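seed(RoleSeeder::class); } // tail of a method whose opening lines are not part of this listing; kept verbatim

    // --- INDEX ---

    /**
     * A user holding the super_admin role gets every organisation back from the index endpoint.
     */
    public function test_super_admin_can_list_all_organisations(): void
    {
        $admin = User::factory()->create();
        $admin->assignRole('super_admin');
        Organisation::factory()->count(3)->create();

        Sanctum::actingAs($admin);

        $response = $this->getJson('/api/v1/organisations');

        $response->assertOk();
        $this->assertCount(3, $response->json('data'));
    }

    /**
     * Tenant isolation on the index: a member attached to one organisation must not
     * see a second organisation they have no pivot row for.
     */
    public function test_org_member_sees_only_own_organisations(): void
    {
        $user = User::factory()->create();
        $ownOrg = Organisation::factory()->create();
        // Second organisation exists only so the listing has something to filter out.
        Organisation::factory()->create();
        $ownOrg->users()->attach($user, ['role' => 'org_member']);

        Sanctum::actingAs($user);

        $response = $this->getJson('/api/v1/organisations');

        $response->assertOk();
        $this->assertCount(1, $response->json('data'));
        $this->assertEquals($ownOrg->id, $response->json('data.0.id'));
    }

    /**
     * Without Sanctum::actingAs() the index request must be rejected as unauthenticated.
     */
    public function test_unauthenticated_user_cannot_list_organisations(): void
    {
        $response = $this->getJson('/api/v1/organisations');

        $response->assertUnauthorized();
    }

    // --- SHOW ---

    /**
     * A member attached to an organisation can read that organisation.
     */
    public function test_org_member_can_view_own_organisation(): void
    {
        $user = User::factory()->create();
        $org = Organisation::factory()->create();
        $org->users()->attach($user, ['role' => 'org_member']);

        Sanctum::actingAs($user);

        $response = $this->getJson("/api/v1/organisations/{$org->id}");

        $response->assertOk()
            ->assertJson(['data' => ['id' => $org->id]]);
    }

    /**
     * Direct object reference check: an authenticated user with no membership row
     * for the organisation is refused when requesting it by id.
     */
    public function test_user_cannot_view_other_organisation(): void
    {
        $user = User::factory()->create();
        $org = Organisation::factory()->create();

        Sanctum::actingAs($user);

        $response = $this->getJson("/api/v1/organisations/{$org->id}");

        $response->assertForbidden();
    }

    // --- STORE ---

    /**
     * A super_admin can create an organisation and the row is persisted.
     */
    public function test_super_admin_can_create_organisation(): void
    {
        $admin = User::factory()->create();
        $admin->assignRole('super_admin');

        Sanctum::actingAs($admin);

        $response = $this->postJson('/api/v1/organisations', [
            'name' => 'Test Org',
            'slug' => 'test-org',
        ]);

        $response->assertCreated()
            ->assertJson(['data' => ['name' => 'Test Org', 'slug' => 'test-org']]);
        $this->assertDatabaseHas('organisations', ['slug' => 'test-org']);
    }

    /**
     * A user without the super_admin role is refused on create, and the refused
     * request must not leave a row behind.
     */
    public function test_non_admin_cannot_create_organisation(): void
    {
        $user = User::factory()->create();

        Sanctum::actingAs($user);

        $response = $this->postJson('/api/v1/organisations', [
            'name' => 'Test Org',
            'slug' => 'test-org',
        ]);

        $response->assertForbidden();
        // A 403 alone does not prove the write was blocked: the authorisation check
        // could run after the insert. Pin the absence of the side effect as well.
        $this->assertDatabaseMissing('organisations', ['slug' => 'test-org']);
    }

    // --- UPDATE ---

    /**
     * A user attached with the org_admin pivot role can rename the organisation,
     * and the new name is persisted rather than only echoed in the response.
     */
    public function test_org_admin_can_update_organisation(): void
    {
        $user = User::factory()->create();
        $org = Organisation::factory()->create();
        $org->users()->attach($user, ['role' => 'org_admin']);

        Sanctum::actingAs($user);

        $response = $this->putJson("/api/v1/organisations/{$org->id}", [
            'name' => 'Updated Name',
        ]);

        $response->assertOk()
            ->assertJson(['data' => ['name' => 'Updated Name']]);
        // Re-read the model so the assertion reflects stored state, not the payload.
        $this->assertSame('Updated Name', $org->fresh()->name);
    }

    /**
     * A user attached with only the org_member pivot role is refused on update,
     * and the stored name must be unchanged after the refused request.
     */
    public function test_org_member_cannot_update_organisation(): void
    {
        $user = User::factory()->create();
        $org = Organisation::factory()->create();
        $org->users()->attach($user, ['role' => 'org_member']);

        Sanctum::actingAs($user);

        $response = $this->putJson("/api/v1/organisations/{$org->id}", [
            'name' => 'Hacked Name',
        ]);

        $response->assertForbidden();
        // Guard against an update that is applied before the 403 is returned.
        $this->assertNotSame('Hacked Name', $org->fresh()->name);
    }
}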