Added company scoping test

Signed-off-by: snipe <snipe@snipe.net>
snipe 2024-06-01 03:10:29 +01:00
parent 03b0268dc2
commit 52af8afac2


@ -2,6 +2,8 @@
namespace Tests\Feature\Api\Users; namespace Tests\Feature\Api\Users;
use App\Models\Asset;
use App\Models\Company;
use App\Models\Location; use App\Models\Location;
use App\Models\User; use App\Models\User;
use App\Models\LicenseSeat; use App\Models\LicenseSeat;
@ -64,6 +66,36 @@ class DeleteUsersTest extends TestCase
->json(); ->json();
} }
public function testDisallowUserDeletionIfNotInSameCompanyIfNotSuperadmin()
{
$this->settings->enableMultipleFullCompanySupport();
[$companyA, $companyB] = Company::factory()->count(2)->create();
$superUser = $companyA->users()->save(User::factory()->superuser()->make());
$userInCompanyA = $companyA->users()->save(User::factory()->deleteUsers()->make());
$userInCompanyB = $companyB->users()->save(User::factory()->deleteUsers()->make());
$this->actingAsForApi($userInCompanyA)
->deleteJson(route('api.users.destroy', $userInCompanyB))
->assertStatus(403)
->json();
$this->actingAsForApi($userInCompanyB)
->deleteJson(route('api.users.destroy', $userInCompanyA))
->assertStatus(403)
->json();
$this->actingAsForApi($superUser)
->deleteJson(route('api.users.destroy', $userInCompanyA))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('success')
->json();
}
} }
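Review bot: The two cross-company requests in `testDisallowUserDeletionIfNotInSameCompanyIfNotSuperadmin` assert only the 403 status, so a handler that removed the target and then answered 403 would still pass. After each denied call, add a state check such as `$this->assertNotSoftDeleted($userInCompanyB);` (and likewise for `$userInCompanyA`), assuming the User model is soft-deleted; otherwise assert the row still exists. The superuser case deletes `$userInCompanyA`, who is in the superuser's own company, so it does not show that a superuser crosses the company boundary; targeting `$userInCompanyB` there would cover that. `->assertStatus(200)` directly after `->assertOk()` is redundant, and the trailing `->json()` return values are discarded.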