ahmido
440e63edff
## Summary
Implements Spec 145 for tenant action taxonomy and lifecycle-safe visibility.
This PR:
- adds a central tenant action policy surface and supporting value objects
- aligns tenant list, detail, edit, onboarding, and widget surfaces around lifecycle-safe actions
- standardizes operator-facing lifecycle wording around View, Resume onboarding, Archive, Restore, and Complete onboarding
- tightens onboarding and tenant lifecycle authorization semantics, including honest 404 vs 403 behavior
- updates related regression coverage and spec artifacts for Spec 145
- fixes follow-on full-suite regressions uncovered during validation, including onboarding browser flows, provider consent fixtures, workspace redirect DI expectations, and critical table/action/UI expectation drift
## Validation
Executed and passed:
- vendor/bin/sail bin pint --dirty --format agent
- vendor/bin/sail artisan test --compact
Result:
- 2581 passed
- 8 skipped
- 13534 assertions
## Notes
- Base branch: dev
- Feature branch commit: a33a41b
- Filament v5 / Livewire v4 compliance preserved
- No panel provider registration changes; Laravel 12 provider registration remains in bootstrap/providers.php
- No new globally searchable resource behavior added in this slice
- Destructive lifecycle actions remain confirmation-gated and authorization-protected
Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #174
169 lines
6.1 KiB
PHP
169 lines
6.1 KiB
PHP
<?php
|
|
|
|
use App\Filament\Resources\PolicyResource;
|
|
use App\Filament\Resources\PolicyResource\Pages\ListPolicies;
|
|
use App\Filament\Resources\TenantResource\Pages\ListTenants as ListTenantsPage;
|
|
use App\Models\OperationRun;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Support\Facades\Queue;
|
|
use Livewire\Livewire;
|
|
|
|
/**
|
|
* Tests for US2: Non-members cannot infer tenant resources
|
|
*
|
|
* These tests verify that UiEnforcement correctly handles:
|
|
* - Non-members → action hidden in UI (prevents discovery)
|
|
* - Non-members → action blocked from execution (no side effects)
|
|
* - Membership revoked mid-session → still enforces protection
|
|
*
|
|
* Note on 404 behavior:
|
|
* In Filament v5, hidden actions are treated as disabled and return 200 (no execution)
|
|
* rather than 404. This is because Filament's action system doesn't support custom
|
|
* HTTP status codes for blocked actions. The security guarantee is:
|
|
* - Non-members cannot discover actions (hidden in UI)
|
|
* - Non-members cannot execute actions (blocked by Filament's isHidden check)
|
|
* - No side effects occur (jobs not pushed, data not modified)
|
|
*
|
|
* True 404 enforcement happens at the page/routing level via tenant middleware.
|
|
*/
|
|
describe('US2: Non-member sees action hidden in UI', function () {
|
|
beforeEach(function () {
|
|
Queue::fake();
|
|
});
|
|
|
|
it('hides non-member tenants from the tenant management list before lifecycle actions can be discovered', function (): void {
|
|
$visibleTenant = Tenant::factory()->active()->create();
|
|
$hiddenTenant = Tenant::factory()->archived()->create([
|
|
'workspace_id' => (int) $visibleTenant->workspace_id,
|
|
]);
|
|
|
|
[$user, $visibleTenant] = createUserWithTenant(tenant: $visibleTenant, role: 'owner');
|
|
|
|
Filament::setTenant($visibleTenant, true);
|
|
|
|
Livewire::actingAs($user)
|
|
->test(ListTenantsPage::class)
|
|
->assertCanSeeTableRecords([$visibleTenant])
|
|
->assertCanNotSeeTableRecords([$hiddenTenant]);
|
|
|
|
$this->actingAs($user)
|
|
->get(PolicyResource::getUrl('index', tenant: $hiddenTenant))
|
|
->assertNotFound();
|
|
|
|
Queue::assertNothingPushed();
|
|
});
|
|
|
|
it('hides sync action for users who are not members of the tenant', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
$otherTenant = Tenant::factory()->create();
|
|
|
|
// Create user with a valid workspace context, but without membership to $tenant
|
|
[$user] = createUserWithTenant(tenant: $otherTenant, role: 'owner');
|
|
|
|
$this->actingAs($user)
|
|
->get(PolicyResource::getUrl('index', tenant: $tenant))
|
|
->assertNotFound();
|
|
|
|
Queue::assertNothingPushed();
|
|
});
|
|
|
|
it('hides sync action for authenticated users accessing wrong tenant', function () {
|
|
// User is member of tenantA but accessing tenantB
|
|
[$user, $tenantA] = createUserWithTenant(role: 'owner');
|
|
$tenantB = Tenant::factory()->create();
|
|
// User has no membership to tenantB
|
|
|
|
$this->actingAs($user)
|
|
->get(PolicyResource::getUrl('index', tenant: $tenantB))
|
|
->assertNotFound();
|
|
|
|
Queue::assertNothingPushed();
|
|
});
|
|
});
|
|
|
|
describe('US2: Non-member action execution is blocked', function () {
|
|
beforeEach(function () {
|
|
Queue::fake();
|
|
});
|
|
|
|
it('blocks action execution for non-members (no side effects)', function () {
|
|
$tenant = Tenant::factory()->create();
|
|
$otherTenant = Tenant::factory()->create();
|
|
|
|
// Create user with a valid workspace context, but without membership to $tenant
|
|
[$user] = createUserWithTenant(tenant: $otherTenant, role: 'owner');
|
|
// No membership
|
|
|
|
$this->actingAs($user)
|
|
->get(PolicyResource::getUrl('index', tenant: $tenant))
|
|
->assertNotFound();
|
|
|
|
// Verify no side effects
|
|
Queue::assertNothingPushed();
|
|
expect(OperationRun::query()->where('tenant_id', $tenant->getKey())->count())->toBe(0);
|
|
});
|
|
});
|
|
|
|
describe('US2: Membership revoked mid-session still enforces protection', function () {
|
|
beforeEach(function () {
|
|
Queue::fake();
|
|
});
|
|
|
|
it('blocks action execution when membership is revoked between page load and action click', function () {
|
|
bindFailHardGraphClient();
|
|
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
// Start the test - action should be visible for member
|
|
$component = Livewire::actingAs($user)
|
|
->test(ListPolicies::class)
|
|
->assertActionVisible('sync')
|
|
->assertActionEnabled('sync');
|
|
|
|
// Simulate membership revocation mid-session
|
|
$user->tenants()->detach($tenant->getKey());
|
|
|
|
// Clear capability cache to ensure fresh check
|
|
app(\App\Services\Auth\CapabilityResolver::class)->clearCache();
|
|
|
|
// Now try to execute - action is now hidden (via fresh isVisible evaluation)
|
|
// Filament blocks execution (returns 200 but no side effects)
|
|
$component
|
|
->mountAction('sync')
|
|
->callMountedAction()
|
|
->assertSuccessful();
|
|
|
|
// Verify no side effects
|
|
Queue::assertNothingPushed();
|
|
expect(OperationRun::query()->where('tenant_id', $tenant->getKey())->count())->toBe(0);
|
|
});
|
|
|
|
it('hides action in UI after membership revocation on re-render', function () {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
$tenant->makeCurrent();
|
|
Filament::setTenant($tenant, true);
|
|
|
|
// Initial state - action visible
|
|
Livewire::actingAs($user)
|
|
->test(ListPolicies::class)
|
|
->assertActionVisible('sync');
|
|
|
|
// Revoke membership
|
|
$user->tenants()->detach($tenant->getKey());
|
|
app(\App\Services\Auth\CapabilityResolver::class)->clearCache();
|
|
|
|
// New request (simulates page refresh) should now be tenant-denied
|
|
$this->actingAs($user)
|
|
->get(PolicyResource::getUrl('index', tenant: $tenant))
|
|
->assertNotFound();
|
|
|
|
Queue::assertNothingPushed();
|
|
});
|
|
});
|