TenantAtlas/tests/Feature/Rbac/PolicyVersionsRestoreToIntuneUiEnforcementTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\PolicyResource\Pages\ViewPolicy;
use App\Filament\Resources\PolicyResource\RelationManagers\VersionsRelationManager;
use App\Models\Policy;
use App\Models\PolicyVersion;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;

uses(RefreshDatabase::class);

describe('Policy versions relation manager restore-to-Intune UI enforcement', function () {
    it('disables restore action for readonly members', function (): void {
        [$user, $tenant] = createUserWithTenant(role: 'readonly');

        $tenant->makeCurrent();
        Filament::setTenant($tenant, true);

        $policy = Policy::factory()->create([
            'tenant_id' => $tenant->id,
        ]);

        $version = PolicyVersion::factory()->create([
            'tenant_id' => $tenant->id,
            'policy_id' => $policy->id,
            'metadata' => [],
        ]);

        Livewire::actingAs($user)
            ->test(VersionsRelationManager::class, [
                'ownerRecord' => $policy,
                'pageClass' => ViewPolicy::class,
            ])
            ->assertTableActionDisabled('restore_to_intune', $version);
    });

    it('disables restore action for metadata-only snapshots', function (): void {
        [$user, $tenant] = createUserWithTenant(role: 'owner');

        $tenant->makeCurrent();
        Filament::setTenant($tenant, true);

        $policy = Policy::factory()->create([
            'tenant_id' => $tenant->id,
        ]);

        $version = PolicyVersion::factory()->create([
            'tenant_id' => $tenant->id,
            'policy_id' => $policy->id,
            'metadata' => ['source' => 'metadata_only'],
        ]);

        Livewire::actingAs($user)
            ->test(VersionsRelationManager::class, [
                'ownerRecord' => $policy,
                'pageClass' => ViewPolicy::class,
            ])
            ->assertTableActionDisabled('restore_to_intune', $version);
    });

    it('hides restore action after membership is revoked mid-session', function (): void {
        [$user, $tenant] = createUserWithTenant(role: 'owner');

        $tenant->makeCurrent();
        Filament::setTenant($tenant, true);

        $policy = Policy::factory()->create([
            'tenant_id' => $tenant->id,
        ]);

        $version = PolicyVersion::factory()->create([
            'tenant_id' => $tenant->id,
            'policy_id' => $policy->id,
            'metadata' => [],
        ]);

        $component = Livewire::actingAs($user)
            ->test(VersionsRelationManager::class, [
                'ownerRecord' => $policy,
                'pageClass' => ViewPolicy::class,
            ]);

        $user->tenants()->detach($tenant->getKey());
        app(\App\Services\Auth\CapabilityResolver::class)->clearCache();

        $component
            ->call('$refresh')
            ->assertTableActionHidden('restore_to_intune', $version);
    });
});