ahmido
ec71c2d4e7
## Summary - harden finding lifecycle changes behind the canonical `FindingWorkflowService` gateway - route automated resolve and reopen flows through the same audited workflow path - tighten tenant and workspace scope checks on finding actions and audit visibility - add focused spec artifacts, workflow regression coverage, automation coverage, and audit visibility tests - update legacy finding model tests to use the workflow service after direct lifecycle mutators were removed ## Testing - `vendor/bin/sail bin pint --dirty --format agent` - focused findings and audit slices passed during implementation - `vendor/bin/sail artisan test --compact tests/Feature/Models/FindingResolvedTest.php` - full repository suite passed: `2757 passed`, `8 skipped`, `14448 assertions` ## Notes - Livewire v4.0+ compliance preserved - no new Filament assets or panel providers introduced; provider registration remains in `bootstrap/providers.php` - findings stay on existing Filament action surfaces, with destructive actions still confirmation-gated - no global search behavior was changed for findings resources Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #181
91 lines
3.7 KiB
PHP
91 lines
3.7 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Resources\FindingResource\Pages\ListFindings;
|
|
use App\Filament\Resources\FindingResource\Pages\ViewFinding;
|
|
use App\Models\Finding;
|
|
use App\Models\Tenant;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Filament\Facades\Filament;
|
|
use Livewire\Livewire;
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
|
|
|
it('keeps readonly workflow actions visible but disabled on list and view surfaces', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
$this->actingAs($user);
|
|
Filament::setTenant($tenant, true);
|
|
|
|
$finding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW);
|
|
|
|
Livewire::test(ListFindings::class)
|
|
->assertTableActionVisible('triage', $finding)
|
|
->assertTableActionDisabled('triage', $finding)
|
|
->assertTableActionVisible('resolve', $finding)
|
|
->assertTableActionDisabled('resolve', $finding);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
|
|
->assertActionVisible('triage')
|
|
->assertActionDisabled('triage')
|
|
->assertActionVisible('resolve')
|
|
->assertActionDisabled('resolve');
|
|
});
|
|
|
|
it('preserves the expected workflow action surface by finding status', function (): void {
|
|
[$user, $tenant] = $this->actingAsFindingOperator('owner');
|
|
|
|
$newFinding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_NEW);
|
|
$triagedFinding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_TRIAGED);
|
|
$resolvedFinding = $this->makeFindingForWorkflow($tenant, Finding::STATUS_RESOLVED);
|
|
|
|
Livewire::test(ListFindings::class)
|
|
->assertTableActionVisible('triage', $newFinding)
|
|
->assertTableActionHidden('start_progress', $newFinding)
|
|
->assertTableActionVisible('start_progress', $triagedFinding)
|
|
->assertTableActionHidden('reopen', $triagedFinding)
|
|
->filterTable('open', false)
|
|
->assertTableActionVisible('reopen', $resolvedFinding)
|
|
->assertTableActionHidden('triage', $resolvedFinding)
|
|
->assertTableActionHidden('close', $resolvedFinding)
|
|
->assertTableActionHidden('risk_accept', $resolvedFinding);
|
|
|
|
Livewire::test(ViewFinding::class, ['record' => $resolvedFinding->getKey()])
|
|
->assertActionVisible('reopen')
|
|
->assertActionHidden('triage')
|
|
->assertActionHidden('close')
|
|
->assertActionHidden('risk_accept');
|
|
});
|
|
|
|
it('returns 404 when forged foreign-tenant workflow actions are mounted for protected actions', function (): void {
|
|
$tenantA = Tenant::factory()->create();
|
|
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');
|
|
|
|
$tenantB = Tenant::factory()->create([
|
|
'workspace_id' => (int) $tenantA->workspace_id,
|
|
]);
|
|
|
|
createUserWithTenant(tenant: $tenantB, user: $user, role: 'owner');
|
|
|
|
$foreignFinding = $this->makeFindingForWorkflow($tenantB, Finding::STATUS_TRIAGED);
|
|
|
|
$this->actingAs($user);
|
|
Filament::setCurrentPanel('admin');
|
|
Filament::setTenant(null, true);
|
|
Filament::bootCurrentPanel();
|
|
|
|
session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantA->workspace_id);
|
|
session()->put(WorkspaceContext::LAST_TENANT_IDS_SESSION_KEY, [
|
|
(string) $tenantA->workspace_id => (int) $tenantA->getKey(),
|
|
]);
|
|
|
|
$component = Livewire::actingAs($user)->test(ListFindings::class);
|
|
|
|
expect(fn () => $component->instance()->mountTableAction('start_progress', (string) $foreignFinding->getKey()))
|
|
->toThrow(NotFoundHttpException::class);
|
|
|
|
expect(fn () => $component->instance()->mountTableAction('risk_accept', (string) $foreignFinding->getKey()))
|
|
->toThrow(NotFoundHttpException::class);
|
|
|
|
expect($foreignFinding->refresh()->status)->toBe(Finding::STATUS_TRIAGED);
|
|
});
|