createMock(PermissionGateway::class); $permissionGateway->expects($this->once()) ->method('userHas') ->with(9, PermissionService::PERMISSIONS_VIEW) ->willReturn(false); $policy = new PermissionAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_VIEW, [ 'actor_user_id' => 9, ]); $this->assertFalse($decision->isAllowed()); $this->assertSame(403, $decision->status()); $this->assertSame('forbidden', $decision->error()); } public function testAdminViewIncludesCreateCapability(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->method('userHas') ->willReturnCallback(static function (int $userId, string $permission): bool { if ($userId !== 9) { return false; } return in_array($permission, [PermissionService::PERMISSIONS_VIEW, PermissionService::PERMISSIONS_CREATE], true); }); $policy = new PermissionAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_VIEW, [ 'actor_user_id' => 9, ]); $this->assertTrue($decision->isAllowed()); $this->assertTrue((bool) ($decision->attribute('capabilities', [])['can_create_permission'] ?? false)); } public function testAdminCreateRequiresPermissionsCreatePermission(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->expects($this->once()) ->method('userHas') ->with(3, PermissionService::PERMISSIONS_CREATE) ->willReturn(false); $policy = new PermissionAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_CREATE, [ 'actor_user_id' => 3, ]); $this->assertFalse($decision->isAllowed()); $this->assertSame(403, $decision->status()); } public function testEditContextReturnsCapabilitiesAndSystemDeleteRestriction(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->method('userHas') ->willReturnCallback(static function (int $userId, string $permission): bool { if ($userId !== 5) { return false; } return in_array($permission, [ PermissionService::PERMISSIONS_VIEW, PermissionService::PERMISSIONS_UPDATE, PermissionService::PERMISSIONS_DELETE, ], true); }); $policy = new PermissionAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_EDIT_CONTEXT, [ 'actor_user_id' => 5, 'target_permission_id' => 21, 'target_is_system' => true, ]); $capabilities = $decision->attribute('capabilities', []); $this->assertTrue($decision->isAllowed()); $this->assertTrue((bool) ($capabilities['can_update_permission'] ?? false)); $this->assertFalse((bool) ($capabilities['can_delete_permission'] ?? true)); } public function testEditSubmitRequiresPermissionsUpdatePermission(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->method('userHas') ->willReturnCallback(static function (int $userId, string $permission): bool { if ($userId !== 5) { return false; } return $permission === PermissionService::PERMISSIONS_VIEW; }); $policy = new PermissionAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_EDIT_SUBMIT, [ 'actor_user_id' => 5, 'target_permission_id' => 21, 'target_is_system' => false, ]); $this->assertFalse($decision->isAllowed()); $this->assertSame(403, $decision->status()); $this->assertSame('forbidden', $decision->error()); } public function testDeleteRequiresPermissionsDeletePermission(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->expects($this->once()) ->method('userHas') ->with(12, PermissionService::PERMISSIONS_DELETE) ->willReturn(false); $policy = new PermissionAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_DELETE, [ 'actor_user_id' => 12, ]); $this->assertFalse($decision->isAllowed()); $this->assertSame(403, $decision->status()); } }