TenantAtlas/tests/Feature/TenantReview/TenantReviewRegisterRbacTest.php

<?php

declare(strict_types=1);

use App\Filament\Pages\Reviews\ReviewRegister;
use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Workspaces\WorkspaceContext;

it('returns 404 for users outside the active workspace on the canonical review register', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    $this->actingAs($user)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
        ->get(ReviewRegister::getUrl(panel: 'admin'))
        ->assertNotFound();
});

it('returns 404 for workspace members that have no tenant-review visibility in the active workspace', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'owner',
    ]);

    $this->actingAs($user)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
        ->get(ReviewRegister::getUrl(panel: 'admin'))
        ->assertNotFound();
});

it('allows entitled workspace members to access the canonical review register', function (): void {
    $tenant = Tenant::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
    composeTenantReviewForTest($tenant, $user);

    $this->actingAs($user)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
        ->get(ReviewRegister::getUrl(panel: 'admin'))
        ->assertOk();
});