create([ 'username' => $username, 'name' => 'Tester', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); $role = AdminRole::query()->create([ 'slug' => 'role_'.$username, 'name' => 'Role '.$username, ]); $role->syncLegacyPermissionSlugs($permissionSlugs); $siteId = $boundSiteId ?? AdminUser::defaultAdminSiteId(); DB::table('admin_user_site_roles')->insert([ 'admin_user_id' => $admin->id, 'site_id' => $siteId, 'role_id' => $role->id, 'granted_at' => now(), ]); return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken; } test('platform user created with admin_site_id only sees that site players', function (): void { $this->seed(CurrencySeeder::class); AdminSite::query()->firstOrCreate(['code' => 'site-a'], ['name' => 'A', 'currency_code' => 'NPR', 'status' => 1]); AdminSite::query()->firstOrCreate(['code' => 'site-b'], ['name' => 'B', 'currency_code' => 'NPR', 'status' => 1]); $siteBId = (int) AdminSite::query()->where('code', 'site-b')->value('id'); Player::query()->create([ 'site_code' => 'site-a', 'site_player_id' => 'pa-bind-1', 'username' => 'pa_bind_1', 'nickname' => 'PA', 'default_currency' => 'NPR', 'status' => 0, ]); Player::query()->create([ 'site_code' => 'site-b', 'site_player_id' => 'pb-bind-1', 'username' => 'pb_bind_1', 'nickname' => 'PB', 'default_currency' => 'NPR', 'status' => 0, ]); $opsRole = AdminRole::query()->create([ 'slug' => 'site_b_ops', 'name' => 'Site B Ops', 'scope_type' => AdminRole::SCOPE_SYSTEM, ]); $opsRole->syncLegacyPermissionSlugs(['prd.users.view_finance', 'prd.admin_user.manage']); $creator = AdminUser::query()->create([ 'username' => 'super_creator', 'name' => 'Creator', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); grantSuperAdminRole($creator); $token = $creator->createToken('test', ['*'], now()->addDay())->plainTextToken; $this->withHeader('Authorization', 'Bearer '.$token) ->postJson('/api/v1/admin/admin-users', [ 'username' => 'site_b_ops_user', 'nickname' => 'Site B Ops User', 'email' => null, 'password' => 'secret-long', 'admin_site_id' => $siteBId, 'role_slugs' => ['site_b_ops'], ]) ->assertOk() ->assertJsonPath('data.site_bindings.0.site_id', $siteBId) ->assertJsonPath('data.site_bindings.0.site_code', 'site-b'); $created = AdminUser::query()->where('username', 'site_b_ops_user')->firstOrFail(); expect($created->isSuperAdmin())->toBeFalse(); expect($created->accessibleAdminSiteIds())->toEqual([$siteBId]); expect(AdminSiteScope::accessibleSiteCodes($created))->toBe(['site-b']); $scopedQuery = Player::query(); AdminSiteScope::applyToPlayerQuery($scopedQuery, $created); expect($scopedQuery->pluck('site_code')->unique()->values()->all())->toBe(['site-b']); $createdToken = $created->createToken('test', ['*'], now()->addDay())->plainTextToken; expect($creator->id)->not->toBe($created->id); $boundRoleSlugs = DB::table('admin_user_site_roles as usr') ->join('admin_roles as r', 'r.id', '=', 'usr.role_id') ->where('usr.admin_user_id', $created->id) ->orderBy('r.slug') ->pluck('r.slug') ->all(); expect($boundRoleSlugs)->toBe(['site_b_ops']); expect($created->fresh()->isSuperAdmin())->toBeFalse(); app('auth')->forgetGuards(); $this->withHeader('Authorization', 'Bearer '.$createdToken) ->getJson('/api/v1/admin/auth/me') ->assertOk() ->assertJsonPath('data.admin.id', $created->id) ->assertJsonPath('data.admin.username', 'site_b_ops_user') ->assertJsonCount(1, 'data.admin.accessible_sites'); $codes = collect( $this->withHeader('Authorization', 'Bearer '.$createdToken) ->getJson('/api/v1/admin/players') ->assertOk() ->json('data.items'), )->pluck('site_code')->unique()->values()->all(); expect($codes)->toBe(['site-b']); $this->withHeader('Authorization', 'Bearer '.$createdToken) ->getJson('/api/v1/admin/auth/me') ->assertOk() ->assertJsonPath('data.admin.accessible_sites.0.code', 'site-b') ->assertJsonPath('data.admin.agent', null); }); test('scoped operator cannot assign roles on site outside their binding', function (): void { AdminSite::query()->firstOrCreate(['code' => 'site-a'], ['name' => 'A', 'currency_code' => 'NPR', 'status' => 1]); AdminSite::query()->firstOrCreate(['code' => 'site-b'], ['name' => 'B', 'currency_code' => 'NPR', 'status' => 1]); $siteAId = (int) AdminSite::query()->where('code', 'site-a')->value('id'); $siteBId = (int) AdminSite::query()->where('code', 'site-b')->value('id'); $target = AdminUser::query()->create([ 'username' => 'bind_target', 'name' => 'Target', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); AdminRole::query()->create([ 'slug' => 'scoped_assign_role', 'name' => 'Scoped Assign', 'scope_type' => AdminRole::SCOPE_SYSTEM, ]); $token = siteRoleBindingAdmin('site_a_only_mgr', ['prd.admin_user.manage'], $siteAId); $this->withHeader('Authorization', 'Bearer '.$token) ->putJson('/api/v1/admin/admin-users/'.$target->id.'/roles', [ 'admin_site_id' => $siteBId, 'role_slugs' => ['scoped_assign_role'], ]) ->assertStatus(422) ->assertJsonPath('code', ErrorCode::ValidationFailed->value); }); test('role sync replaces roles only for requested site', function (): void { AdminSite::query()->firstOrCreate(['code' => 'site-a'], ['name' => 'A', 'currency_code' => 'NPR', 'status' => 1]); AdminSite::query()->firstOrCreate(['code' => 'site-b'], ['name' => 'B', 'currency_code' => 'NPR', 'status' => 1]); $siteAId = (int) AdminSite::query()->where('code', 'site-a')->value('id'); $siteBId = (int) AdminSite::query()->where('code', 'site-b')->value('id'); $rA = AdminRole::query()->create([ 'slug' => 'multi_a', 'name' => 'A', 'scope_type' => AdminRole::SCOPE_SYSTEM, ]); $rB = AdminRole::query()->create([ 'slug' => 'multi_b', 'name' => 'B', 'scope_type' => AdminRole::SCOPE_SYSTEM, ]); $target = AdminUser::query()->create([ 'username' => 'multi_site_user', 'name' => 'Multi', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); DB::table('admin_user_site_roles')->insert([ ['admin_user_id' => $target->id, 'site_id' => $siteAId, 'role_id' => $rA->id, 'granted_at' => now()], ['admin_user_id' => $target->id, 'site_id' => $siteBId, 'role_id' => $rB->id, 'granted_at' => now()], ]); $actor = AdminUser::query()->create([ 'username' => 'multi_sync_actor', 'name' => 'Actor', 'email' => null, 'password' => Hash::make('secret-strong'), 'status' => 0, ]); grantSuperAdminRole($actor); $token = $actor->createToken('test', ['*'], now()->addDay())->plainTextToken; $rC = AdminRole::query()->create([ 'slug' => 'multi_c', 'name' => 'C', 'scope_type' => AdminRole::SCOPE_SYSTEM, ]); $this->withHeader('Authorization', 'Bearer '.$token) ->putJson('/api/v1/admin/admin-users/'.$target->id.'/roles', [ 'admin_site_id' => $siteAId, 'role_slugs' => ['multi_c'], ]) ->assertOk(); $siteARoles = DB::table('admin_user_site_roles') ->where('admin_user_id', $target->id) ->where('site_id', $siteAId) ->pluck('role_id') ->map(static fn ($id): int => (int) $id) ->all(); $siteBRoles = DB::table('admin_user_site_roles') ->where('admin_user_id', $target->id) ->where('site_id', $siteBId) ->pluck('role_id') ->map(static fn ($id): int => (int) $id) ->all(); expect($siteARoles)->toBe([(int) $rC->id]); expect($siteBRoles)->toBe([(int) $rB->id]); });