artisan('lottery:admin-auth-sync')->assertExitCode(0); }); test('role with only draw view slug does not round-trip as manage', function (): void { $role = AdminRole::query()->create([ 'slug' => 'draw_view_only', 'name' => 'Draw view only', ]); $role->syncLegacyPermissionSlugs(['prd.draw_result.view']); expect($role->legacyPermissionSlugs()) ->toContain('prd.draw_result.view') ->not->toContain('prd.draw_result.manage'); }); test('platform role sync can drop draw manage while keeping view', function (): void { $super = AdminUser::query()->create([ 'username' => 'draw_perm_super', 'name' => 'Super', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); grantSuperAdminRole($super); $token = $super->createToken('test', ['*'], now()->addDay())->plainTextToken; $role = AdminRole::query()->create([ 'slug' => 'draw_toggle_test', 'name' => 'Draw toggle test', ]); $this->withHeader('Authorization', 'Bearer '.$token) ->putJson('/api/v1/admin/admin-roles/'.$role->id.'/permissions', [ 'permission_slugs' => ['prd.draw_result.view', 'prd.draw_result.manage'], ]) ->assertOk() ->assertJsonPath('data.permission_slugs', fn ($slugs): bool => in_array('prd.draw_result.manage', $slugs, true)); $this->withHeader('Authorization', 'Bearer '.$token) ->putJson('/api/v1/admin/admin-roles/'.$role->id.'/permissions', [ 'permission_slugs' => ['prd.draw_result.view'], ]) ->assertOk() ->assertJsonPath('data.permission_slugs', function ($slugs): bool { $list = is_array($slugs) ? $slugs : []; return in_array('prd.draw_result.view', $list, true) && ! in_array('prd.draw_result.manage', $list, true); }); });