api/tests/Feature/FormBuilder/Channels/SubmissionChannelAuthTest.php

@@ -8,27 +8,35 @@ use App\Models\FormBuilder\FormSchema;
 use App\Models\FormBuilder\FormSubmission;
 use App\Models\Organisation;
 use App\Models\User;
+use Database\Seeders\RoleSeeder;
 use Illuminate\Foundation\Testing\RefreshDatabase;
 use Illuminate\Support\Facades\Broadcast;
 use Tests\TestCase;
 
 /**
- * Per RFC-WS-6 §Q1 v1.3 addition 2.
+ * Per RFC-WS-6 §Q1 v1.3 addition 2 + BACKLOG TECH-CHANNEL-AUTH-ORG-ADMIN.
  *
- * The submission.{submissionId} private channel authorises only the
- * submitter (user whose id matches submissions.submitted_by_user_id).
- * Org-admin access is deferred — see BACKLOG entry
- * TECH-CHANNEL-AUTH-ORG-ADMIN.
+ * The submission.{submissionId} private channel authorises three classes:
+ *   1. Submitter (matching submitted_by_user_id)
+ *   2. super_admin (Spatie HasRoles, app-wide bypass)
+ *   3. Organisation admin of the submission's organisation (pivot-table
+ *      role='org_admin' on user_organisation)
  *
  * Broadcast::auth() drives the same callback path that Laravel's
  * broadcasting auth middleware uses on a websocket subscription
  * attempt. Tests pose as authenticated users and assert the boolean
- * outcome.
+ * outcome of the callback.
  */
 final class SubmissionChannelAuthTest extends TestCase
 {
     use RefreshDatabase;
 
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+    }
+
     private function authoriseSubscription(?User $user, FormSubmission $submission): bool
     {
         // Resolve the channel callback registered in routes/channels.php.
@@ -54,14 +62,20 @@ final class SubmissionChannelAuthTest extends TestCase
         $this->fail("No channel callback registered for {$name}");
     }
 
-    private function makeSubmission(?User $submitter): FormSubmission
+    /**
+     * Build a submission tied to the given organisation (or a fresh one
+     * if not specified). The submitter is a fresh User unrelated to any
+     * test fixture so the submitted_by_user_id short-circuit doesn't
+     * accidentally authorise org-admin / super-admin / member tests.
+     */
+    private function makeSubmission(?Organisation $organisation = null, ?User $submitter = null): FormSubmission
     {
-        $org = Organisation::factory()->create();
-        $schema = FormSchema::factory()->create(['organisation_id' => $org->id]);
+        $organisation ??= Organisation::factory()->create();
+        $schema = FormSchema::factory()->create(['organisation_id' => $organisation->id]);
 
         return FormSubmission::factory()->create([
             'form_schema_id' => $schema->id,
-            'organisation_id' => $org->id,
+            'organisation_id' => $organisation->id,
             'submitted_by_user_id' => $submitter?->id,
         ]);
     }
@@ -69,16 +83,81 @@ final class SubmissionChannelAuthTest extends TestCase
     public function test_submitter_is_authorised(): void
     {
         $submitter = User::factory()->create();
-        $submission = $this->makeSubmission($submitter);
+        $submission = $this->makeSubmission(submitter: $submitter);
 
         $this->assertTrue($this->authoriseSubscription($submitter, $submission));
     }
 
+    public function test_super_admin_can_subscribe(): void
+    {
+        // Spatie HasRoles app-wide bypass — super_admin can subscribe to
+        // any submission's channel regardless of organisation membership
+        // or submitter relationship. Matches the codebase convention
+        // used in every analogous policy.
+        $superAdmin = User::factory()->create();
+        $superAdmin->assignRole('super_admin');
+
+        $submitter = User::factory()->create();
+        $submission = $this->makeSubmission(submitter: $submitter);
+
+        $this->assertTrue($this->authoriseSubscription($superAdmin, $submission));
+    }
+
+    public function test_organisation_admin_of_submission_org_can_subscribe(): void
+    {
+        // Pivot-table check: user attached to the submission's
+        // organisation with role='org_admin'. Mirrors the canonical
+        // pattern from FormSubmissionActionFailurePolicy::canAccess.
+        $organisation = Organisation::factory()->create();
+        $orgAdmin = User::factory()->create();
+        $organisation->users()->attach($orgAdmin->id, ['role' => 'org_admin']);
+
+        $submitter = User::factory()->create();
+        $submission = $this->makeSubmission(organisation: $organisation, submitter: $submitter);
+
+        $this->assertTrue($this->authoriseSubscription($orgAdmin, $submission));
+    }
+
+    public function test_organisation_admin_of_different_org_cannot_subscribe(): void
+    {
+        // Critical multi-tenancy guard: an org_admin of organisation A
+        // must NOT be able to subscribe to a submission's channel when
+        // that submission belongs to organisation B. If this fails, the
+        // pivot-table check is wrong and tenant isolation is broken.
+        $submissionOrg = Organisation::factory()->create();
+        $otherOrg = Organisation::factory()->create();
+
+        $crossTenantAdmin = User::factory()->create();
+        $otherOrg->users()->attach($crossTenantAdmin->id, ['role' => 'org_admin']);
+
+        $submitter = User::factory()->create();
+        $submission = $this->makeSubmission(organisation: $submissionOrg, submitter: $submitter);
+
+        $this->assertFalse($this->authoriseSubscription($crossTenantAdmin, $submission));
+    }
+
+    public function test_regular_organisation_member_cannot_subscribe(): void
+    {
+        // Member of the submission's organisation but with role='org_member',
+        // not 'org_admin'. The pivot-table wherePivot('role', 'org_admin')
+        // filters them out.
+        $organisation = Organisation::factory()->create();
+        $member = User::factory()->create();
+        $organisation->users()->attach($member->id, ['role' => 'org_member']);
+
+        $submitter = User::factory()->create();
+        $submission = $this->makeSubmission(organisation: $organisation, submitter: $submitter);
+
+        $this->assertFalse($this->authoriseSubscription($member, $submission));
+    }
+
     public function test_other_authenticated_user_is_denied(): void
     {
+        // User with NO organisation membership at all → falls through
+        // every auth branch (not submitter, not super_admin, no pivot row).
         $submitter = User::factory()->create();
         $other = User::factory()->create();
-        $submission = $this->makeSubmission($submitter);
+        $submission = $this->makeSubmission(submitter: $submitter);
 
         $this->assertFalse($this->authoriseSubscription($other, $submission));
     }
@@ -88,7 +167,7 @@ final class SubmissionChannelAuthTest extends TestCase
         $user = User::factory()->create();
 
         // Build a submission, then delete it so the FK lookup returns null.
-        $submission = $this->makeSubmission($user);
+        $submission = $this->makeSubmission(submitter: $user);
         $submissionId = (string) $submission->id;
         $submission->forceDelete();
 
@@ -98,22 +177,4 @@ final class SubmissionChannelAuthTest extends TestCase
 
         $this->assertFalse($this->authoriseSubscription($user, $shell));
     }
-
-    public function test_org_admin_is_currently_denied_per_backlog_entry(): void
-    {
-        // Locks the v1 contract: even an org admin of the submission's
-        // organisation is denied because the canonical Spatie helper
-        // hasn't been audited yet. See BACKLOG entry
-        // TECH-CHANNEL-AUTH-ORG-ADMIN. When that lands, this test should
-        // flip to expectTrue() in the same PR as the auth-callback
-        // extension.
-        $orgAdmin = User::factory()->create();
-        $submitter = User::factory()->create();
-        $submission = $this->makeSubmission($submitter);
-
-        $this->assertFalse(
-            $this->authoriseSubscription($orgAdmin, $submission),
-            'V1 contract: org admins are NOT authorised. Flip with TECH-CHANNEL-AUTH-ORG-ADMIN.',
-        );
-    }
 }