TenantAtlas/apps/platform/tests/Browser/Spec285WorkspaceRbacEnvironmentAccessSmokeTest.php

<?php

declare(strict_types=1);

use App\Filament\Resources\FindingResource;
use App\Models\Finding;
use App\Models\ManagedEnvironment;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceMembership;
use App\Services\Auth\TenantMembershipManager;
use App\Services\Auth\WorkspaceMembershipManager;
use App\Support\Workspaces\WorkspaceContext;
use Illuminate\Foundation\Testing\RefreshDatabase;

uses(RefreshDatabase::class);

pest()->browser()->timeout(20_000);

it('smokes workspace role management plus scoped environment drilldown', function (): void {
    $workspace = Workspace::factory()->create([
        'name' => 'Spec 285 Workspace',
    ]);
    $allowedTenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'name' => 'Spec 285 Allowed',
        'slug' => 'spec-285-allowed',
    ]);
    $deniedTenant = ManagedEnvironment::factory()->active()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'name' => 'Spec 285 Denied',
        'slug' => 'spec-285-denied',
    ]);
    $owner = User::factory()->create();
    $member = User::factory()->create();

    WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $owner->getKey(),
        'role' => 'owner',
    ]);
    $memberMembership = WorkspaceMembership::factory()->create([
        'workspace_id' => (int) $workspace->getKey(),
        'user_id' => (int) $member->getKey(),
        'role' => 'readonly',
    ]);

    app(WorkspaceMembershipManager::class)->changeRole($workspace, $owner, $memberMembership, 'operator');
    app(TenantMembershipManager::class)->grantScope($allowedTenant, $owner, $member, source: 'manual');

    Finding::factory()->for($allowedTenant)->create([
        'workspace_id' => (int) $workspace->getKey(),
        'severity' => Finding::SEVERITY_HIGH,
    ]);

    $this->actingAs($member)->withSession([
        WorkspaceContext::SESSION_KEY => (int) $workspace->getKey(),
    ]);
    session()->put(WorkspaceContext::SESSION_KEY, (int) $workspace->getKey());

    $managedTenantsPath = (string) parse_url(route('admin.workspace.managed-tenants.index', ['workspace' => $workspace]), PHP_URL_PATH);
    $findingsIndexPath = (string) parse_url(FindingResource::getUrl('index', tenant: $allowedTenant, panel: 'admin'), PHP_URL_PATH);

    visit(route('admin.workspace.managed-tenants.index', ['workspace' => $workspace]))
        ->waitForText('Spec 285 Allowed')
        ->assertScript("window.location.pathname === '{$managedTenantsPath}'", true)
        ->assertSee('Spec 285 Allowed')
        ->assertDontSee('Spec 285 Denied')
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs();

    visit(FindingResource::getUrl('index', tenant: $allowedTenant, panel: 'admin'))
        ->waitForText('Findings')
        ->assertScript("window.location.pathname === '{$findingsIndexPath}'", true)
        ->assertNoJavaScriptErrors()
        ->assertNoConsoleLogs();
});