bert.hausmans
0d24506c89
Frontend: - Consolidate duplicate API layers into single src/lib/axios.ts per app - Remove src/lib/api-client.ts and src/utils/api.ts (admin) - Add src/lib/query-client.ts with TanStack Query config per app - Update all imports and auto-import config Backend: - Fix organisations.billing_status default to 'trial' - Fix user_invitations.invited_by_user_id to nullOnDelete - Add MeResource with separated app_roles and pivot-based org roles - Add cross-org check to EventPolicy view() and update() - Restrict EventPolicy create/update to org_admin/event_manager (not org_member) - Attach creator as org_admin on organisation store - Add query scopes to Event and UserInvitation models - Improve factories with Dutch test data - Expand test suite from 29 to 41 tests (90 assertions) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
225 lines
6.0 KiB
PHP
225 lines
6.0 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Feature\Organisation;
|
|
|
|
use App\Models\Organisation;
|
|
use App\Models\User;
|
|
use Database\Seeders\RoleSeeder;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Laravel\Sanctum\Sanctum;
|
|
use Tests\TestCase;
|
|
|
|
class OrganisationTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
$this->seed(RoleSeeder::class);
|
|
}
|
|
|
|
// --- INDEX ---
|
|
|
|
public function test_super_admin_can_list_all_organisations(): void
|
|
{
|
|
$admin = User::factory()->create();
|
|
$admin->assignRole('super_admin');
|
|
Organisation::factory()->count(3)->create();
|
|
|
|
Sanctum::actingAs($admin);
|
|
|
|
$response = $this->getJson('/api/v1/organisations');
|
|
|
|
$response->assertOk();
|
|
$this->assertCount(3, $response->json('data'));
|
|
}
|
|
|
|
public function test_org_member_sees_only_own_organisations(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
$ownOrg = Organisation::factory()->create();
|
|
Organisation::factory()->create(); // other org
|
|
|
|
$ownOrg->users()->attach($user, ['role' => 'org_member']);
|
|
|
|
Sanctum::actingAs($user);
|
|
|
|
$response = $this->getJson('/api/v1/organisations');
|
|
|
|
$response->assertOk();
|
|
$this->assertCount(1, $response->json('data'));
|
|
$this->assertEquals($ownOrg->id, $response->json('data.0.id'));
|
|
}
|
|
|
|
public function test_unauthenticated_user_cannot_list_organisations(): void
|
|
{
|
|
$response = $this->getJson('/api/v1/organisations');
|
|
|
|
$response->assertUnauthorized();
|
|
}
|
|
|
|
// --- SHOW ---
|
|
|
|
public function test_org_member_can_view_own_organisation(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
$org = Organisation::factory()->create();
|
|
$org->users()->attach($user, ['role' => 'org_member']);
|
|
|
|
Sanctum::actingAs($user);
|
|
|
|
$response = $this->getJson("/api/v1/organisations/{$org->id}");
|
|
|
|
$response->assertOk()
|
|
->assertJson(['data' => ['id' => $org->id]]);
|
|
}
|
|
|
|
public function test_user_cannot_view_other_organisation(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
$org = Organisation::factory()->create();
|
|
|
|
Sanctum::actingAs($user);
|
|
|
|
$response = $this->getJson("/api/v1/organisations/{$org->id}");
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
// --- STORE ---
|
|
|
|
public function test_super_admin_can_create_organisation(): void
|
|
{
|
|
$admin = User::factory()->create();
|
|
$admin->assignRole('super_admin');
|
|
|
|
Sanctum::actingAs($admin);
|
|
|
|
$response = $this->postJson('/api/v1/organisations', [
|
|
'name' => 'Test Org',
|
|
'slug' => 'test-org',
|
|
]);
|
|
|
|
$response->assertCreated()
|
|
->assertJson(['data' => ['name' => 'Test Org', 'slug' => 'test-org']]);
|
|
|
|
$this->assertDatabaseHas('organisations', ['slug' => 'test-org']);
|
|
}
|
|
|
|
public function test_store_attaches_creator_as_org_admin(): void
|
|
{
|
|
$admin = User::factory()->create();
|
|
$admin->assignRole('super_admin');
|
|
|
|
Sanctum::actingAs($admin);
|
|
|
|
$response = $this->postJson('/api/v1/organisations', [
|
|
'name' => 'New Org',
|
|
'slug' => 'new-org',
|
|
]);
|
|
|
|
$response->assertCreated();
|
|
|
|
$org = Organisation::where('slug', 'new-org')->first();
|
|
$this->assertDatabaseHas('organisation_user', [
|
|
'user_id' => $admin->id,
|
|
'organisation_id' => $org->id,
|
|
'role' => 'org_admin',
|
|
]);
|
|
}
|
|
|
|
public function test_non_admin_cannot_create_organisation(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
|
|
Sanctum::actingAs($user);
|
|
|
|
$response = $this->postJson('/api/v1/organisations', [
|
|
'name' => 'Test Org',
|
|
'slug' => 'test-org',
|
|
]);
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
public function test_store_with_invalid_data_returns_422(): void
|
|
{
|
|
$admin = User::factory()->create();
|
|
$admin->assignRole('super_admin');
|
|
|
|
Sanctum::actingAs($admin);
|
|
|
|
$response = $this->postJson('/api/v1/organisations', []);
|
|
|
|
$response->assertUnprocessable()
|
|
->assertJsonValidationErrors(['name', 'slug']);
|
|
}
|
|
|
|
public function test_store_with_duplicate_slug_returns_422(): void
|
|
{
|
|
$admin = User::factory()->create();
|
|
$admin->assignRole('super_admin');
|
|
Organisation::factory()->create(['slug' => 'taken-slug']);
|
|
|
|
Sanctum::actingAs($admin);
|
|
|
|
$response = $this->postJson('/api/v1/organisations', [
|
|
'name' => 'New Org',
|
|
'slug' => 'taken-slug',
|
|
]);
|
|
|
|
$response->assertUnprocessable()
|
|
->assertJsonValidationErrors(['slug']);
|
|
}
|
|
|
|
// --- UPDATE ---
|
|
|
|
public function test_org_admin_can_update_organisation(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
$org = Organisation::factory()->create();
|
|
$org->users()->attach($user, ['role' => 'org_admin']);
|
|
|
|
Sanctum::actingAs($user);
|
|
|
|
$response = $this->putJson("/api/v1/organisations/{$org->id}", [
|
|
'name' => 'Updated Name',
|
|
]);
|
|
|
|
$response->assertOk()
|
|
->assertJson(['data' => ['name' => 'Updated Name']]);
|
|
}
|
|
|
|
public function test_org_member_cannot_update_organisation(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
$org = Organisation::factory()->create();
|
|
$org->users()->attach($user, ['role' => 'org_member']);
|
|
|
|
Sanctum::actingAs($user);
|
|
|
|
$response = $this->putJson("/api/v1/organisations/{$org->id}", [
|
|
'name' => 'Hacked Name',
|
|
]);
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
public function test_non_member_cannot_update_organisation(): void
|
|
{
|
|
$user = User::factory()->create();
|
|
$org = Organisation::factory()->create();
|
|
|
|
Sanctum::actingAs($user);
|
|
|
|
$response = $this->putJson("/api/v1/organisations/{$org->id}", [
|
|
'name' => 'Hacked Name',
|
|
]);
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
}
|