156 lines
5.2 KiB
PHP
156 lines
5.2 KiB
PHP
<?php
|
|
|
|
use App\Lottery\ErrorCode;
|
|
use App\Models\AdminRole;
|
|
use App\Models\AdminUser;
|
|
use App\Support\AdminPermissionBridge;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\DB;
|
|
use Illuminate\Support\Facades\Hash;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
function makeAdminWithPermissions(string $username, array $permissionSlugs): string
|
|
{
|
|
$admin = AdminUser::query()->create([
|
|
'username' => $username,
|
|
'name' => 'Tester',
|
|
'email' => null,
|
|
'password' => Hash::make('secret-strong'),
|
|
'status' => 0,
|
|
]);
|
|
|
|
$role = AdminRole::query()->create([
|
|
'slug' => 'role_'.$username,
|
|
'name' => 'Role '.$username,
|
|
]);
|
|
|
|
$codes = [];
|
|
foreach ($permissionSlugs as $slug) {
|
|
$codes = array_merge($codes, AdminPermissionBridge::menuActionCodesForLegacy($slug));
|
|
}
|
|
$codes = array_values(array_unique($codes));
|
|
$ids = DB::table('admin_menu_actions')
|
|
->whereIn('permission_code', $codes)
|
|
->where('status', 1)
|
|
->pluck('id')
|
|
->all();
|
|
|
|
foreach ($ids as $mid) {
|
|
DB::table('admin_role_menu_actions')->insert([
|
|
'role_id' => $role->id,
|
|
'menu_action_id' => (int) $mid,
|
|
]);
|
|
}
|
|
|
|
$siteId = AdminUser::defaultAdminSiteId();
|
|
$admin->roles()->sync([
|
|
(int) $role->id => [
|
|
'site_id' => $siteId,
|
|
'granted_at' => now(),
|
|
],
|
|
]);
|
|
|
|
return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
|
|
}
|
|
|
|
test('admin user permission apis require rbac permission', function (): void {
|
|
$token = makeAdminWithPermissions('rbac_viewer', ['prd.report.player']);
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$token)
|
|
->getJson('/api/v1/admin/admin-users')
|
|
->assertForbidden()
|
|
->assertJsonPath('code', ErrorCode::AdminForbidden->value);
|
|
});
|
|
|
|
test('admin can list users and sync direct permissions', function (): void {
|
|
$token = makeAdminWithPermissions('rbac_manager', ['prd.admin_user.manage']);
|
|
|
|
$target = AdminUser::query()->create([
|
|
'username' => 'target_user',
|
|
'name' => 'Target User',
|
|
'email' => 'target@example.com',
|
|
'password' => Hash::make('secret-strong'),
|
|
'status' => 0,
|
|
]);
|
|
$targetRole = AdminRole::query()->create(['slug' => 'target_role', 'name' => 'Target Role']);
|
|
|
|
$drawCodes = AdminPermissionBridge::menuActionCodesForLegacy('prd.draw_result.view');
|
|
$drawIds = DB::table('admin_menu_actions')
|
|
->whereIn('permission_code', $drawCodes)
|
|
->where('status', 1)
|
|
->pluck('id')
|
|
->all();
|
|
foreach ($drawIds as $mid) {
|
|
DB::table('admin_role_menu_actions')->insert([
|
|
'role_id' => $targetRole->id,
|
|
'menu_action_id' => (int) $mid,
|
|
]);
|
|
}
|
|
|
|
$siteId = AdminUser::defaultAdminSiteId();
|
|
$target->roles()->sync([
|
|
(int) $targetRole->id => [
|
|
'site_id' => $siteId,
|
|
'granted_at' => now(),
|
|
],
|
|
]);
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$token)
|
|
->getJson('/api/v1/admin/admin-user-permission-catalog')
|
|
->assertOk()
|
|
->assertJsonPath('code', ErrorCode::Success->value)
|
|
->assertJsonFragment(['slug' => 'prd.admin_user.manage']);
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$token)
|
|
->getJson('/api/v1/admin/admin-users?keyword=target')
|
|
->assertOk()
|
|
->assertJsonPath('code', ErrorCode::Success->value)
|
|
->assertJsonPath('data.items.0.username', 'target_user')
|
|
->assertJsonPath('data.items.0.roles.0', 'target_role');
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$token)
|
|
->putJson('/api/v1/admin/admin-users/'.$target->id.'/permissions', [
|
|
'permission_slugs' => ['prd.report.player'],
|
|
])
|
|
->assertOk()
|
|
->assertJsonPath('code', ErrorCode::Success->value)
|
|
->assertJsonFragment(['prd.report.player']);
|
|
|
|
expect($target->fresh()->directLegacyPermissionSlugs())->toContain('prd.report.player');
|
|
|
|
$list = $this->withHeader('Authorization', 'Bearer '.$token)
|
|
->getJson('/api/v1/admin/admin-users?keyword=target')
|
|
->assertOk()
|
|
->json('data.items.0.effective_permissions');
|
|
|
|
expect($list)->toContain('prd.draw_result.view');
|
|
expect($list)->toContain('prd.report.player');
|
|
});
|
|
|
|
test('admin can sync user roles for default site', function (): void {
|
|
$token = makeAdminWithPermissions('rbac_role_editor', ['prd.admin_user.manage']);
|
|
|
|
$r1 = AdminRole::query()->create(['slug' => 'role_sync_a', 'name' => 'Role A']);
|
|
$r2 = AdminRole::query()->create(['slug' => 'role_sync_b', 'name' => 'Role B']);
|
|
|
|
$target = AdminUser::query()->create([
|
|
'username' => 'role_target',
|
|
'name' => 'Role Target',
|
|
'email' => null,
|
|
'password' => Hash::make('secret-strong'),
|
|
'status' => 0,
|
|
]);
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$token)
|
|
->putJson('/api/v1/admin/admin-users/'.$target->id.'/roles', [
|
|
'role_slugs' => ['role_sync_b', 'role_sync_a'],
|
|
])
|
|
->assertOk()
|
|
->assertJsonPath('code', ErrorCode::Success->value);
|
|
|
|
$slugs = $target->fresh()->adminRoleSlugs();
|
|
sort($slugs);
|
|
expect($slugs)->toBe(['role_sync_a', 'role_sync_b']);
|
|
});
|