bert.hausmans
ddf26dad33
Add cross-organisation admin API endpoints behind role:super_admin middleware: - AdminOrganisationController: CRUD with search, filter, billing_status management - AdminUserController: user management with role assignment across orgs - AdminStatsController: platform-wide aggregate statistics - AdminActivityLogController: filterable activity log viewer - AdminImpersonationController + ImpersonationService: user impersonation with token-based session management and activity logging - BillingStatus enum, form requests, API resources, 23 feature tests Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
125 lines
4.2 KiB
PHP
125 lines
4.2 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Feature\Api\V1\Admin;
|
|
|
|
use App\Models\User;
|
|
use Database\Seeders\RoleSeeder;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Laravel\Sanctum\Sanctum;
|
|
use Spatie\Activitylog\Models\Activity;
|
|
use Tests\TestCase;
|
|
|
|
class AdminImpersonationTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
private User $superAdmin;
|
|
private User $targetUser;
|
|
private User $otherSuperAdmin;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
$this->seed(RoleSeeder::class);
|
|
|
|
$this->superAdmin = User::factory()->create();
|
|
$this->superAdmin->assignRole('super_admin');
|
|
|
|
$this->targetUser = User::factory()->create();
|
|
|
|
$this->otherSuperAdmin = User::factory()->create();
|
|
$this->otherSuperAdmin->assignRole('super_admin');
|
|
}
|
|
|
|
// ─── Start ───────────────────────────────────────────────
|
|
|
|
public function test_start_creates_token_for_target_user(): void
|
|
{
|
|
Sanctum::actingAs($this->superAdmin);
|
|
|
|
$response = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
|
|
|
|
$response->assertOk();
|
|
$response->assertJsonStructure([
|
|
'data' => ['token', 'user' => ['id', 'email'], 'admin_id'],
|
|
]);
|
|
$response->assertJsonPath('data.user.id', $this->targetUser->id);
|
|
$response->assertJsonPath('data.admin_id', $this->superAdmin->id);
|
|
|
|
$this->assertDatabaseHas('personal_access_tokens', [
|
|
'tokenable_id' => $this->targetUser->id,
|
|
'name' => 'impersonation-by-' . $this->superAdmin->id,
|
|
]);
|
|
}
|
|
|
|
public function test_start_denied_for_non_super_admin(): void
|
|
{
|
|
Sanctum::actingAs($this->targetUser);
|
|
|
|
$response = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
public function test_start_denied_when_target_is_super_admin(): void
|
|
{
|
|
Sanctum::actingAs($this->superAdmin);
|
|
|
|
$response = $this->postJson("/api/v1/admin/impersonate/{$this->otherSuperAdmin->id}");
|
|
|
|
$response->assertForbidden();
|
|
}
|
|
|
|
// ─── Stop ────────────────────────────────────────────────
|
|
|
|
public function test_stop_deletes_impersonation_token(): void
|
|
{
|
|
// Start impersonation
|
|
Sanctum::actingAs($this->superAdmin);
|
|
$startResponse = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
|
|
$token = $startResponse->json('data.token');
|
|
|
|
// Reset auth state so the Bearer token takes effect
|
|
$this->app['auth']->forgetGuards();
|
|
|
|
$response = $this->withHeader('Authorization', "Bearer {$token}")
|
|
->postJson('/api/v1/admin/stop-impersonation');
|
|
|
|
$response->assertOk();
|
|
$response->assertJsonPath('data.user.id', $this->superAdmin->id);
|
|
|
|
$this->assertDatabaseMissing('personal_access_tokens', [
|
|
'tokenable_id' => $this->targetUser->id,
|
|
'name' => 'impersonation-by-' . $this->superAdmin->id,
|
|
]);
|
|
}
|
|
|
|
// ─── Activity Log ────────────────────────────────────────
|
|
|
|
public function test_activity_log_records_start_and_stop(): void
|
|
{
|
|
Sanctum::actingAs($this->superAdmin);
|
|
$startResponse = $this->postJson("/api/v1/admin/impersonate/{$this->targetUser->id}");
|
|
$token = $startResponse->json('data.token');
|
|
|
|
$this->assertDatabaseHas('activity_log', [
|
|
'event' => 'admin.impersonation.started',
|
|
'causer_id' => $this->superAdmin->id,
|
|
'subject_id' => $this->targetUser->id,
|
|
]);
|
|
|
|
// Reset auth state so the Bearer token takes effect
|
|
$this->app['auth']->forgetGuards();
|
|
|
|
$this->withHeader('Authorization', "Bearer {$token}")
|
|
->postJson('/api/v1/admin/stop-impersonation');
|
|
|
|
$this->assertDatabaseHas('activity_log', [
|
|
'event' => 'admin.impersonation.stopped',
|
|
'subject_id' => $this->targetUser->id,
|
|
]);
|
|
}
|
|
}
|