seed(CurrencySeeder::class); }); function playerManageAdminToken(): string { $admin = AdminUser::query()->create([ 'username' => 'player_manage_admin', 'name' => 'Player Manage Admin', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); grantSuperAdminRole($admin); return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken; } function playerPermissionAdminToken(string $username, array $permissionSlugs): string { $admin = AdminUser::query()->create([ 'username' => $username, 'name' => 'Player Permission Admin', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); $role = AdminRole::query()->create([ 'slug' => 'role_'.$username, 'name' => 'Role '.$username, ]); $role->syncLegacyPermissionSlugs($permissionSlugs); $admin->roles()->sync([ (int) $role->id => [ 'site_id' => AdminUser::defaultAdminSiteId(), 'granted_at' => now(), ], ]); return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken; } function playerPermissionRequest($test, string $token) { app('auth')->forgetGuards(); return $test->withHeader('Authorization', 'Bearer '.$token); } test('super admin can create player under site root agent', function (): void { $siteCode = DB::table('admin_sites')->where('is_default', true)->value('code'); $siteCode = is_string($siteCode) && $siteCode !== '' ? $siteCode : 'default_site'; $token = playerManageAdminToken(); $sitePlayerId = 'manual-create-'.uniqid('', true); $this->withHeader('Authorization', 'Bearer '.$token) ->postJson('/api/v1/admin/players', [ 'site_code' => $siteCode, 'site_player_id' => $sitePlayerId, 'default_currency' => 'NPR', 'status' => 0, ]) ->assertCreated() ->assertJsonPath('data.site_code', $siteCode) ->assertJsonPath('data.site_player_id', $sitePlayerId); $this->assertDatabaseHas('players', [ 'site_code' => $siteCode, 'site_player_id' => $sitePlayerId, ]); }); test('platform user without agent binding cannot create player', function (): void { $siteCode = DB::table('admin_sites')->where('is_default', true)->value('code'); $siteCode = is_string($siteCode) && $siteCode !== '' ? $siteCode : 'default_site'; $token = playerPermissionAdminToken('player_manager_no_agent', ['prd.users.manage']); $this->withHeader('Authorization', 'Bearer '.$token) ->postJson('/api/v1/admin/players', [ 'site_code' => $siteCode, 'site_player_id' => 'blocked-create', 'default_currency' => 'NPR', ]) ->assertStatus(422) ->assertJsonPath('msg', fn (string $msg): bool => str_contains($msg, '代理') || str_contains($msg, 'agent')); }); test('admin can freeze and unfreeze player with audit log', function (): void { $siteCode = DB::table('admin_sites')->where('is_default', true)->value('code'); $siteCode = is_string($siteCode) && $siteCode !== '' ? $siteCode : 'default_site'; $player = Player::query()->create([ 'site_code' => $siteCode, 'site_player_id' => 'freeze-1', 'username' => 'freeze_user', 'nickname' => 'Freeze', 'default_currency' => 'NPR', 'status' => 0, ]); PlayerWallet::query()->create([ 'player_id' => $player->id, 'wallet_type' => 'lottery', 'currency_code' => 'NPR', 'balance' => 1_000, 'frozen_balance' => 0, 'status' => 0, 'version' => 0, ]); $token = playerManageAdminToken(); $this->withHeader('Authorization', 'Bearer '.$token) ->postJson('/api/v1/admin/players/'.$player->id.'/freeze') ->assertOk() ->assertJsonPath('data.status', 1); $this->assertDatabaseHas('audit_logs', [ 'module_code' => 'player_manage', 'action_code' => 'freeze', 'target_type' => 'player', 'target_id' => (string) $player->id, ]); $this->withHeader('Authorization', 'Bearer '.$token) ->postJson('/api/v1/admin/players/'.$player->id.'/unfreeze') ->assertOk() ->assertJsonPath('data.status', 0); expect(AuditLog::query()->where('module_code', 'player_manage')->count())->toBe(2); }); test('player manage permission gates write and freeze APIs separately from view permissions', function (): void { $siteCode = DB::table('admin_sites')->where('is_default', true)->value('code'); $siteCode = is_string($siteCode) && $siteCode !== '' ? $siteCode : 'default_site'; $player = Player::query()->create([ 'site_code' => $siteCode, 'site_player_id' => 'perm-1', 'username' => 'perm_user', 'nickname' => 'Perm', 'default_currency' => 'NPR', 'status' => 0, ]); $financeToken = playerPermissionAdminToken('player_finance_viewer', ['prd.users.view_finance']); playerPermissionRequest($this, $financeToken) ->getJson('/api/v1/admin/players?per_page=10') ->assertOk(); playerPermissionRequest($this, $financeToken) ->getJson('/api/v1/admin/players/'.$player->id.'/wallets') ->assertOk(); playerPermissionRequest($this, $financeToken) ->getJson('/api/v1/admin/players/'.$player->id.'/ticket-items') ->assertForbidden(); playerPermissionRequest($this, $financeToken) ->postJson('/api/v1/admin/players', [ 'site_code' => 'main', 'site_player_id' => 'created-by-finance', 'default_currency' => 'NPR', ]) ->assertForbidden(); playerPermissionRequest($this, $financeToken) ->putJson('/api/v1/admin/players/'.$player->id, ['nickname' => 'blocked']) ->assertForbidden(); playerPermissionRequest($this, $financeToken) ->postJson('/api/v1/admin/players/'.$player->id.'/freeze') ->assertForbidden(); $csToken = playerPermissionAdminToken('player_cs_viewer', ['prd.users.view_cs']); playerPermissionRequest($this, $csToken) ->getJson('/api/v1/admin/players?per_page=10') ->assertOk(); playerPermissionRequest($this, $csToken) ->getJson('/api/v1/admin/players/'.$player->id.'/ticket-items') ->assertOk(); playerPermissionRequest($this, $csToken) ->getJson('/api/v1/admin/players/'.$player->id.'/wallets') ->assertForbidden(); $freezeToken = playerPermissionAdminToken('player_freezer', ['prd.player_freeze.manage']); playerPermissionRequest($this, $freezeToken) ->getJson('/api/v1/admin/players?per_page=10') ->assertForbidden(); $freezeResp = playerPermissionRequest($this, $freezeToken) ->postJson('/api/v1/admin/players/'.$player->id.'/freeze'); $freezeResp->assertOk() ->assertJsonPath('data.status', 1); playerPermissionRequest($this, $freezeToken) ->postJson('/api/v1/admin/players/'.$player->id.'/unfreeze') ->assertOk() ->assertJsonPath('data.status', 0); $manageToken = playerPermissionAdminToken('player_manager', ['prd.users.manage']); playerPermissionRequest($this, $manageToken) ->getJson('/api/v1/admin/players/'.$player->id.'/wallets') ->assertOk(); playerPermissionRequest($this, $manageToken) ->getJson('/api/v1/admin/players/'.$player->id.'/ticket-items') ->assertOk(); }); test('admin can update player default currency and validation rejects unknown code', function (): void { $player = Player::query()->create([ 'site_code' => 'main', 'site_player_id' => 'currency-1', 'username' => 'currency_user', 'nickname' => 'Currency', 'default_currency' => 'NPR', 'status' => 0, ]); $token = playerManageAdminToken(); $this->withHeader('Authorization', 'Bearer '.$token) ->putJson('/api/v1/admin/players/'.$player->id, [ 'default_currency' => 'usd', ]) ->assertOk() ->assertJsonPath('data.default_currency', 'USD'); $this->assertDatabaseHas('players', [ 'id' => $player->id, 'default_currency' => 'USD', ]); $this->withHeader('Authorization', 'Bearer '.$token) ->putJson('/api/v1/admin/players/'.$player->id, [ 'default_currency' => 'ABC', ]) ->assertStatus(422); }); test('admin can set player credit limit without clobbering used credit', function (): void { $siteCode = DB::table('admin_sites')->where('is_default', true)->value('code'); $siteCode = is_string($siteCode) && $siteCode !== '' ? $siteCode : 'default_site'; $rootId = (int) DB::table('agent_nodes')->where('depth', 0)->value('id'); AgentProfile::query()->updateOrCreate( ['agent_node_id' => $rootId], [ 'total_share_rate' => 60, 'credit_limit' => 50_000, 'allocated_credit' => 0, 'used_credit' => 0, 'rebate_limit' => 0.01, 'default_player_rebate' => 0.005, 'settlement_cycle' => 'weekly', ], ); $player = Player::query()->create([ 'site_code' => $siteCode, 'agent_node_id' => $rootId, 'site_player_id' => 'credit-limit-1', 'auth_source' => PlayerAuthSource::LOTTERY_NATIVE, 'funding_mode' => PlayerFundingMode::CREDIT, 'username' => 'credit_limit_user', 'default_currency' => 'NPR', 'status' => 0, ]); DB::table('player_credit_accounts')->insert([ 'player_id' => $player->id, 'credit_limit' => 500, 'used_credit' => 120, 'frozen_credit' => 0, 'created_at' => now(), 'updated_at' => now(), ]); $token = playerManageAdminToken(); $this->withHeader('Authorization', 'Bearer '.$token) ->putJson('/api/v1/admin/players/'.$player->id, [ 'credit_limit' => 2000, ]) ->assertOk() ->assertJsonPath('data.credit_limit', 2000) ->assertJsonPath('data.available_credit', 1880); $this->assertDatabaseHas('player_credit_accounts', [ 'player_id' => $player->id, 'credit_limit' => 2000, 'used_credit' => 120, ]); });