Enforce tenant member permissions

2026-01-16 13:33:36 +01:00
parent df60be826d
commit 7aa0a4c847
22 changed files with 592 additions and 112 deletions
--- a/tests/Unit/TenantMemberPermissionsTest.php
+++ b/tests/Unit/TenantMemberPermissionsTest.php
@@ -0,0 +1,95 @@
+<?php
+
+namespace Tests\Unit;
+
+use App\Models\Event;
+use App\Models\EventMember;
+use App\Models\Tenant;
+use App\Models\User;
+use App\Support\TenantMemberPermissions;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Http\Exceptions\HttpResponseException;
+use Illuminate\Http\Request;
+use Tests\TestCase;
+
+class TenantMemberPermissionsTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_resolves_permissions_for_member(): void
+    {
+        $tenant = Tenant::factory()->create();
+        $event = Event::factory()->for($tenant)->create();
+        $user = User::factory()->create([
+            'tenant_id' => $tenant->id,
+            'role' => 'member',
+        ]);
+
+        EventMember::factory()->create([
+            'tenant_id' => $tenant->id,
+            'event_id' => $event->id,
+            'user_id' => $user->id,
+            'email' => $user->email,
+            'status' => 'active',
+            'permissions' => ['photos:moderate', 'tasks:manage'],
+        ]);
+
+        $request = Request::create('/');
+        $request->setUserResolver(fn () => $user);
+
+        $permissions = TenantMemberPermissions::resolveEventPermissions($request, $event);
+
+        $this->assertContains('photos:moderate', $permissions);
+        $this->assertContains('tasks:manage', $permissions);
+    }
+
+    public function test_allows_wildcard_permissions(): void
+    {
+        $tenant = Tenant::factory()->create();
+        $event = Event::factory()->for($tenant)->create();
+        $user = User::factory()->create([
+            'tenant_id' => $tenant->id,
+            'role' => 'member',
+        ]);
+
+        EventMember::factory()->create([
+            'tenant_id' => $tenant->id,
+            'event_id' => $event->id,
+            'user_id' => $user->id,
+            'email' => $user->email,
+            'status' => 'active',
+            'permissions' => ['photos:*'],
+        ]);
+
+        $request = Request::create('/');
+        $request->setUserResolver(fn () => $user);
+
+        $this->assertTrue(TenantMemberPermissions::allowsEventPermission($request, $event, 'photos:moderate'));
+    }
+
+    public function test_denies_missing_permissions(): void
+    {
+        $tenant = Tenant::factory()->create();
+        $event = Event::factory()->for($tenant)->create();
+        $user = User::factory()->create([
+            'tenant_id' => $tenant->id,
+            'role' => 'member',
+        ]);
+
+        EventMember::factory()->create([
+            'tenant_id' => $tenant->id,
+            'event_id' => $event->id,
+            'user_id' => $user->id,
+            'email' => $user->email,
+            'status' => 'active',
+            'permissions' => ['tasks:manage'],
+        ]);
+
+        $request = Request::create('/');
+        $request->setUserResolver(fn () => $user);
+
+        $this->expectException(HttpResponseException::class);
+
+        TenantMemberPermissions::ensureEventPermission($request, $event, 'photos:moderate');
+    }
+}