.de/ahmido/TenantAtlas/compare/dev...056-remove-legacy-bulkops) Co-authored-by: Ahmed Darrazi <ahmeddarrazi@adsmac.local> Reviewed-on: #65
141 lines
4.8 KiB
PHP
141 lines
4.8 KiB
PHP
<?php
|
|
|
|
use App\Filament\Resources\OperationRunResource;
|
|
use App\Models\OperationRun;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Services\Graph\GraphClientInterface;
|
|
|
|
it('allows access to monitoring page for tenant members', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
$user = User::factory()->create();
|
|
$tenant->users()->attach($user);
|
|
|
|
$run = OperationRun::create([
|
|
'tenant_id' => $tenant->id,
|
|
'type' => 'policy.sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'initiator_name' => 'System',
|
|
'run_identity_hash' => 'hash123',
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(OperationRunResource::getUrl('index', tenant: $tenant))
|
|
->assertSuccessful()
|
|
->assertSee('Policy sync');
|
|
});
|
|
|
|
it('renders monitoring pages DB-only (never calls Graph)', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
$user = User::factory()->create();
|
|
$tenant->users()->attach($user);
|
|
|
|
$run = OperationRun::create([
|
|
'tenant_id' => $tenant->id,
|
|
'type' => 'policy.sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'initiator_name' => 'System',
|
|
'run_identity_hash' => 'hash123',
|
|
]);
|
|
|
|
$this->mock(GraphClientInterface::class, function ($mock): void {
|
|
$mock->shouldReceive('listPolicies')->never();
|
|
$mock->shouldReceive('getPolicy')->never();
|
|
$mock->shouldReceive('getOrganization')->never();
|
|
$mock->shouldReceive('applyPolicy')->never();
|
|
$mock->shouldReceive('getServicePrincipalPermissions')->never();
|
|
$mock->shouldReceive('request')->never();
|
|
});
|
|
|
|
$this->actingAs($user)
|
|
->get(OperationRunResource::getUrl('index', tenant: $tenant))
|
|
->assertSuccessful();
|
|
|
|
$this->actingAs($user)
|
|
->get(OperationRunResource::getUrl('view', ['record' => $run], tenant: $tenant))
|
|
->assertSuccessful();
|
|
});
|
|
|
|
it('shows runs only for current tenant', function () {
|
|
$tenantA = Tenant::factory()->create();
|
|
$tenantB = Tenant::factory()->create();
|
|
$user = User::factory()->create();
|
|
$tenantA->users()->attach($user);
|
|
|
|
// We must simulate being in tenant context
|
|
$this->actingAs($user);
|
|
// Filament::setTenant($tenantA); // This is usually handled by middleware on routes, but in Livewire test we might need manual set or route visit.
|
|
|
|
// Easier approach: visit the page for tenantA
|
|
|
|
OperationRun::create([
|
|
'tenant_id' => $tenantA->id,
|
|
'type' => 'policy.sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'initiator_name' => 'System',
|
|
'run_identity_hash' => 'hashA',
|
|
]);
|
|
|
|
OperationRun::create([
|
|
'tenant_id' => $tenantB->id,
|
|
'type' => 'inventory.sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'initiator_name' => 'System',
|
|
'run_identity_hash' => 'hashB',
|
|
]);
|
|
|
|
// Livewire::test needs to know the tenant if the component relies on it.
|
|
// However, the component relies on `Filament::getTenant()`.
|
|
// The cleanest way is to just GET the page URL, which runs middleware.
|
|
|
|
$this->get(OperationRunResource::getUrl('index', tenant: $tenantA))
|
|
->assertSee('Policy sync')
|
|
->assertDontSee('Inventory sync');
|
|
});
|
|
|
|
it('allows readonly users to view operations list and detail', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
$user = User::factory()->create();
|
|
$tenant->users()->attach($user, ['role' => 'readonly']);
|
|
|
|
$run = OperationRun::create([
|
|
'tenant_id' => $tenant->id,
|
|
'type' => 'policy.sync',
|
|
'status' => 'queued',
|
|
'outcome' => 'pending',
|
|
'initiator_name' => 'System',
|
|
'run_identity_hash' => 'hash123',
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->get(OperationRunResource::getUrl('index', tenant: $tenant))
|
|
->assertSuccessful()
|
|
->assertSee('Policy sync');
|
|
|
|
$this->actingAs($user)
|
|
->get(OperationRunResource::getUrl('view', ['record' => $run], tenant: $tenant))
|
|
->assertSuccessful()
|
|
->assertSee('Policy sync');
|
|
});
|
|
|
|
it('denies access to unauthorized users', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
$user = User::factory()->create();
|
|
// Not attached to tenant
|
|
|
|
// In a multitenant app, if you try to access a tenant route you are not part of,
|
|
// Filament typically returns 404 (Not Found) if it can't find the tenant-user relationship, or 403.
|
|
// The previous fail said "Received 404". This confirms Filament couldn't find the tenant for this user scope or just hides it.
|
|
// We should accept 404 or 403.
|
|
|
|
$response = $this->actingAs($user)
|
|
->get(OperationRunResource::getUrl('index', tenant: $tenant));
|
|
|
|
// Allow either 403 or 404 as "Denied"
|
|
$this->assertTrue(in_array($response->status(), [403, 404]));
|
|
});
|