ahmido
360d20e881
## Summary - retire the tenant panel runtime and converge operator routing on the workspace-first admin shell - update tenant, operations, and required-permissions navigation helpers to use canonical workspace-scoped URLs - repair the focused feature coverage, add the Spec 280 browser smoke, and record the implementation close-out in the requirements checklist ## Validation - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Feature/WorkspaceFoundation tests/Feature/Workspaces tests/Feature/ManagedEnvironment tests/Feature/RequiredPermissions tests/Feature/Operations tests/Feature/MonitoringOperationsTest.php` - `cd apps/platform && ./vendor/bin/sail artisan test --compact tests/Browser/Spec280WorkspaceTenancyEnvironmentRoutingSmokeTest.php` - `cd apps/platform && ./vendor/bin/sail bin pint --dirty --format agent` ## Note - `origin/platform` is not present on the remote; `platform-dev` is the clean base branch that limits this PR to the Spec 280 prep commit plus the implementation commit. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #340
194 lines
7.2 KiB
PHP
194 lines
7.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
use App\Filament\Pages\TenantDashboard;
|
|
use App\Models\ManagedEnvironment;
|
|
use App\Models\User;
|
|
use App\Models\Workspace;
|
|
use App\Models\WorkspaceMembership;
|
|
use App\Support\Links\RequiredPermissionsLinks;
|
|
use App\Support\Workspaces\WorkspaceContext;
|
|
|
|
/*
|
|
|--------------------------------------------------------------------------
|
|
| T001 — Sidebar context tests for Required Permissions page
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
| Verifies that the Required Permissions page (a workspace-scoped page
|
|
| that uses {tenant} for data display only) always renders the workspace
|
|
| sidebar — never the tenant sidebar. Also verifies FR-002: authorization
|
|
| (404 for non-members) still works after the middleware change.
|
|
|
|
|
*/
|
|
|
|
it('renders workspace navigation items on the required permissions page', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$response = $this->actingAs($user)
|
|
->get(RequiredPermissionsLinks::requiredPermissions($tenant));
|
|
|
|
$response->assertOk();
|
|
|
|
// Workspace nav items from configureNavigationForRequest() workspace builder
|
|
$response->assertSee('Operations', false);
|
|
$response->assertSee('Audit Log', false);
|
|
});
|
|
|
|
it('does not render tenant navigation items on the required permissions page', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$response = $this->actingAs($user)
|
|
->get(RequiredPermissionsLinks::requiredPermissions($tenant));
|
|
|
|
$response->assertOk();
|
|
|
|
// ManagedEnvironment-scoped nav groups/items must NOT appear
|
|
$response->assertDontSee('>Inventory</span>', false);
|
|
$response->assertDontSee('>Backups & Restore</span>', false);
|
|
});
|
|
|
|
it('shows workspace sidebar when navigating directly via URL', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$response = $this->actingAs($user)
|
|
->get(RequiredPermissionsLinks::requiredPermissions($tenant));
|
|
|
|
$response->assertOk();
|
|
|
|
// Workspace nav present (Operations is always visible in workspace nav)
|
|
$response->assertSee('Operations', false);
|
|
$response->assertSee('Audit Log', false);
|
|
|
|
// ManagedEnvironment nav absent
|
|
$response->assertDontSee('>Directory</span>', false);
|
|
$response->assertDontSee('>Governance</span>', false);
|
|
});
|
|
|
|
it('returns 404 for non-workspace-members with stale session (FR-002 regression guard)', function (): void {
|
|
$user = User::factory()->create();
|
|
$workspace = Workspace::factory()->create();
|
|
$tenant = ManagedEnvironment::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
]);
|
|
|
|
// User is NOT a workspace member, so the canonical route is deny-as-not-found.
|
|
$this->actingAs($user)
|
|
->withSession([
|
|
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
|
|
])
|
|
->get(RequiredPermissionsLinks::requiredPermissions($tenant))
|
|
->assertNotFound();
|
|
});
|
|
|
|
it('returns 404 for workspace members without tenant entitlement after middleware change (FR-002 regression guard)', function (): void {
|
|
$user = User::factory()->create();
|
|
$workspace = Workspace::factory()->create();
|
|
$tenant = ManagedEnvironment::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
]);
|
|
|
|
WorkspaceMembership::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'user_id' => (int) $user->getKey(),
|
|
'role' => 'owner',
|
|
]);
|
|
|
|
// User IS a workspace member but NOT entitled to this tenant
|
|
$this->actingAs($user)
|
|
->withSession([
|
|
WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
|
|
])
|
|
->get(RequiredPermissionsLinks::requiredPermissions($tenant))
|
|
->assertNotFound();
|
|
});
|
|
|
|
/*
|
|
|--------------------------------------------------------------------------
|
|
| T002 — Regression: tenant-scoped pages still show tenant sidebar
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
| Verifies that the middleware change does NOT affect environment-scoped pages.
|
|
| Workspace-first environment pages must continue to show tenant sidebar.
|
|
|
|
|
*/
|
|
|
|
it('still renders tenant sidebar on tenant-scoped pages (regression guard)', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'owner');
|
|
|
|
// Use the managed-environment dashboard — a known environment-scoped URL
|
|
$response = $this->actingAs($user)
|
|
->get(TenantDashboard::getUrl(tenant: $tenant));
|
|
|
|
$response->assertOk();
|
|
|
|
// Environment-scoped affordances must still be present on tenant pages.
|
|
$response->assertSee('Switch tenant', false)
|
|
->assertSee('Clear tenant scope', false);
|
|
});
|
|
|
|
/*
|
|
|--------------------------------------------------------------------------
|
|
| T007 — Context bar: tenant name is visible on the page
|
|
|--------------------------------------------------------------------------
|
|
|
|
|
| The page's $scopedTenant is resolved from the route param via
|
|
| resolveScopedTenant() — NOT from Filament::getTenant(). So the tenant
|
|
| data is available even though Filament::setTenant() is skipped.
|
|
| Verify the page renders successfully and that the tenant's data is used.
|
|
|
|
|
*/
|
|
|
|
it('resolves scoped tenant correctly with workspace sidebar (context bar / US2)', function (): void {
|
|
[$user, $tenant] = createUserWithTenant(role: 'readonly');
|
|
|
|
$response = $this->actingAs($user)
|
|
->get(RequiredPermissionsLinks::requiredPermissions($tenant));
|
|
|
|
$response->assertOk();
|
|
|
|
// The page resolves $scopedTenant from route param and uses it for visible page context.
|
|
$response->assertSee($tenant->getFilamentName(), false);
|
|
$response->assertSee('Required permissions', false);
|
|
|
|
// The page uses $scopedTenant for links (e.g., "Re-run verification" links back to TenantResource)
|
|
// If $scopedTenant were null, the page would abort(404) in mount().
|
|
// The fact that we get 200 proves $scopedTenant resolved correctly despite setTenant() being skipped.
|
|
|
|
// Workspace nav present (sidebar fix working)
|
|
$response->assertSee('Operations', false);
|
|
|
|
// ManagedEnvironment nav absent (sidebar fix working)
|
|
$response->assertDontSee('>Inventory</span>', false);
|
|
});
|
|
|
|
it('shows the routed tenant context even when another tenant is current', function (): void {
|
|
$workspace = Workspace::factory()->create();
|
|
$user = User::factory()->create();
|
|
|
|
$currentTenant = ManagedEnvironment::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'name' => 'YPTW2',
|
|
'environment' => 'dev',
|
|
'status' => 'active',
|
|
]);
|
|
|
|
$routedTenant = ManagedEnvironment::factory()->create([
|
|
'workspace_id' => (int) $workspace->getKey(),
|
|
'name' => 'Phoenicon',
|
|
'environment' => 'dev',
|
|
'status' => 'active',
|
|
]);
|
|
|
|
createUserWithTenant($currentTenant, $user, role: 'owner');
|
|
createUserWithTenant($routedTenant, $user, role: 'owner');
|
|
|
|
$currentTenant->makeCurrent();
|
|
|
|
$this->actingAs($user)
|
|
->get(RequiredPermissionsLinks::requiredPermissions($routedTenant))
|
|
->assertOk()
|
|
->assertSee($routedTenant->getFilamentName(), false)
|
|
->assertSee('Required permissions', false);
|
|
});
|