TenantAtlas/apps/platform/tests/Feature/Spec085/DenyAsNotFoundSemanticsTest.php

<?php

declare(strict_types=1);

use App\Filament\Pages\TenantDashboard;
use App\Models\OperationRun;
use App\Models\ManagedEnvironment;
use App\Models\User;
use App\Models\Workspace;
use App\Support\OperationRunOutcome;
use App\Support\OperationRunStatus;
use App\Support\Verification\VerificationReportWriter;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Http;

uses(RefreshDatabase::class);

beforeEach(function (): void {
    Http::preventStrayRequests();
});

it('redirects non-workspace-members on central operations index', function (): void {
    $user = User::factory()->create();

    $this->actingAs($user)
        ->get('/admin/operations')
        ->assertRedirect();
});

it('returns 404 for non-workspace-members on central operation run detail', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    session()->forget(WorkspaceContext::SESSION_KEY);

    $run = OperationRun::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'managed_environment_id' => null,
        'type' => 'provider.connection.check',
        'status' => OperationRunStatus::Queued->value,
        'outcome' => OperationRunOutcome::Pending->value,
        'context' => [
            'verification_report' => VerificationReportWriter::build('provider.connection.check', [
                [
                    'key' => 'provider_connection',
                    'title' => 'Provider connection preflight',
                    'status' => 'fail',
                    'severity' => 'critical',
                    'blocking' => true,
                    'reason_code' => 'provider_connection_missing',
                    'message' => 'No provider connection configured.',
                    'evidence' => [],
                    'next_steps' => [],
                ],
            ]),
        ],
    ]);

    $this->actingAs($user)
        ->get("/admin/operations/{$run->getKey()}")
        ->assertNotFound();
});

it('returns 404 for non-entitled users on tenant dashboard direct access', function (): void {
    $tenantA = ManagedEnvironment::factory()->create();
    [$user, $tenantA] = createUserWithTenant($tenantA, role: 'owner');

    $tenantB = ManagedEnvironment::factory()->create([
        'workspace_id' => (int) $tenantA->workspace_id,
    ]);

    $this->actingAs($user)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $tenantA->workspace_id])
        ->get(TenantDashboard::getUrl(panel: 'tenant', tenant: $tenantB))
        ->assertNotFound();
});