strprfcrm/tests/Feature/RoutePermissionMiddlewareTest.php

<?php

namespace Tests\Feature;

use App\Models\Permission;
use App\Models\Role;
use App\Models\User;
use Database\Seeders\RbacSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class RoutePermissionMiddlewareTest extends TestCase
{
    use RefreshDatabase;

    protected function setUp(): void
    {
        parent::setUp();

        $this->seed(RbacSeeder::class);
    }

    public function test_mapped_auth_route_requires_permission_for_rbac_user(): void
    {
        $role = Role::query()->create([
            'slug' => 'no_orders',
            'name' => 'No orders',
            'is_system' => false,
            'is_active' => true,
        ]);
        $user = User::factory()->create(['role' => $role->slug, 'role_id' => $role->id]);

        $this->actingAs($user)
            ->get(route('order.index'))
            ->assertForbidden();
    }

    public function test_mapped_auth_route_allows_permission_for_rbac_user(): void
    {
        $permission = Permission::query()->where('slug', 'orders.view')->firstOrFail();
        $role = Role::query()->create([
            'slug' => 'orders_viewer',
            'name' => 'Orders viewer',
            'is_system' => false,
            'is_active' => true,
        ]);
        $role->permissions()->sync([
            $permission->id => ['effect' => 'allow'],
        ]);
        $user = User::factory()->create(['role' => $role->slug, 'role_id' => $role->id]);

        $this->actingAs($user)
            ->get(route('order.index'))
            ->assertOk();
    }
}