TenantAtlas/tests/Feature/Onboarding/OnboardingRbacSemanticsTest.php

<?php

declare(strict_types=1);

use App\Filament\Pages\Workspaces\ManagedTenantOnboardingWizard;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Workspaces\WorkspaceContext;
use Livewire\Livewire;

it('returns 404 for non-members when visiting /admin/onboarding with a selected workspace', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $this->actingAs($user)
        ->get('/admin/onboarding')
        ->assertNotFound();
});

it('forbids workspace members without onboarding capability from loading the page or executing actions', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'readonly',
    ]);

    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $this->actingAs($user)
        ->get('/admin/onboarding')
        ->assertForbidden();

    Livewire::actingAs($user)
        ->test(ManagedTenantOnboardingWizard::class)
        ->assertForbidden();
});