TenantAtlas/tests/Feature/TenantReview/TenantReviewRegisterRbacTest.php

<?php

declare(strict_types=1);

use App\Filament\Pages\Reviews\ReviewRegister;
use App\Models\Tenant;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Support\Workspaces\WorkspaceContext;
use Livewire\Livewire;

it('returns 404 for users outside the active workspace on the canonical review register', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    $this->actingAs($user)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
        ->get(ReviewRegister::getUrl(panel: 'admin'))
        ->assertNotFound();
});

it('returns 404 for workspace members that have no tenant-review visibility in the active workspace', function (): void {
    $workspace = Workspace::factory()->create();
    $user = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $user->getKey(),
        'role' => 'owner',
    ]);

    $this->actingAs($user)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $workspace->getKey()])
        ->get(ReviewRegister::getUrl(panel: 'admin'))
        ->assertNotFound();
});

it('allows entitled workspace members to access the canonical review register', function (): void {
    $tenant = Tenant::factory()->create();
    [$user, $tenant] = createUserWithTenant(tenant: $tenant, role: 'readonly');
    composeTenantReviewForTest($tenant, $user);

    $this->actingAs($user)
        ->withSession([WorkspaceContext::SESSION_KEY => (int) $tenant->workspace_id])
        ->get(ReviewRegister::getUrl(panel: 'admin'))
        ->assertOk();
});

it('shows artifact-truth rows only for entitled tenants on the canonical review register', function (): void {
    $tenantAllowed = Tenant::factory()->create(['name' => 'Allowed Tenant']);
    [$user, $tenantAllowed] = createUserWithTenant(tenant: $tenantAllowed, role: 'readonly');

    $allowedReview = composeTenantReviewForTest(
        $tenantAllowed,
        $user,
        seedTenantReviewEvidence(
            tenant: $tenantAllowed,
            permissionPayload: [
                'required_count' => 11,
                'granted_count' => 7,
            ],
            operationRunCount: 0,
        ),
    );

    $tenantDenied = Tenant::factory()->create([
        'workspace_id' => (int) $tenantAllowed->workspace_id,
        'name' => 'Denied Tenant',
    ]);
    [$otherOwner, $tenantDenied] = createUserWithTenant(tenant: $tenantDenied, role: 'owner');
    $deniedReview = composeTenantReviewForTest($tenantDenied, $otherOwner);

    $this->actingAs($user);
    setAdminPanelContext();
    session()->put(WorkspaceContext::SESSION_KEY, (int) $tenantAllowed->workspace_id);

    Livewire::actingAs($user)
        ->test(ReviewRegister::class)
        ->assertCanSeeTableRecords([$allowedReview])
        ->assertCanNotSeeTableRecords([$deniedReview])
        ->assertSee('Blocked')
        ->assertSee('Resolve the review blockers before publication')
        ->assertDontSee('Denied Tenant');
});