'test'], ['name' => 'T', 'price' => 0, 'features' => []]); $this->company = Company::create([ 'plan_id' => $plan->id, 'slug' => 'ov-' . uniqid(), 'name' => 'OV Co', 'status' => 'active', ]); app(TenantManager::class)->setCurrent($this->company); app(RbacSeeder::class)->seedTenantRoles($this->company->id); app(PermissionRegistrar::class)->setPermissionsTeamId($this->company->id); $this->mechanic = User::create([ 'name' => 'M', 'email' => 'm-' . uniqid() . '@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active', ]); $this->mechanic->syncRoles(['mechanic']); } public function test_grant_override_unlocks_permission_for_user(): void { // Mechanic normally can't view all WOs $this->assertFalse($this->mechanic->canDo(Permissions::WORK_ORDERS_VIEW_ALL)); $perm = Permission::where('name', Permissions::WORK_ORDERS_VIEW_ALL)->first(); UserPermissionOverride::create([ 'user_id' => $this->mechanic->id, 'permission_id' => $perm->id, 'mode' => 'grant', 'reason' => 'temp standin', 'granted_at' => now(), ]); $this->mechanic->refresh(); $this->assertTrue($this->mechanic->canDo(Permissions::WORK_ORDERS_VIEW_ALL)); } public function test_deny_override_blocks_permission_even_when_role_grants_it(): void { $this->mechanic->refresh(); $this->assertTrue($this->mechanic->canDo(Permissions::INVENTORY_VIEW)); $perm = Permission::where('name', Permissions::INVENTORY_VIEW)->first(); UserPermissionOverride::create([ 'user_id' => $this->mechanic->id, 'permission_id' => $perm->id, 'mode' => 'deny', 'reason' => 'audit period', 'granted_at' => now(), ]); $this->mechanic->refresh(); $this->assertFalse($this->mechanic->canDo(Permissions::INVENTORY_VIEW)); } public function test_deny_override_blocks_even_admin_role(): void { $admin = User::create(['name' => 'A', 'email' => 'a-' . uniqid() . '@e.com', 'password' => bcrypt('x'), 'role' => 'admin', 'status' => 'active']); $admin->syncRoles(['admin']); $perm = Permission::where('name', Permissions::FINANCE_DELETE_PAYMENT)->first(); UserPermissionOverride::create([ 'user_id' => $admin->id, 'permission_id' => $perm->id, 'mode' => 'deny', 'reason' => 'separation of duties', 'granted_at' => now(), ]); $admin->refresh(); $this->assertFalse($admin->canDo(Permissions::FINANCE_DELETE_PAYMENT)); // Other permissions still work $this->assertTrue($admin->canDo(Permissions::FINANCE_VIEW_OVERVIEW)); } public function test_expired_override_is_ignored(): void { $perm = Permission::where('name', Permissions::WORK_ORDERS_VIEW_ALL)->first(); UserPermissionOverride::create([ 'user_id' => $this->mechanic->id, 'permission_id' => $perm->id, 'mode' => 'grant', 'reason' => 'temp', 'granted_at' => now()->subDay(), 'expires_at' => now()->subHour(), // already expired ]); $this->mechanic->refresh(); $this->assertFalse($this->mechanic->canDo(Permissions::WORK_ORDERS_VIEW_ALL)); } public function test_future_expiry_keeps_override_active(): void { $perm = Permission::where('name', Permissions::WORK_ORDERS_VIEW_ALL)->first(); UserPermissionOverride::create([ 'user_id' => $this->mechanic->id, 'permission_id' => $perm->id, 'mode' => 'grant', 'reason' => 'temp', 'granted_at' => now(), 'expires_at' => now()->addDays(7), ]); $this->mechanic->refresh(); $this->assertTrue($this->mechanic->canDo(Permissions::WORK_ORDERS_VIEW_ALL)); } public function test_audit_log_writes_entry_on_sensitive_denial(): void { // mechanic.canDo(admin.users.manage) → false → logs activity $this->mechanic->canDo(Permissions::ADMIN_USERS_MANAGE); $rows = DB::table('activity_log') ->where('event', 'permission_denied') ->get(); $this->assertGreaterThanOrEqual(1, $rows->count()); $latest = $rows->last(); $this->assertStringContainsString('admin.users.manage', $latest->properties); } public function test_non_sensitive_denial_does_not_log(): void { DB::table('activity_log')->truncate(); // CLIENTS_CREATE is not in AUDITED_DENIALS list $this->mechanic->canDo(Permissions::CLIENTS_CREATE); $count = DB::table('activity_log')->where('event', 'permission_denied')->count(); $this->assertEquals(0, $count); } public function test_force_logout_deletes_all_user_sessions(): void { DB::table('sessions')->insert([ ['id' => 's1', 'user_id' => $this->mechanic->id, 'ip_address' => '1.1.1.1', 'user_agent' => 'Chrome', 'payload' => '', 'last_activity' => time()], ['id' => 's2', 'user_id' => $this->mechanic->id, 'ip_address' => '2.2.2.2', 'user_agent' => 'Firefox', 'payload' => '', 'last_activity' => time()], ['id' => 's3', 'user_id' => 9999, 'ip_address' => '3.3.3.3', 'user_agent' => 'Safari', 'payload' => '', 'last_activity' => time()], ]); $n = DB::table('sessions')->where('user_id', $this->mechanic->id)->delete(); $this->assertEquals(2, $n); $this->assertEquals(0, DB::table('sessions')->where('user_id', $this->mechanic->id)->count()); // Other users' sessions untouched $this->assertEquals(1, DB::table('sessions')->where('user_id', 9999)->count()); } }