'manage access rights', 'guard_name' => 'web']);
    // The 'view access rights' row is only ensured to exist here; the one grant made below is $perm.
    Permission::firstOrCreate(['name' => 'view access rights', 'guard_name' => 'web']);
    $user->givePermissionTo($perm);
}

// NOTE(review): the two negative tests below cover only GET /permissions. Every
// mutating route in this file (store, update, toggle-status, destroy) is exercised
// solely as a user who was granted access rights; unless covered elsewhere, guest
// and unprivileged variants for those routes would pin their authorization as well.

// An unauthenticated visitor must be sent to the login page, not shown the listing.
test('guest cannot access permissions index', function () {
    $reply = $this->get('/permissions');
    $reply->assertRedirect('/login');
});

// An authenticated user who was not passed through the grant helper must get 403.
test('user without permission gets 403', function () {
    $member = User::factory()->create();

    $reply = $this->actingAs($member)->get('/permissions');
    $reply->assertForbidden();
});

// Happy path: a privileged user creates a permission and the row is persisted
// with the requested name and guard.
test('store creates a permission with web guard', function () {
    $manager = User::factory()->create();
    grantManageAccessRightsForPerms($manager);

    $payload = [
        'name' => 'view.reports',
        'guard_name' => 'web',
    ];
    $reply = $this->actingAs($manager)->postJson('/permissions', $payload);

    $reply->assertOk();
    $reply->assertJson(['success' => true]);
    $this->assertDatabaseHas('permissions', [
        'name' => 'view.reports',
        'guard_name' => 'web',
    ]);
});

// Uniqueness is expected to be scoped per guard: a name already used under 'web'
// is still accepted under 'api'.
test('same name allowed across different guards', function () {
    $manager = User::factory()->create();
    grantManageAccessRightsForPerms($manager);
    Permission::create(['name' => 'shared.perm', 'guard_name' => 'web']);

    $reply = $this->actingAs($manager)->postJson('/permissions', [
        'name' => 'shared.perm',
        'guard_name' => 'api',
    ]);
    $reply->assertOk();
});

// Within one guard a repeated name must fail validation (422) rather than create
// a second, ambiguous permission row.
test('store rejects duplicate name within same guard', function () {
    $manager = User::factory()->create();
    grantManageAccessRightsForPerms($manager);
    Permission::create(['name' => 'duplicate.perm', 'guard_name' => 'web']);

    $reply = $this->actingAs($manager)->postJson('/permissions', [
        'name' => 'duplicate.perm',
        'guard_name' => 'web',
    ]);
    $reply->assertStatus(422);
});

// A guard value other than the ones accepted above ('web', 'api') must be refused;
// 'console' stands in for an unsupported guard.
test('store rejects invalid guard', function () {
    $manager = User::factory()->create();
    grantManageAccessRightsForPerms($manager);

    $reply = $this->actingAs($manager)->postJson('/permissions', [
        'name' => 'some.perm',
        'guard_name' => 'console',
    ]);
    $reply->assertStatus(422);
});

// The submitted name carries whitespace and '!' and must be rejected with 422.
// The literal is kept exactly as it appears in the original, including where it breaks.
test('store rejects illegal characters in name', function () {
    $manager = User::factory()->create();
    grantManageAccessRightsForPerms($manager);

    $reply = $this->actingAs($manager)->postJson('/permissions', [
        'name' => 'bad name 
with space!',
        'guard_name' => 'web',
    ]);
    $reply->assertStatus(422);
});

// Renaming through PUT must be reflected in the stored row.
test('update can rename a permission', function () {
    $manager = User::factory()->create();
    grantManageAccessRightsForPerms($manager);
    $permission = Permission::create(['name' => 'old.name', 'guard_name' => 'web']);

    $reply = $this->actingAs($manager)->putJson("/permissions/{$permission->id}", [
        'name' => 'new.name',
        'guard_name' => 'web',
    ]);
    $reply->assertOk();

    $reloaded = $permission->fresh();
    expect($reloaded->name)->toBe('new.name');
});

// Deactivate, then reactivate, re-reading the row after each request.
// NOTE(review): this checks the is_active column only; whether an inactive
// permission actually stops authorizing its holders is not asserted here.
test('toggleStatus flips is_active', function () {
    $manager = User::factory()->create();
    grantManageAccessRightsForPerms($manager);
    $permission = Permission::create(['name' => 'flip.able', 'guard_name' => 'web', 'is_active' => 1]);

    $deactivate = ['id' => $permission->id, 'status' => 'deactivate'];
    $this->actingAs($manager)->postJson('/permissions/toggle-status', $deactivate)->assertOk();
    expect((bool) $permission->fresh()->is_active)->toBeFalse();

    $activate = ['id' => $permission->id, 'status' => 'activate'];
    $this->actingAs($manager)->postJson('/permissions/toggle-status', $activate)->assertOk();
    expect((bool) $permission->fresh()->is_active)->toBeTrue();
});

// DELETE must trash the row instead of removing it, so it stays retrievable
// through withTrashed().
// NOTE(review): the effect on users who held the trashed permission is not covered here.
test('destroy soft deletes permission', function () {
    $manager = User::factory()->create();
    grantManageAccessRightsForPerms($manager);
    $permission = Permission::create(['name' => 'to.delete', 'guard_name' => 'web']);

    $reply = $this->actingAs($manager)->deleteJson("/permissions/{$permission->id}");
    $reply->assertOk();

    $trashedRow = Permission::withTrashed()->find($permission->id);
    expect($trashedRow->trashed())->toBeTrue();
});