seed(CurrencySeeder::class); }); function playerManageAdminToken(): string { $admin = AdminUser::query()->create([ 'username' => 'player_manage_admin', 'name' => 'Player Manage Admin', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); grantSuperAdminRole($admin); return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken; } function playerPermissionAdminToken(string $username, array $permissionSlugs): string { $admin = AdminUser::query()->create([ 'username' => $username, 'name' => 'Player Permission Admin', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); $role = AdminRole::query()->create([ 'slug' => 'role_'.$username, 'name' => 'Role '.$username, ]); $role->syncLegacyPermissionSlugs($permissionSlugs); $admin->roles()->sync([ (int) $role->id => [ 'site_id' => AdminUser::defaultAdminSiteId(), 'granted_at' => now(), ], ]); return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken; } function playerPermissionRequest($test, string $token) { app('auth')->forgetGuards(); return $test->withHeader('Authorization', 'Bearer '.$token); } test('super admin can create player under site root agent', function (): void { $siteCode = DB::table('admin_sites')->where('is_default', true)->value('code'); $siteCode = is_string($siteCode) && $siteCode !== '' ? $siteCode : 'default_site'; $token = playerManageAdminToken(); $sitePlayerId = 'manual-create-'.uniqid('', true); $this->withHeader('Authorization', 'Bearer '.$token) ->postJson('/api/v1/admin/players', [ 'site_code' => $siteCode, 'site_player_id' => $sitePlayerId, 'default_currency' => 'NPR', 'status' => 0, ]) ->assertCreated() ->assertJsonPath('data.site_code', $siteCode) ->assertJsonPath('data.site_player_id', $sitePlayerId); $this->assertDatabaseHas('players', [ 'site_code' => $siteCode, 'site_player_id' => $sitePlayerId, ]); }); test('platform user without agent binding cannot create player', function (): void { $siteCode = DB::table('admin_sites')->where('is_default', true)->value('code'); $siteCode = is_string($siteCode) && $siteCode !== '' ? $siteCode : 'default_site'; $token = playerPermissionAdminToken('player_manager_no_agent', ['prd.users.manage']); $this->withHeader('Authorization', 'Bearer '.$token) ->postJson('/api/v1/admin/players', [ 'site_code' => $siteCode, 'site_player_id' => 'blocked-create', 'default_currency' => 'NPR', ]) ->assertStatus(422) ->assertJsonPath('msg', fn (string $msg): bool => str_contains($msg, '代理') || str_contains($msg, 'agent')); }); test('admin can freeze and unfreeze player with audit log', function (): void { $siteCode = DB::table('admin_sites')->where('is_default', true)->value('code'); $siteCode = is_string($siteCode) && $siteCode !== '' ? $siteCode : 'default_site'; $player = Player::query()->create([ 'site_code' => $siteCode, 'site_player_id' => 'freeze-1', 'username' => 'freeze_user', 'nickname' => 'Freeze', 'default_currency' => 'NPR', 'status' => 0, ]); PlayerWallet::query()->create([ 'player_id' => $player->id, 'wallet_type' => 'lottery', 'currency_code' => 'NPR', 'balance' => 1_000, 'frozen_balance' => 0, 'status' => 0, 'version' => 0, ]); $token = playerManageAdminToken(); $this->withHeader('Authorization', 'Bearer '.$token) ->postJson('/api/v1/admin/players/'.$player->id.'/freeze') ->assertOk() ->assertJsonPath('data.status', 1); $this->assertDatabaseHas('audit_logs', [ 'module_code' => 'player_manage', 'action_code' => 'freeze', 'target_type' => 'player', 'target_id' => (string) $player->id, ]); $this->withHeader('Authorization', 'Bearer '.$token) ->postJson('/api/v1/admin/players/'.$player->id.'/unfreeze') ->assertOk() ->assertJsonPath('data.status', 0); expect(AuditLog::query()->where('module_code', 'player_manage')->count())->toBe(2); }); test('player manage permission gates write and freeze APIs separately from view permissions', function (): void { $siteCode = DB::table('admin_sites')->where('is_default', true)->value('code'); $siteCode = is_string($siteCode) && $siteCode !== '' ? $siteCode : 'default_site'; $player = Player::query()->create([ 'site_code' => $siteCode, 'site_player_id' => 'perm-1', 'username' => 'perm_user', 'nickname' => 'Perm', 'default_currency' => 'NPR', 'status' => 0, ]); $financeToken = playerPermissionAdminToken('player_finance_viewer', ['prd.users.view_finance']); playerPermissionRequest($this, $financeToken) ->getJson('/api/v1/admin/players?per_page=10') ->assertOk(); playerPermissionRequest($this, $financeToken) ->getJson('/api/v1/admin/players/'.$player->id.'/wallets') ->assertOk(); playerPermissionRequest($this, $financeToken) ->getJson('/api/v1/admin/players/'.$player->id.'/ticket-items') ->assertForbidden(); playerPermissionRequest($this, $financeToken) ->postJson('/api/v1/admin/players', [ 'site_code' => 'main', 'site_player_id' => 'created-by-finance', 'default_currency' => 'NPR', ]) ->assertForbidden(); playerPermissionRequest($this, $financeToken) ->putJson('/api/v1/admin/players/'.$player->id, ['nickname' => 'blocked']) ->assertForbidden(); playerPermissionRequest($this, $financeToken) ->postJson('/api/v1/admin/players/'.$player->id.'/freeze') ->assertForbidden(); $csToken = playerPermissionAdminToken('player_cs_viewer', ['prd.users.view_cs']); playerPermissionRequest($this, $csToken) ->getJson('/api/v1/admin/players?per_page=10') ->assertOk(); playerPermissionRequest($this, $csToken) ->getJson('/api/v1/admin/players/'.$player->id.'/ticket-items') ->assertOk(); playerPermissionRequest($this, $csToken) ->getJson('/api/v1/admin/players/'.$player->id.'/wallets') ->assertForbidden(); $freezeToken = playerPermissionAdminToken('player_freezer', ['prd.player_freeze.manage']); playerPermissionRequest($this, $freezeToken) ->getJson('/api/v1/admin/players?per_page=10') ->assertForbidden(); $freezeResp = playerPermissionRequest($this, $freezeToken) ->postJson('/api/v1/admin/players/'.$player->id.'/freeze'); $freezeResp->assertOk() ->assertJsonPath('data.status', 1); playerPermissionRequest($this, $freezeToken) ->postJson('/api/v1/admin/players/'.$player->id.'/unfreeze') ->assertOk() ->assertJsonPath('data.status', 0); $manageToken = playerPermissionAdminToken('player_manager', ['prd.users.manage']); playerPermissionRequest($this, $manageToken) ->getJson('/api/v1/admin/players/'.$player->id.'/wallets') ->assertOk(); playerPermissionRequest($this, $manageToken) ->getJson('/api/v1/admin/players/'.$player->id.'/ticket-items') ->assertOk(); }); test('admin can update player default currency and validation rejects unknown code', function (): void { $player = Player::query()->create([ 'site_code' => 'main', 'site_player_id' => 'currency-1', 'username' => 'currency_user', 'nickname' => 'Currency', 'default_currency' => 'NPR', 'status' => 0, ]); $token = playerManageAdminToken(); $this->withHeader('Authorization', 'Bearer '.$token) ->putJson('/api/v1/admin/players/'.$player->id, [ 'default_currency' => 'usd', ]) ->assertOk() ->assertJsonPath('data.default_currency', 'USD'); $this->assertDatabaseHas('players', [ 'id' => $player->id, 'default_currency' => 'USD', ]); $this->withHeader('Authorization', 'Bearer '.$token) ->putJson('/api/v1/admin/players/'.$player->id, [ 'default_currency' => 'ABC', ]) ->assertStatus(422); });