lotteryLaravel/tests/Feature/PlatformSystemRolesTest.php

<?php

use App\Models\AdminRole;
use App\Models\AdminUser;
use App\Support\PlatformSystemRoles;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Hash;

uses(RefreshDatabase::class);

beforeEach(function (): void {
    $this->artisan('lottery:admin-auth-sync')->assertExitCode(0);
});

function platformRolesApiToken(string $username): string
{
    $admin = AdminUser::query()->create([
        'username' => $username,
        'name' => 'Tester',
        'email' => null,
        'password' => Hash::make('secret-strong'),
        'status' => 0,
    ]);
    grantSuperAdminRole($admin);

    return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
}

test('platform role index only lists fixed super_admin and agent roles', function (): void {
    AdminRole::query()->create([
        'slug' => 'legacy_custom_ops',
        'code' => 'legacy_custom_ops',
        'name' => 'Legacy Ops',
        'scope_type' => AdminRole::SCOPE_SYSTEM,
        'status' => 1,
        'is_system' => false,
        'sort_order' => 99,
    ]);

    PlatformSystemRoles::ensureAll();

    $token = platformRolesApiToken('platform_role_index');

    $slugs = collect($this->withHeader('Authorization', 'Bearer '.$token)
        ->getJson('/api/v1/admin/admin-roles')
        ->assertOk()
        ->json('data.items'))
        ->pluck('slug')
        ->all();

    expect($slugs)->toBe(['super_admin', 'agent']);
});

test('platform roles cannot be created and super_admin permissions are full catalog', function (): void {
    PlatformSystemRoles::ensureAll();

    $token = platformRolesApiToken('platform_role_guard');
    $menuActionCount = (int) DB::table('admin_menu_actions')->where('status', 1)->count();

    $super = AdminRole::query()->where('slug', 'super_admin')->firstOrFail();
    expect($super->is_system)->toBeTrue();
    expect((int) DB::table('admin_role_menu_actions')->where('role_id', $super->id)->count())
        ->toBe($menuActionCount);
    expect($super->legacyPermissionSlugs())->not->toBeEmpty();

    $this->withHeader('Authorization', 'Bearer '.$token)
        ->postJson('/api/v1/admin/admin-roles', [
            'slug' => 'new_ops',
            'name' => 'New Ops',
        ])
        ->assertStatus(422);

    $this->withHeader('Authorization', 'Bearer '.$token)
        ->putJson('/api/v1/admin/admin-roles/'.$super->id.'/permissions', [
            'permission_slugs' => ['prd.dashboard.view'],
        ])
        ->assertStatus(422);

    $this->withHeader('Authorization', 'Bearer '.$token)
        ->putJson('/api/v1/admin/admin-roles/'.$super->id, [
            'name' => 'Renamed Super',
        ])
        ->assertStatus(422);

    $this->withHeader('Authorization', 'Bearer '.$token)
        ->deleteJson('/api/v1/admin/admin-roles/'.$super->id)
        ->assertStatus(422);
});

test('admin-auth-sync grants super_admin the full permission catalog', function (): void {
    $this->artisan('lottery:admin-auth-sync')->assertExitCode(0);

    $super = AdminRole::query()->where('slug', 'super_admin')->firstOrFail();

    $menuActionCount = (int) DB::table('admin_menu_actions')->where('status', 1)->count();

    expect((int) DB::table('admin_role_menu_actions')->where('role_id', $super->id)->count())
        ->toBe($menuActionCount);
});