TenantAtlas/apps/platform/tests/Feature/TenantRBAC/TenantDiagnosticsAccessTest.php

<?php

use App\Filament\Pages\TenantDiagnostics;
use App\Models\ManagedEnvironmentMembership;
use App\Support\Rbac\UiTooltips;
use Filament\Actions\Action;
use Filament\Facades\Filament;
use App\Models\ManagedEnvironment;
use App\Models\User;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Schema;
use Livewire\Livewire;

uses(RefreshDatabase::class);

it('returns 404 for the retired tenant diagnostics route', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $this->actingAs($user)
        ->get("/admin/t/{$tenant->external_id}/diagnostics")
        ->assertNotFound();
});

it('returns 404 for non-members on the tenant diagnostics page', function () {
    $tenant = ManagedEnvironment::factory()->create(['external_id' => 'tenant-diag-a']);
    $user = User::factory()->create();

    $this->actingAs($user)
        ->get("/admin/t/{$tenant->external_id}/diagnostics")
        ->assertNotFound();
});

it('shows disabled duplicate-scope repair affordances to readonly members when a defect exists', function () {
    [$user, $tenant] = createUserWithTenant(role: 'readonly');

    $this->actingAs($user);
    Filament::setTenant($tenant, true);

    Schema::table('managed_environment_memberships', function (Blueprint $table): void {
        $table->dropUnique(['managed_environment_id', 'user_id']);
    });

    ManagedEnvironmentMembership::query()->create([
        'managed_environment_id' => (int) $tenant->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'readonly',
        'source' => 'manual',
        'created_by_user_id' => (int) $user->getKey(),
    ]);

    Livewire::test(TenantDiagnostics::class)
        ->assertActionVisible('mergeDuplicateMemberships')
        ->assertActionDisabled('mergeDuplicateMemberships')
        ->assertActionExists('mergeDuplicateMemberships', function (Action $action): bool {
            return $action->getTooltip() === UiTooltips::INSUFFICIENT_PERMISSION;
        });
});