createMock(PermissionGateway::class); $permissionGateway->expects($this->once()) ->method('userHas') ->with(7, PermissionService::ROLES_VIEW) ->willReturn(false); $policy = new RoleAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_VIEW, [ 'actor_user_id' => 7, ]); $this->assertFalse($decision->isAllowed()); $this->assertSame(403, $decision->status()); $this->assertSame('forbidden', $decision->error()); } public function testAdminViewIncludesCreateCapability(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->method('userHas') ->willReturnCallback(static function (int $userId, string $permission): bool { if ($userId !== 7) { return false; } return in_array($permission, [PermissionService::ROLES_VIEW, PermissionService::ROLES_CREATE], true); }); $policy = new RoleAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_VIEW, [ 'actor_user_id' => 7, ]); $this->assertTrue($decision->isAllowed()); $this->assertTrue((bool) ($decision->attribute('capabilities', [])['can_create_role'] ?? false)); } public function testAdminCreateRequiresRolesCreatePermission(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->expects($this->once()) ->method('userHas') ->with(11, PermissionService::ROLES_CREATE) ->willReturn(false); $policy = new RoleAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_CREATE, [ 'actor_user_id' => 11, ]); $this->assertFalse($decision->isAllowed()); $this->assertSame(403, $decision->status()); } public function testEditContextRequiresTargetRoleId(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->expects($this->never())->method('userHas'); $policy = new RoleAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_EDIT_CONTEXT, [ 'actor_user_id' => 5, 'target_role_id' => 0, ]); $this->assertFalse($decision->isAllowed()); $this->assertSame(403, $decision->status()); } public function testEditContextReturnsCapabilities(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->method('userHas') ->willReturnCallback(static function (int $userId, string $permission): bool { if ($userId !== 5) { return false; } return in_array($permission, [ PermissionService::ROLES_VIEW, PermissionService::ROLES_UPDATE, ], true); }); $policy = new RoleAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_EDIT_CONTEXT, [ 'actor_user_id' => 5, 'target_role_id' => 22, ]); $capabilities = $decision->attribute('capabilities', []); $this->assertTrue($decision->isAllowed()); $this->assertTrue((bool) ($capabilities['can_edit_role'] ?? false)); $this->assertFalse((bool) ($capabilities['can_delete_role'] ?? true)); } public function testEditSubmitRequiresRolesUpdatePermission(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->method('userHas') ->willReturnCallback(static function (int $userId, string $permission): bool { if ($userId !== 5) { return false; } return $permission === PermissionService::ROLES_VIEW; }); $policy = new RoleAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_EDIT_SUBMIT, [ 'actor_user_id' => 5, 'target_role_id' => 22, ]); $this->assertFalse($decision->isAllowed()); $this->assertSame(403, $decision->status()); $this->assertSame('forbidden', $decision->error()); } public function testDeleteRequiresRolesDeletePermission(): void { $permissionGateway = $this->createMock(PermissionGateway::class); $permissionGateway->expects($this->once()) ->method('userHas') ->with(6, PermissionService::ROLES_DELETE) ->willReturn(false); $policy = new RoleAuthorizationPolicy($permissionGateway); $decision = $policy->authorize(RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_DELETE, [ 'actor_user_id' => 6, ]); $this->assertFalse($decision->isAllowed()); $this->assertSame(403, $decision->status()); } }