ibnezzoubayr/L-Ami-Fiduciaire
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c89d1879bf66c36fcc6943f4c7f511ed0ff6e3d0
L-Ami-Fiduciaire/tests/Feature/Team/TeamRoleAssignmentTest.php
Saad Ibn-Ezzoubayr c89d1879bf feat: complete Epic 1 — team management & permission system 
- Story 1.1: Permission enum, config, AuthorizesPermissions & HasWorkspaceScope traits, member→worker migration
- Story 1.2: Team page with member list, invitation system with queued email
- Story 1.3: Role assignment (Manager/Worker) and member removal with activity logging
- Story 1.4: Owner-only permission toggle matrix for Managers (manage team, view logs, configure portal)
- Story 1.5: Role-based access enforcement — Workers see only assigned declarations/clients, sidebar scoping
- Story 1.6: Workspace switcher dropdown for multi-workspace users with session-based switching
- 83 new/modified files, 182 tests passing with zero regressions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 00:12:50 +00:00

218 lines
7.8 KiB
PHP
Raw Blame History

<?php
use App\Enums\Permission;
use App\Enums\WorkspaceUserRole;
use App\Models\User;
use App\Models\Workspace;
use App\Models\WorkspaceUser;
use Spatie\Activitylog\Models\Activity;
function setupRoleTestUser(string $role, array $permissions = []): array
{
$user = User::factory()->create();
$workspace = Workspace::factory()->create();
$workspace->users()->attach($user->id, [
'role' => $role,
'permissions' => $permissions,
]);
session(['current_workspace_id' => $workspace->id]);
return [$user, $workspace];
}
function createWorkspaceMember(Workspace $workspace, string $role, array $permissions = []): User
{
$member = User::factory()->create();
$workspace->users()->attach($member->id, [
'role' => $role,
'permissions' => $permissions,
]);
return $member;
}
function getWorkspaceUserId(Workspace $workspace, User $user): int
{
return WorkspaceUser::where('workspace_id', $workspace->id)
->where('user_id', $user->id)
->firstOrFail()
->id;
}
// ── Owner can change roles ──────────────────────────────────
test('owner can change a member role from worker to manager', function () {
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
$pivotId = getWorkspaceUserId($workspace, $worker);
$response = $this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
'role' => 'manager',
]);
$response->assertRedirect();
$response->assertSessionHas('success', 'Rôle mis à jour');
$updatedPivot = WorkspaceUser::find($pivotId);
expect($updatedPivot->role->is(WorkspaceUserRole::Manager))->toBeTrue();
});
test('owner can change a member role from manager to worker', function () {
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
$manager = createWorkspaceMember($workspace, WorkspaceUserRole::Manager, [
Permission::CanManageTeam => true,
Permission::CanViewActivityLogs => true,
]);
$pivotId = getWorkspaceUserId($workspace, $manager);
$response = $this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
'role' => 'worker',
]);
$response->assertRedirect();
$response->assertSessionHas('success', 'Rôle mis à jour');
$updatedPivot = WorkspaceUser::find($pivotId);
expect($updatedPivot->role->is(WorkspaceUserRole::Worker))->toBeTrue();
});
// ── Role change resets permissions ──────────────────────────
test('role change resets permissions to defaults for new role', function () {
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
$pivotId = getWorkspaceUserId($workspace, $worker);
$this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
'role' => 'manager',
]);
$updatedPivot = WorkspaceUser::find($pivotId);
$managerDefaults = config('permissions.defaults.manager');
expect($updatedPivot->permissions)->toBe($managerDefaults);
// Now change back to worker — permissions should be empty
$this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
'role' => 'worker',
]);
$updatedPivot->refresh();
expect($updatedPivot->permissions)->toBe([]);
});
// ── Owner cannot change own role ────────────────────────────
test('owner cannot change own role', function () {
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
$pivotId = getWorkspaceUserId($workspace, $owner);
$response = $this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
'role' => 'manager',
]);
$response->assertNotFound();
});
// ── Manager with can_manage_team can change worker role ─────
test('manager with can_manage_team can change worker role', function () {
[$manager, $workspace] = setupRoleTestUser(WorkspaceUserRole::Manager, [
Permission::CanManageTeam => true,
]);
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
$pivotId = getWorkspaceUserId($workspace, $worker);
$response = $this->actingAs($manager)->patch(route('team.updateRole', $pivotId), [
'role' => 'manager',
]);
$response->assertRedirect();
$response->assertSessionHas('success', 'Rôle mis à jour');
});
// ── Manager with can_manage_team can change another manager role ─
test('manager with can_manage_team can change another manager role', function () {
[$manager, $workspace] = setupRoleTestUser(WorkspaceUserRole::Manager, [
Permission::CanManageTeam => true,
]);
$otherManager = createWorkspaceMember($workspace, WorkspaceUserRole::Manager, [
Permission::CanManageTeam => false,
]);
$pivotId = getWorkspaceUserId($workspace, $otherManager);
$response = $this->actingAs($manager)->patch(route('team.updateRole', $pivotId), [
'role' => 'worker',
]);
$response->assertRedirect();
$response->assertSessionHas('success', 'Rôle mis à jour');
$updatedPivot = WorkspaceUser::find($pivotId);
expect($updatedPivot->role->is(WorkspaceUserRole::Worker))->toBeTrue();
});
// ── Manager with can_manage_team cannot change owner role ───
test('manager with can_manage_team cannot change owner role', function () {
[$manager, $workspace] = setupRoleTestUser(WorkspaceUserRole::Manager, [
Permission::CanManageTeam => true,
]);
$owner = createWorkspaceMember($workspace, WorkspaceUserRole::Owner);
$pivotId = getWorkspaceUserId($workspace, $owner);
$response = $this->actingAs($manager)->patch(route('team.updateRole', $pivotId), [
'role' => 'worker',
]);
$response->assertNotFound();
});
// ── Manager without can_manage_team gets 404 ───────────────
test('manager without can_manage_team gets 404 on role change', function () {
[$manager, $workspace] = setupRoleTestUser(WorkspaceUserRole::Manager, [
Permission::CanManageTeam => false,
]);
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
$pivotId = getWorkspaceUserId($workspace, $worker);
$response = $this->actingAs($manager)->patch(route('team.updateRole', $pivotId), [
'role' => 'manager',
]);
$response->assertNotFound();
});
// ── Worker gets 404 on role change attempt ──────────────────
test('worker gets 404 on role change attempt', function () {
[$worker, $workspace] = setupRoleTestUser(WorkspaceUserRole::Worker);
$otherWorker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
$pivotId = getWorkspaceUserId($workspace, $otherWorker);
$response = $this->actingAs($worker)->patch(route('team.updateRole', $pivotId), [
'role' => 'manager',
]);
$response->assertNotFound();
});
// ── Activity log ────────────────────────────────────────────
test('role change is logged in activity log', function () {
[$owner, $workspace] = setupRoleTestUser(WorkspaceUserRole::Owner);
$worker = createWorkspaceMember($workspace, WorkspaceUserRole::Worker);
$pivotId = getWorkspaceUserId($workspace, $worker);
$this->actingAs($owner)->patch(route('team.updateRole', $pivotId), [
'role' => 'manager',
]);
$log = Activity::latest('id')->first();
expect($log->description)->toBe('role_changed')
->and($log->properties['target_user'])->toBe($worker->name)
->and($log->properties['old_role'])->toBe('worker')
->and($log->properties['new_role'])->toBe('manager');
});
Reference in New Issue View Git Blame Copy Permalink