feat: complete Epic 1 — team management & permission system
- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration - Story 1.2: Team page with member list, invitation system with queued email - Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging - Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal) - Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping - Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching - 83 new/modified files, 182 tests passing with zero regressions Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
217
tests/Feature/Team/TeamRoleAssignmentTest.php
Normal file
217
tests/Feature/Team/TeamRoleAssignmentTest.php
Normal file
@@ -0,0 +1,217 @@
|
||||
<?php
|
||||
|
||||
use App\Enums\Permission;
|
||||
use App\Enums\WorkspaceUserRole;
|
||||
use App\Models\User;
|
||||
use App\Models\Workspace;
|
||||
use App\Models\WorkspaceUser;
|
||||
use Spatie\Activitylog\Models\Activity;
|
||||
|
||||
function setupRoleTestUser(string $role, array $permissions = []): array
|
||||
{
|
||||
$user = User::factory()->create();
|
||||
$workspace = Workspace::factory()->create();
|
||||
$workspace->users()->attach($user->id, [
|
||||
'role' => $role,
|
||||
'permissions' => $permissions,
|
||||
]);
|
||||
session(['current_workspace_id' => $workspace->id]);
|
||||
|
||||
return [$user, $workspace];
|
||||
}
|
||||
|
||||
function createWorkspaceMember(Workspace $workspace, string $role, array $permissions = []): User
|
||||
{
|
||||
$member = User::factory()->create();
|
||||
$workspace->users()->attach($member->id, [
|
||||
'role' => $role,
|
||||
'permissions' => $permissions,
|
||||
]);
|
||||
|
||||
return $member;
|
||||
}
|
||||
|
||||
function getWorkspaceUserId(Workspace $workspace, User $user): int
|
||||
{
|
||||
return WorkspaceUser::where('workspace_id', $workspace->id)
|
||||
->where('user_id', $user->id)
|
||||
->firstOrFail()
|
||||
->id;
|
||||
}
|
||||
|
||||
// ── Owner can change roles ──────────────────────────────────
|
||||
|
||||
test('owner can change a member role from worker to manager', function () {
|
||||
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
|
||||
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
|
||||
$pivotId = getWorkspaceUserId($workspace, $worker);
|
||||
|
||||
$response = $this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
$response->assertRedirect();
|
||||
$response->assertSessionHas('success', 'Rôle mis à jour');
|
||||
|
||||
$updatedPivot = WorkspaceUser::find($pivotId);
|
||||
expect($updatedPivot->role->is(WorkspaceUserRole::Manager))->toBeTrue();
|
||||
});
|
||||
|
||||
test('owner can change a member role from manager to worker', function () {
|
||||
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
|
||||
$manager = createWorkspaceMember($workspace, WorkspaceUserRole::Manager, [
|
||||
Permission::CanManageTeam => true,
|
||||
Permission::CanViewActivityLogs => true,
|
||||
]);
|
||||
$pivotId = getWorkspaceUserId($workspace, $manager);
|
||||
|
||||
$response = $this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'worker',
|
||||
]);
|
||||
|
||||
$response->assertRedirect();
|
||||
$response->assertSessionHas('success', 'Rôle mis à jour');
|
||||
|
||||
$updatedPivot = WorkspaceUser::find($pivotId);
|
||||
expect($updatedPivot->role->is(WorkspaceUserRole::Worker))->toBeTrue();
|
||||
});
|
||||
|
||||
// ── Role change resets permissions ──────────────────────────
|
||||
|
||||
test('role change resets permissions to defaults for new role', function () {
|
||||
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
|
||||
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
|
||||
$pivotId = getWorkspaceUserId($workspace, $worker);
|
||||
|
||||
$this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
$updatedPivot = WorkspaceUser::find($pivotId);
|
||||
$managerDefaults = config('permissions.defaults.manager');
|
||||
expect($updatedPivot->permissions)->toBe($managerDefaults);
|
||||
|
||||
// Now change back to worker — permissions should be empty
|
||||
$this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'worker',
|
||||
]);
|
||||
|
||||
$updatedPivot->refresh();
|
||||
expect($updatedPivot->permissions)->toBe([]);
|
||||
});
|
||||
|
||||
// ── Owner cannot change own role ────────────────────────────
|
||||
|
||||
test('owner cannot change own role', function () {
|
||||
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
|
||||
$pivotId = getWorkspaceUserId($workspace, $owner);
|
||||
|
||||
$response = $this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
$response->assertNotFound();
|
||||
});
|
||||
|
||||
// ── Manager with can_manage_team can change worker role ─────
|
||||
|
||||
test('manager with can_manage_team can change worker role', function () {
|
||||
[$manager, $workspace] = setupRoleTestUser(WorkspaceUserRole::Manager, [
|
||||
Permission::CanManageTeam => true,
|
||||
]);
|
||||
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
|
||||
$pivotId = getWorkspaceUserId($workspace, $worker);
|
||||
|
||||
$response = $this->actingAs($manager)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
$response->assertRedirect();
|
||||
$response->assertSessionHas('success', 'Rôle mis à jour');
|
||||
});
|
||||
|
||||
// ── Manager with can_manage_team can change another manager role ─
|
||||
|
||||
test('manager with can_manage_team can change another manager role', function () {
|
||||
[$manager, $workspace] = setupRoleTestUser(WorkspaceUserRole::Manager, [
|
||||
Permission::CanManageTeam => true,
|
||||
]);
|
||||
$otherManager = createWorkspaceMember($workspace, WorkspaceUserRole::Manager, [
|
||||
Permission::CanManageTeam => false,
|
||||
]);
|
||||
$pivotId = getWorkspaceUserId($workspace, $otherManager);
|
||||
|
||||
$response = $this->actingAs($manager)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'worker',
|
||||
]);
|
||||
|
||||
$response->assertRedirect();
|
||||
$response->assertSessionHas('success', 'Rôle mis à jour');
|
||||
|
||||
$updatedPivot = WorkspaceUser::find($pivotId);
|
||||
expect($updatedPivot->role->is(WorkspaceUserRole::Worker))->toBeTrue();
|
||||
});
|
||||
|
||||
// ── Manager with can_manage_team cannot change owner role ───
|
||||
|
||||
test('manager with can_manage_team cannot change owner role', function () {
|
||||
[$manager, $workspace] = setupRoleTestUser(WorkspaceUserRole::Manager, [
|
||||
Permission::CanManageTeam => true,
|
||||
]);
|
||||
$owner = createWorkspaceMember($workspace, WorkspaceUserRole::Owner);
|
||||
$pivotId = getWorkspaceUserId($workspace, $owner);
|
||||
|
||||
$response = $this->actingAs($manager)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'worker',
|
||||
]);
|
||||
|
||||
$response->assertNotFound();
|
||||
});
|
||||
|
||||
// ── Manager without can_manage_team gets 404 ───────────────
|
||||
|
||||
test('manager without can_manage_team gets 404 on role change', function () {
|
||||
[$manager, $workspace] = setupRoleTestUser(WorkspaceUserRole::Manager, [
|
||||
Permission::CanManageTeam => false,
|
||||
]);
|
||||
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
|
||||
$pivotId = getWorkspaceUserId($workspace, $worker);
|
||||
|
||||
$response = $this->actingAs($manager)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
$response->assertNotFound();
|
||||
});
|
||||
|
||||
// ── Worker gets 404 on role change attempt ──────────────────
|
||||
|
||||
test('worker gets 404 on role change attempt', function () {
|
||||
[$worker, $workspace] = setupRoleTestUser(WorkspaceUserRole::Worker);
|
||||
$otherWorker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
|
||||
$pivotId = getWorkspaceUserId($workspace, $otherWorker);
|
||||
|
||||
$response = $this->actingAs($worker)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
$response->assertNotFound();
|
||||
});
|
||||
|
||||
// ── Activity log ────────────────────────────────────────────
|
||||
|
||||
test('role change is logged in activity log', function () {
|
||||
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
|
||||
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
|
||||
$pivotId = getWorkspaceUserId($workspace, $worker);
|
||||
|
||||
$this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
|
||||
'role' => 'manager',
|
||||
]);
|
||||
|
||||
$log = Activity::latest('id')->first();
|
||||
expect($log->description)->toBe('role_changed')
|
||||
->and($log->properties['target_user'])->toBe($worker->name)
|
||||
->and($log->properties['old_role'])->toBe('worker')
|
||||
->and($log->properties['new_role'])->toBe('manager');
|
||||
});
|
||||
Reference in New Issue
Block a user