refactor(arch): enforce gateway compliance and remove service-wrapping gateways

This commit is contained in:
2026-03-13 11:31:33 +01:00
parent 082fa4c9a5
commit 892da0048d
96 changed files with 1117 additions and 1060 deletions

View File

@@ -3,9 +3,8 @@
namespace MintyPHP\Tests\Service\Access;
use MintyPHP\Service\Access\DepartmentAuthorizationPolicy;
use MintyPHP\Service\Access\PermissionGateway;
use MintyPHP\Service\Access\PermissionService;
use MintyPHP\Service\Directory\DirectoryScopeGateway;
use MintyPHP\Service\Tenant\TenantScopeService;
use PHPUnit\Framework\TestCase;
class DepartmentAuthorizationPolicyTest extends TestCase
@@ -14,17 +13,17 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testViewRequiresDepartmentsViewPermission(): void
{
$permissionGateway = $this->createMock(PermissionGateway::class);
$permissionGateway->expects($this->once())
$permissionService = $this->createMock(PermissionService::class);
$permissionService->expects($this->once())
->method('userHas')
->with(5, PermissionService::DEPARTMENTS_VIEW)
->willReturn(false);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->never())->method('getUserTenantIds');
$scopeGateway->expects($this->never())->method('isStrict');
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_VIEW, [
'actor_user_id' => 5,
]);
@@ -34,11 +33,11 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testViewReturnsCreateCapabilityAndTenantScopeData(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
$permissionService = $this->permissionGatewayAllowing([
5 => [PermissionService::DEPARTMENTS_VIEW, PermissionService::DEPARTMENTS_CREATE],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->once())
->method('getUserTenantIds')
->with(5)
@@ -47,7 +46,7 @@ class DepartmentAuthorizationPolicyTest extends TestCase
->method('isStrict')
->willReturn(true);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_VIEW, [
'actor_user_id' => 5,
]);
@@ -61,17 +60,17 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testCreateRequiresDepartmentsCreatePermission(): void
{
$permissionGateway = $this->createMock(PermissionGateway::class);
$permissionGateway->expects($this->once())
$permissionService = $this->createMock(PermissionService::class);
$permissionService->expects($this->once())
->method('userHas')
->with(7, PermissionService::DEPARTMENTS_CREATE)
->willReturn(false);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->never())->method('getUserTenantIds');
$scopeGateway->expects($this->never())->method('isStrict');
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_CREATE, [
'actor_user_id' => 7,
]);
@@ -81,11 +80,11 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testCreateDeniedInStrictScopeWithoutTenantAssignments(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
$permissionService = $this->permissionGatewayAllowing([
7 => [PermissionService::DEPARTMENTS_CREATE],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->once())
->method('getUserTenantIds')
->with(7)
@@ -94,7 +93,7 @@ class DepartmentAuthorizationPolicyTest extends TestCase
->method('isStrict')
->willReturn(true);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_CREATE, [
'actor_user_id' => 7,
]);
@@ -104,11 +103,11 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testCreateReturnsScopeCapabilitiesWhenAllowed(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
$permissionService = $this->permissionGatewayAllowing([
7 => [PermissionService::DEPARTMENTS_CREATE],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->once())
->method('getUserTenantIds')
->with(7)
@@ -117,7 +116,7 @@ class DepartmentAuthorizationPolicyTest extends TestCase
->method('isStrict')
->willReturn(true);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_CREATE, [
'actor_user_id' => 7,
]);
@@ -130,11 +129,11 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testEditContextRequiresDepartmentsViewPermission(): void
{
$permissionGateway = $this->createMock(PermissionGateway::class);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$permissionService = $this->createMock(PermissionService::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->never())->method('canAccess');
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_EDIT_CONTEXT, [
'actor_user_id' => 5,
'target_department_id' => 17,
@@ -145,17 +144,17 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testEditContextDeniesOutOfScopeDepartment(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
$permissionService = $this->permissionGatewayAllowing([
5 => [PermissionService::DEPARTMENTS_VIEW],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->once())
->method('canAccess')
->with('departments', 17, 5)
->willReturn(false);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_EDIT_CONTEXT, [
'actor_user_id' => 5,
'target_department_id' => 17,
@@ -166,11 +165,11 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testEditContextExposesDeleteCapabilityWhenDeletePermissionIsGranted(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
$permissionService = $this->permissionGatewayAllowing([
5 => [PermissionService::DEPARTMENTS_VIEW, PermissionService::DEPARTMENTS_DELETE],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->once())
->method('canAccess')
->with('departments', 17, 5)
@@ -180,7 +179,7 @@ class DepartmentAuthorizationPolicyTest extends TestCase
->with(5)
->willReturn([2]);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_EDIT_CONTEXT, [
'actor_user_id' => 5,
'target_department_id' => 17,
@@ -193,11 +192,11 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testEditContextExposesDeleteCapabilityAsFalseWithoutDeletePermission(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
$permissionService = $this->permissionGatewayAllowing([
5 => [PermissionService::DEPARTMENTS_VIEW],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->once())
->method('canAccess')
->with('departments', 17, 5)
@@ -207,7 +206,7 @@ class DepartmentAuthorizationPolicyTest extends TestCase
->with(5)
->willReturn([2]);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_EDIT_CONTEXT, [
'actor_user_id' => 5,
'target_department_id' => 17,
@@ -220,11 +219,11 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testEditSubmitRequiresDepartmentsUpdatePermission(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
$permissionService = $this->permissionGatewayAllowing([
5 => [PermissionService::DEPARTMENTS_VIEW],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->once())
->method('canAccess')
->with('departments', 17, 5)
@@ -234,7 +233,7 @@ class DepartmentAuthorizationPolicyTest extends TestCase
->with(5)
->willReturn([2]);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_EDIT_SUBMIT, [
'actor_user_id' => 5,
'target_department_id' => 17,
@@ -245,17 +244,17 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testDeleteRequiresPermissionAndScope(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
$permissionService = $this->permissionGatewayAllowing([
9 => [PermissionService::DEPARTMENTS_DELETE],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->once())
->method('canAccess')
->with('departments', 44, 9)
->willReturn(true);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_DELETE, [
'actor_user_id' => 9,
'target_department_id' => 44,
@@ -266,17 +265,17 @@ class DepartmentAuthorizationPolicyTest extends TestCase
public function testDeleteDeniesOutOfScopeDepartment(): void
{
$permissionGateway = $this->permissionGatewayAllowing([
$permissionService = $this->permissionGatewayAllowing([
9 => [PermissionService::DEPARTMENTS_DELETE],
]);
$scopeGateway = $this->createMock(DirectoryScopeGateway::class);
$scopeGateway = $this->createMock(TenantScopeService::class);
$scopeGateway->expects($this->once())
->method('canAccess')
->with('departments', 44, 9)
->willReturn(false);
$policy = new DepartmentAuthorizationPolicy($permissionGateway, $scopeGateway);
$policy = new DepartmentAuthorizationPolicy($permissionService, $scopeGateway);
$decision = $policy->authorize(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_DELETE, [
'actor_user_id' => 9,
'target_department_id' => 44,