110 lines
4.3 KiB
PHP
110 lines
4.3 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Resources\EvidenceSnapshotResource;
|
|
use App\Filament\Resources\TenantResource;
|
|
use App\Models\EvidenceSnapshot;
|
|
use App\Models\Tenant;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Support\Auth\Capabilities;
|
|
use App\Support\Evidence\EvidenceCompletenessState;
|
|
use App\Support\Evidence\EvidenceSnapshotStatus;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
use Illuminate\Support\Facades\Gate;
|
|
|
|
it('returns 403 for a member without managed-tenant manage capability when accessing edit', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user] = createUserWithTenant($tenant, role: 'readonly');
|
|
|
|
$this->actingAs($user)
|
|
->get(TenantResource::getUrl('edit', ['record' => $tenant]))
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('returns 404 for a non-member attempting to access a workspace managed-tenant list', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
Tenant::factory()->create(['workspace_id' => $workspace->getKey()]);
|
|
|
|
$user = User::factory()->create();
|
|
|
|
$otherWorkspace = Workspace::factory()->create();
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => $otherWorkspace->getKey(),
|
|
'user_id' => $user->getKey(),
|
|
'role' => 'readonly',
|
|
]);
|
|
|
|
$user->forceFill(['last_workspace_id' => $otherWorkspace->getKey()])->save();
|
|
|
|
$this->actingAs($user)
|
|
->get('/admin/w/'.$workspace->slug.'/managed-tenants')
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('returns 403 for an in-scope tenant member without evidence view capability on the evidence list', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
[$user] = createUserWithTenant($tenant, role: 'owner');
|
|
|
|
Gate::define(Capabilities::EVIDENCE_VIEW, fn (): bool => false);
|
|
|
|
$this->actingAs($user)
|
|
->get(EvidenceSnapshotResource::getUrl('index', tenant: $tenant))
|
|
->assertForbidden();
|
|
});
|
|
|
|
it('returns 404 for a non-member attempting to access an evidence snapshot detail route', function (): void {
|
|
$tenant = Tenant::factory()->create();
|
|
$snapshot = EvidenceSnapshot::query()->create([
|
|
'tenant_id' => (int) $tenant->getKey(),
|
|
'workspace_id' => (int) $tenant->workspace_id,
|
|
'status' => EvidenceSnapshotStatus::Active->value,
|
|
'completeness_state' => EvidenceCompletenessState::Complete->value,
|
|
'summary' => [],
|
|
'generated_at' => now(),
|
|
]);
|
|
|
|
[$user] = createUserWithTenant(role: 'owner');
|
|
|
|
$this->actingAs($user)
|
|
->get(EvidenceSnapshotResource::getUrl('view', ['record' => $snapshot], tenant: $tenant))
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('suppresses non-entitled tenants from the workspace evidence overview', function (): void {
|
|
$tenantA = Tenant::factory()->create();
|
|
[$user, $tenantA] = createUserWithTenant(tenant: $tenantA, role: 'owner');
|
|
$tenantDenied = Tenant::factory()->create(['workspace_id' => (int) $tenantA->workspace_id]);
|
|
createUserWithTenant(tenant: $tenantDenied, user: $user, role: 'owner');
|
|
|
|
Gate::define(Capabilities::EVIDENCE_VIEW, fn (User $actor, Tenant $tenant): bool => (int) $tenant->getKey() === (int) $tenantA->getKey());
|
|
|
|
EvidenceSnapshot::query()->create([
|
|
'tenant_id' => (int) $tenantA->getKey(),
|
|
'workspace_id' => (int) $tenantA->workspace_id,
|
|
'status' => EvidenceSnapshotStatus::Active->value,
|
|
'completeness_state' => EvidenceCompletenessState::Complete->value,
|
|
'summary' => ['missing_dimensions' => 0, 'stale_dimensions' => 0],
|
|
'generated_at' => now(),
|
|
]);
|
|
|
|
EvidenceSnapshot::query()->create([
|
|
'tenant_id' => (int) $tenantDenied->getKey(),
|
|
'workspace_id' => (int) $tenantDenied->workspace_id,
|
|
'status' => EvidenceSnapshotStatus::Active->value,
|
|
'completeness_state' => EvidenceCompletenessState::Missing->value,
|
|
'summary' => ['missing_dimensions' => 2, 'stale_dimensions' => 0],
|
|
'generated_at' => now(),
|
|
]);
|
|
|
|
$this->actingAs($user)
|
|
->withSession([WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id])
|
|
->get(route('admin.evidence.overview'))
|
|
->assertOk()
|
|
->assertSee(EvidenceSnapshotResource::getUrl('index', tenant: $tenantA))
|
|
->assertDontSee(EvidenceSnapshotResource::getUrl('index', tenant: $tenantDenied));
|
|
});
|