TenantAtlas/apps/platform/tests/Feature/Rbac/ResolvedReferenceAuthorizationTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\FindingResource;
use App\Models\BaselineProfile;
use App\Models\BaselineSnapshot;
use App\Models\Finding;
use App\Services\Auth\WorkspaceCapabilityResolver;

it('renders inaccessible references without an actionable link', function (): void {
    [$user, $tenant] = createUserWithTenant(role: 'owner');
    $this->actingAs($user);

    $profile = BaselineProfile::factory()->active()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'name' => 'Security Baseline',
    ]);

    $snapshot = BaselineSnapshot::factory()->create([
        'workspace_id' => (int) $tenant->workspace_id,
        'baseline_profile_id' => (int) $profile->getKey(),
    ]);

    $finding = Finding::factory()->for($tenant)->create([
        'evidence_jsonb' => [
            'provenance' => [
                'baseline_profile_id' => (int) $profile->getKey(),
                'baseline_snapshot_id' => (int) $snapshot->getKey(),
            ],
        ],
    ]);

    $resolver = \Mockery::mock(WorkspaceCapabilityResolver::class);
    $resolver->shouldReceive('isMember')->andReturnTrue();
    $resolver->shouldReceive('can')->andReturnFalse();
    app()->instance(WorkspaceCapabilityResolver::class, $resolver);

    $response = $this->get(FindingResource::getUrl('view', ['record' => $finding], tenant: $tenant));

    $response->assertOk()
        ->assertSee('Access denied')
        ->assertDontSee('/admin/baseline-snapshots/'.$snapshot->getKey(), false);
});