From e056da6b2ae7443ad9a1483cebb4d8e0858b6bdf Mon Sep 17 00:00:00 2001
From: spencerrlongg
Date: Tue, 26 Nov 2024 14:47:16 -0600
Subject: [PATCH] Add permissions checks to asset tests

Implement tests to ensure users without appropriate permissions are denied access to asset endpoints. Update tests to verify proper soft deletions and asset existence checks in delete scenarios.
---
 tests/Feature/Assets/Ui/DeleteAssetTest.php | 4 ++++
 tests/Feature/Assets/Ui/EditAssetTest.php | 13 +++++++++++++
 tests/Feature/Assets/Ui/StoreAssetTest.php | 15 +++++++++++++++
 3 files changed, 32 insertions(+)

diff --git a/tests/Feature/Assets/Ui/DeleteAssetTest.php b/tests/Feature/Assets/Ui/DeleteAssetTest.php
index 915247109e..948f0d6833 100644
--- a/tests/Feature/Assets/Ui/DeleteAssetTest.php
+++ b/tests/Feature/Assets/Ui/DeleteAssetTest.php
@@ -16,6 +16,8 @@ class DeleteAssetTest extends TestCase
 $this->actingAs($user)
 ->delete(route('hardware.destroy', $asset))
 ->assertRedirect(route('hardware.index'));
+
+ $this->assertSoftDeleted($asset);
 }

 public function test_asset_cannot_be_deleted_without_permissions()
@@ -26,6 +28,8 @@ class DeleteAssetTest extends TestCase
 $this->actingAs($user)
 ->delete(route('hardware.destroy', $asset))
 ->assertForbidden();
+
+ $this->assertModelExists($asset);
 }

 }
\ No newline at end of file
diff --git a/tests/Feature/Assets/Ui/EditAssetTest.php b/tests/Feature/Assets/Ui/EditAssetTest.php
index ebe7bf9a97..d085036f2b 100644
--- a/tests/Feature/Assets/Ui/EditAssetTest.php
+++ b/tests/Feature/Assets/Ui/EditAssetTest.php
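Review bot: In test_asset_cannot_be_deleted_without_permissions (second hunk of DeleteAssetTest.php), `$this->assertModelExists($asset)` only checks that a row with the asset's key is still in the table, and a soft-deleted row satisfies that too. The first hunk asserts `assertSoftDeleted($asset)` for the permitted case, so assets appear to be soft-deleted, which means this assertion would keep passing even if the forbidden request had deleted the asset. `$this->assertNotSoftDeleted($asset);` would pin the authorization outcome. The method's opening lines are outside the hunk.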
@@ -68,6 +68,19 @@ class EditAssetTest extends TestCase
 $this->assertDatabaseHas('assets', ['asset_tag' => 'New Asset Tag']);
 }
+ public function test_user_without_permission_is_denied()
+ {
+ $user = User::factory()->create();
+ $asset = Asset::factory()->create();
+
+ $this->actingAs($user)->put(route('hardware.update', $asset), [
+ 'name' => 'New name',
+ 'asset_tags' => 'New Asset Tag',
+ 'status_id' => StatusLabel::factory()->create()->id,
+ 'model_id' => AssetModel::factory()->create()->id,
+ ])->assertForbidden();
+ }
+
 public function testNewCheckinIsLoggedIfStatusChangedToUndeployable()
 {
 Event::fake([CheckoutableCheckedIn::class]);
diff --git a/tests/Feature/Assets/Ui/StoreAssetTest.php b/tests/Feature/Assets/Ui/StoreAssetTest.php
index 51dfd3806a..560dec4125 100644
--- a/tests/Feature/Assets/Ui/StoreAssetTest.php
+++ b/tests/Feature/Assets/Ui/StoreAssetTest.php
@@ -131,4 +131,19 @@ class StoreAssetTest extends TestCase
 $this->assertDatabaseHas('assets', array_merge($commonData, ['asset_tag' => 'TEST-ASSET-2', 'serial' => 'TEST-SERIAL-2', 'image' => $storedAsset2->image]));
 }
+ public function test_user_without_permission_denied()
+ {
+ $user = User::factory()->create();
+ $model = AssetModel::factory()->create();
+ $status = Statuslabel::factory()->readyToDeploy()->create();
+
+ $this->actingAs($user)->post(route('hardware.store'), [
+ 'redirect_option' => 'index',
+ 'name' => 'Test Assets',
+ 'model_id' => $model->id,
+ 'status_id' => $status->id,
+ 'asset_tags' => ['', 'TEST-ASSET-1'],
+ 'serials' => ['', 'TEST-SERIAL-1'],
+ ])->assertForbidden();
+ }
 }
\ No newline at end of file
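Review bot: test_user_without_permission_is_denied in EditAssetTest.php stops at `->assertForbidden()` and never checks that the asset was left untouched, so a handler that writes before the 403 is returned would still pass. Adding `$this->assertDatabaseMissing('assets', ['asset_tag' => 'New Asset Tag']);` after the request mirrors the `assertDatabaseHas` visible at the top of the hunk. The same gap is in test_user_without_permission_denied in StoreAssetTest.php, where `$this->assertDatabaseMissing('assets', ['asset_tag' => 'TEST-ASSET-1']);` would confirm that nothing was created.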
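Review bot: In StoreAssetTest.php, test_user_without_permission_denied builds its actor with a bare `User::factory()->create()`, which presumably carries no grants at all, so it only proves that a user with nothing is rejected. The regression an authorization test most needs to catch is a user who holds a neighbouring asset permission (for example view but not create) being let through, and a second case with such a user would cover that boundary. test_user_without_permission_is_denied in EditAssetTest.php has the same shape. The two new method names also differ (`..._is_denied` and `..._denied`), and settling on one form would keep the suite easier to search.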