strprfcrm/tests/Feature/CatalogFieldAccessTest.php

<?php

namespace Tests\Feature;

use App\Models\Permission;
use App\Models\Product;
use App\Models\Role;
use App\Models\User;
use Database\Seeders\RbacSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class CatalogFieldAccessTest extends TestCase
{
    use RefreshDatabase;

    protected $seed = true;

    protected function setUp(): void
    {
        parent::setUp();

        $this->seed(RbacSeeder::class);
    }

    public function test_catalog_index_hides_denied_field_columns(): void
    {
        $role = $this->makeRoleWithPermissions([
            'catalog.view' => 'allow',
            'catalog.fields.article.view' => 'allow',
            'catalog.fields.nomenclature_number.view' => 'allow',
            'catalog.fields.name_tz.view' => 'allow',
            'catalog.fields.product_price.view' => 'deny',
            'catalog.fields.product_price.update' => 'deny',
        ]);
        $user = User::factory()->create(['role' => $role->slug, 'role_id' => $role->id]);
        Product::factory()->create([
            'article' => 'ACL-001',
            'name_tz' => 'Открытое название',
            'product_price' => 12345,
        ]);

        $this->actingAs($user)
            ->get(route('catalog.index'))
            ->assertOk()
            ->assertSee('Открытое название')
            ->assertDontSee('Цена товара')
            ->assertDontSee('12 345', false);
    }

    public function test_catalog_update_strips_denied_fields_from_payload(): void
    {
        $role = $this->makeRoleWithPermissions([
            'catalog.view' => 'allow',
            'catalog.update' => 'allow',
            'catalog.fields.name_tz.view' => 'allow',
            'catalog.fields.name_tz.update' => 'allow',
            'catalog.fields.product_price.view' => 'allow',
            'catalog.fields.product_price.update' => 'deny',
        ]);
        $user = User::factory()->create(['role' => $role->slug, 'role_id' => $role->id]);
        $product = Product::factory()->create([
            'name_tz' => 'Старое название',
            'product_price' => 100,
        ]);

        $this->actingAs($user)
            ->post(route('catalog.update', $product), [
                'name_tz' => 'Новое название',
                'product_price' => 999999,
            ])
            ->assertRedirect();

        $product->refresh();
        $this->assertSame('Новое название', $product->name_tz);
        $this->assertSame(100.0, $product->product_price);
    }

    private function makeRoleWithPermissions(array $effects): Role
    {
        $role = Role::query()->create([
            'slug' => 'catalog_acl_' . uniqid(),
            'name' => 'Catalog ACL',
            'is_system' => false,
            'is_active' => true,
        ]);

        $permissions = Permission::query()
            ->whereIn('slug', array_keys($effects))
            ->get();

        $sync = [];
        foreach ($permissions as $permission) {
            $sync[$permission->id] = ['effect' => $effects[$permission->slug]];
        }
        $role->permissions()->sync($sync);

        return $role;
    }
}