TenantAtlas/apps/platform/tests/Feature/Findings/FindingExceptionAuthorizationTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\FindingExceptionResource;
use App\Filament\Resources\FindingResource\Pages\ViewFinding;
use App\Models\Finding;
use App\Models\FindingException;
use Filament\Facades\Filament;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;

uses(RefreshDatabase::class);

it('disables request exception for readonly members and denies canonical queue access without approval capability', function (): void {
    [$readonly, $tenant] = createUserWithTenant(role: 'readonly');
    $finding = Finding::factory()->for($tenant)->create(['status' => Finding::STATUS_NEW]);

    $this->actingAs($readonly);
    Filament::setTenant($tenant, true);

    Livewire::test(ViewFinding::class, ['record' => $finding->getKey()])
        ->assertActionVisible('request_exception')
        ->assertActionDisabled('request_exception');

    Filament::setCurrentPanel('admin');
    Filament::setTenant(null, true);
    Filament::bootCurrentPanel();
    session()->put(\App\Support\Workspaces\WorkspaceContext::SESSION_KEY, (int) $tenant->workspace_id);

    $this->get('/admin/finding-exceptions/queue')->assertForbidden();
});

it('returns 404 for non-members on tenant exception routes', function (): void {
    [$owner, $tenant] = createUserWithTenant(role: 'owner');
    $tenantInSameWorkspace = \App\Models\ManagedEnvironment::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
    ]);
    [$outsider] = createUserWithTenant(tenant: $tenantInSameWorkspace, role: 'owner');

    $finding = Finding::factory()->for($tenant)->create();

    $exception = FindingException::query()->create([
        'managed_environment_id' => (int) $tenant->getKey(),
        'finding_id' => (int) $finding->getKey(),
        'requested_by_user_id' => (int) $owner->getKey(),
        'owner_user_id' => (int) $owner->getKey(),
        'status' => FindingException::STATUS_PENDING,
        'current_validity_state' => FindingException::VALIDITY_MISSING_SUPPORT,
        'request_reason' => 'Temporary governance request',
        'requested_at' => now(),
        'review_due_at' => now()->addDays(7),
        'evidence_summary' => ['reference_count' => 0],
    ]);

    $this->actingAs($outsider)
        ->get(FindingExceptionResource::getUrl('index', tenant: $tenant))
        ->assertNotFound();

    $this->actingAs($outsider)
        ->get(FindingExceptionResource::getUrl('view', ['record' => $exception], tenant: $tenant))
        ->assertNotFound();
});