d9180e16b3
Closes the P2 items from /tmp/service/new/01-TZ-rbac §4.1 §4.2.
== User invitation workflow ==
New columns on users: invited_at, invited_by_id (FK self), accepted_at,
invitation_token (sha256 hash, indexed). Migration is idempotent.
User::sendInvitation($invitedBy = auth()->user())
- generates 64-char random token
- stores sha256(token) in invitation_token column (never plaintext)
- marks invited_at = now(), status = inactive
- queues UserInvitationMail to the user's email with the signed accept URL
- returns the raw token (for tests / API consumers)
User::findByInvitationToken($rawToken) hashes + lookups.
User::acceptInvitation($password) sets password (hashed cast), clears
invitation_token, marks accepted_at + email_verified_at, status = active.
Web routes (no auth — token IS the credential):
GET /invitations/{token} → password-set form
POST /invitations/{token} → validates min:8 + confirmed, accepts
Tokens expire after 7 days (checked against invited_at). Expired and
invalid tokens render dedicated views (invitations/expired.blade.php,
invitations/invalid.blade.php) instead of generic 404 — so the user
knows to ask for a resend.
UserInvitationMail uses Filament's existing markdown layout; subject
includes the tenant display_name.
== REST API ==
Twenty new endpoints under /api/v1/ (Sanctum auth + tenant scoping
via the existing EnsureTokenMatchesTenant middleware). All gated by
ADMIN_USERS_* / ADMIN_ROLES_MANAGE permissions; mechanic-level token
gets 403.
Users:
GET /users — paginated + role/status/q filters
GET /users/{u} — eager-loads roles + overrides + invitedBy
POST /users — creates inactive user + sends invitation
PATCH /users/{u} — update name/email/role/status
DELETE /users/{u} — soft delete
POST /users/{u}/activate
POST /users/{u}/deactivate — also revokes all sessions
POST /users/{u}/resend-invitation
POST /users/{u}/force-password-reset — re-sends invitation
GET /users/{u}/sessions — list active sessions (from sessions table)
DELETE /users/{u}/sessions — revoke all
DELETE /users/{u}/sessions/{sessionId} — revoke one
GET /users/{u}/roles — assigned roles
POST /users/{u}/roles — assign role
DELETE /users/{u}/roles/{role} — remove role
GET /users/{u}/permissions — effective: role perms + grants - active denies
POST /users/{u}/permission-overrides — add grant/deny (with optional expires_at)
DELETE /users/{u}/permission-overrides/{perm}
Roles:
apiResource roles — index/show/store/update/destroy
(system roles guarded against rename/delete)
GET /roles/{r}/permissions
PUT /roles/{r}/permissions — bulk sync
GET /permissions — catalog: flat list + grouped + labels + role labels
Authorization is uniform: every controller method calls $this->authorize()
which throws 403 if canDo(perm) is false. canDo() already honors the
overrides + admin bypass + audit log from earlier commits, so the API
behaves identically to the Filament UI.
== Tests ==
InvitationFlowTest (8): token generation + sha256 storage + queued mail,
findByInvitationToken happy/sad path, accept sets password + activates,
GET form renders, POST accepts + redirects, invalid token view,
backdated invited_at → expired view, password too short → validation error.
RbacApiTest (12): admin can list users, mechanic 403, create user
queues invitation, assign+remove role round-trip, effective permissions
endpoint subtracts active denies, add+remove override via API,
role index returns 7 system roles with permission counts (51 for owner),
role sync permissions, system role destroy rejected with 422,
permission catalog endpoint returns all 51 + grouped + labels,
revoke all sessions deletes only target user's rows.
Suite: 234 passed (659 assertions). Was 214.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
152 lines
5.4 KiB
PHP
152 lines
5.4 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature;
|
|
|
|
use App\Mail\UserInvitationMail;
|
|
use App\Models\Central\Company;
|
|
use App\Models\Central\Plan;
|
|
use App\Models\Tenant\User;
|
|
use App\Services\RbacSeeder;
|
|
use App\Tenancy\TenantManager;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\Mail;
|
|
use Tests\TestCase;
|
|
|
|
class InvitationFlowTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
private Company $company;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
$plan = Plan::firstOrCreate(['slug' => 'test'], ['name' => 'T', 'price' => 0, 'features' => []]);
|
|
$this->company = Company::create([
|
|
'plan_id' => $plan->id, 'slug' => 'inv-' . uniqid(),
|
|
'name' => 'Inv Co', 'status' => 'active',
|
|
]);
|
|
app(TenantManager::class)->setCurrent($this->company);
|
|
app(RbacSeeder::class)->seedTenantRoles($this->company->id);
|
|
}
|
|
|
|
public function test_send_invitation_generates_token_marks_pending_and_queues_mail(): void
|
|
{
|
|
Mail::fake();
|
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
|
|
|
$token = $u->sendInvitation();
|
|
|
|
$u->refresh();
|
|
$this->assertNotEmpty($token);
|
|
$this->assertEquals(64, strlen($token));
|
|
$this->assertNotNull($u->invited_at);
|
|
$this->assertNull($u->accepted_at);
|
|
$this->assertEquals('inactive', $u->status);
|
|
$this->assertTrue($u->isPendingInvitation());
|
|
|
|
// Stored token is sha256 hash, not the raw value
|
|
$this->assertNotEquals($token, $u->invitation_token);
|
|
$this->assertEquals(hash('sha256', $token), $u->invitation_token);
|
|
|
|
Mail::assertQueued(UserInvitationMail::class, fn ($m) => $m->user->id === $u->id);
|
|
}
|
|
|
|
public function test_find_by_invitation_token_resolves_user(): void
|
|
{
|
|
Mail::fake();
|
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
|
$token = $u->sendInvitation();
|
|
|
|
$found = User::findByInvitationToken($token);
|
|
$this->assertNotNull($found);
|
|
$this->assertEquals($u->id, $found->id);
|
|
|
|
// Wrong token returns null
|
|
$this->assertNull(User::findByInvitationToken('not-a-real-token'));
|
|
}
|
|
|
|
public function test_accept_invitation_sets_password_clears_token_activates(): void
|
|
{
|
|
Mail::fake();
|
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('placeholder'), 'role' => 'mechanic', 'status' => 'inactive']);
|
|
$token = $u->sendInvitation();
|
|
|
|
$u->refresh();
|
|
$u->acceptInvitation('NewStrongPass123');
|
|
|
|
$u->refresh();
|
|
$this->assertNull($u->invitation_token);
|
|
$this->assertNotNull($u->accepted_at);
|
|
$this->assertEquals('active', $u->status);
|
|
$this->assertNotNull($u->email_verified_at);
|
|
$this->assertTrue(\Hash::check('NewStrongPass123', $u->password));
|
|
$this->assertFalse($u->isPendingInvitation());
|
|
}
|
|
|
|
public function test_invitation_url_returns_form_with_token(): void
|
|
{
|
|
Mail::fake();
|
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
|
$token = $u->sendInvitation();
|
|
|
|
$resp = $this->get("/invitations/{$token}");
|
|
$resp->assertStatus(200);
|
|
$resp->assertSee($u->name);
|
|
$resp->assertSee('Activează contul');
|
|
}
|
|
|
|
public function test_invitation_post_accepts_password_and_redirects(): void
|
|
{
|
|
Mail::fake();
|
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('placeholder'), 'role' => 'mechanic', 'status' => 'active']);
|
|
$token = $u->sendInvitation();
|
|
|
|
$resp = $this->post("/invitations/{$token}", [
|
|
'password' => 'BrandNewPass1',
|
|
'password_confirmation' => 'BrandNewPass1',
|
|
]);
|
|
$resp->assertStatus(302);
|
|
|
|
$u->refresh();
|
|
$this->assertNotNull($u->accepted_at);
|
|
$this->assertTrue(\Hash::check('BrandNewPass1', $u->password));
|
|
}
|
|
|
|
public function test_invalid_token_returns_invalid_view(): void
|
|
{
|
|
$resp = $this->get('/invitations/not-a-real-token');
|
|
$resp->assertStatus(200);
|
|
$resp->assertSee('Invitație invalidă');
|
|
}
|
|
|
|
public function test_expired_invitation_returns_expired_view(): void
|
|
{
|
|
Mail::fake();
|
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
|
$token = $u->sendInvitation();
|
|
// Force expiry by backdating invited_at
|
|
$u->forceFill(['invited_at' => now()->subDays(8)])->saveQuietly();
|
|
|
|
$resp = $this->get("/invitations/{$token}");
|
|
$resp->assertStatus(200);
|
|
$resp->assertSee('Invitație expirată');
|
|
}
|
|
|
|
public function test_password_too_short_returns_validation_error(): void
|
|
{
|
|
Mail::fake();
|
|
$u = User::create(['name' => 'X', 'email' => 'x@e.com', 'password' => bcrypt('x'), 'role' => 'mechanic', 'status' => 'active']);
|
|
$token = $u->sendInvitation();
|
|
|
|
$resp = $this->post("/invitations/{$token}", [
|
|
'password' => 'short',
|
|
'password_confirmation' => 'short',
|
|
]);
|
|
$resp->assertSessionHasErrors('password');
|
|
|
|
$u->refresh();
|
|
$this->assertNull($u->accepted_at);
|
|
}
|
|
}
|