create(['role' => Role::MANAGER]); $this->seed(RbacSeeder::class); $user->refresh(); $this->assertNotNull($user->role_id); $this->assertSame(Role::MANAGER, $user->roleModel->slug); } public function test_direct_admin_has_all_permissions(): void { $admin = User::factory()->create(['role' => Role::ADMIN]); $this->seed(RbacSeeder::class); $admin->refresh(); $this->assertTrue(app(AccessService::class)->can($admin, 'catalog.delete')); $this->assertTrue(app(AccessService::class)->can($admin, 'catalog.fields.product_price.update')); } public function test_manager_has_seeded_permissions_but_not_admin_only_permissions(): void { $manager = User::factory()->create(['role' => Role::MANAGER]); $this->seed(RbacSeeder::class); $manager->refresh(); $this->assertTrue(app(AccessService::class)->can($manager, 'catalog.view')); $this->assertFalse(app(AccessService::class)->can($manager, 'catalog.update')); } public function test_user_deny_overrides_role_allow(): void { $manager = User::factory()->create(['role' => Role::MANAGER]); $this->seed(RbacSeeder::class); $manager->refresh(); $permission = Permission::query()->where('slug', 'catalog.view')->firstOrFail(); $manager->permissions()->syncWithoutDetaching([ $permission->id => ['effect' => 'deny'], ]); app(AccessService::class)->bumpCacheVersion(); $this->assertFalse(app(AccessService::class)->can($manager, 'catalog.view')); } public function test_assistant_head_has_materialized_admin_permissions_without_runtime_inheritance(): void { $assistantHead = User::factory()->create(['role' => Role::ASSISTANT_HEAD]); $this->seed(RbacSeeder::class); $assistantHead->refresh(); $this->assertTrue($assistantHead->hasRole(Role::ADMIN)); $this->assertTrue(app(AccessService::class)->can($assistantHead, 'maf_orders.delete')); } }