From e88f50912c9c273fb1ab4e74560e06c684fb043e Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Wed, 15 Oct 2025 15:08:35 +0200
Subject: [PATCH] fix: add authentication context to TeamPolicyTest

The tests were failing because User::role() depends on Auth::user() and
currentTeam() session being set. Added actingAs() and session setup to
each test to properly authenticate users before checking permissions.

This fixes the 'Attempt to read property "teams" on null' errors.
---
 tests/Feature/TeamPolicyTest.php | 48 ++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/tests/Feature/TeamPolicyTest.php b/tests/Feature/TeamPolicyTest.php
index 10abd8adf..d6a65e231 100644
--- a/tests/Feature/TeamPolicyTest.php
+++ b/tests/Feature/TeamPolicyTest.php
@@ -21,116 +21,164 @@
 
 describe('update permission', function () {
     test('owner can update team', function () {
+        $this->actingAs($this->owner);
+        session(['currentTeam' => $this->team]);
         expect($this->owner->can('update', $this->team))->toBeTrue();
     });
 
     test('admin can update team', function () {
+        $this->actingAs($this->admin);
+        session(['currentTeam' => $this->team]);
         expect($this->admin->can('update', $this->team))->toBeTrue();
     });
 
     test('member cannot update team', function () {
+        $this->actingAs($this->member);
+        session(['currentTeam' => $this->team]);
         expect($this->member->can('update', $this->team))->toBeFalse();
     });
 
     test('non-team member cannot update team', function () {
         $outsider = User::factory()->create();
+        $this->actingAs($outsider);
+        session(['currentTeam' => $this->team]);
         expect($outsider->can('update', $this->team))->toBeFalse();
     });
 });
 
 describe('delete permission', function () {
     test('owner can delete team', function () {
+        $this->actingAs($this->owner);
+        session(['currentTeam' => $this->team]);
         expect($this->owner->can('delete', $this->team))->toBeTrue();
     });
 
     test('admin can delete team', function () {
+        $this->actingAs($this->admin);
+        session(['currentTeam' => $this->team]);
         expect($this->admin->can('delete', $this->team))->toBeTrue();
     });
 
     test('member cannot delete team', function () {
+        $this->actingAs($this->member);
+        session(['currentTeam' => $this->team]);
         expect($this->member->can('delete', $this->team))->toBeFalse();
     });
 
     test('non-team member cannot delete team', function () {
         $outsider = User::factory()->create();
+        $this->actingAs($outsider);
+        session(['currentTeam' => $this->team]);
         expect($outsider->can('delete', $this->team))->toBeFalse();
     });
 });
 
 describe('manageMembers permission', function () {
     test('owner can manage members', function () {
+        $this->actingAs($this->owner);
+        session(['currentTeam' => $this->team]);
         expect($this->owner->can('manageMembers', $this->team))->toBeTrue();
     });
 
     test('admin can manage members', function () {
+        $this->actingAs($this->admin);
+        session(['currentTeam' => $this->team]);
         expect($this->admin->can('manageMembers', $this->team))->toBeTrue();
     });
 
     test('member cannot manage members', function () {
+        $this->actingAs($this->member);
+        session(['currentTeam' => $this->team]);
         expect($this->member->can('manageMembers', $this->team))->toBeFalse();
     });
 
     test('non-team member cannot manage members', function () {
         $outsider = User::factory()->create();
+        $this->actingAs($outsider);
+        session(['currentTeam' => $this->team]);
         expect($outsider->can('manageMembers', $this->team))->toBeFalse();
     });
 });
 
 describe('viewAdmin permission', function () {
     test('owner can view admin panel', function () {
+        $this->actingAs($this->owner);
+        session(['currentTeam' => $this->team]);
         expect($this->owner->can('viewAdmin', $this->team))->toBeTrue();
     });
 
     test('admin can view admin panel', function () {
+        $this->actingAs($this->admin);
+        session(['currentTeam' => $this->team]);
         expect($this->admin->can('viewAdmin', $this->team))->toBeTrue();
     });
 
     test('member cannot view admin panel', function () {
+        $this->actingAs($this->member);
+        session(['currentTeam' => $this->team]);
         expect($this->member->can('viewAdmin', $this->team))->toBeFalse();
     });
 
     test('non-team member cannot view admin panel', function () {
         $outsider = User::factory()->create();
+        $this->actingAs($outsider);
+        session(['currentTeam' => $this->team]);
         expect($outsider->can('viewAdmin', $this->team))->toBeFalse();
     });
 });
 
 describe('manageInvitations permission (privilege escalation fix)', function () {
     test('owner can manage invitations', function () {
+        $this->actingAs($this->owner);
+        session(['currentTeam' => $this->team]);
         expect($this->owner->can('manageInvitations', $this->team))->toBeTrue();
     });
 
     test('admin can manage invitations', function () {
+        $this->actingAs($this->admin);
+        session(['currentTeam' => $this->team]);
         expect($this->admin->can('manageInvitations', $this->team))->toBeTrue();
     });
 
     test('member cannot manage invitations (SECURITY FIX)', function () {
         // This test verifies the privilege escalation vulnerability is fixed
         // Previously, members could see and manage admin invitations
+        $this->actingAs($this->member);
+        session(['currentTeam' => $this->team]);
         expect($this->member->can('manageInvitations', $this->team))->toBeFalse();
     });
 
     test('non-team member cannot manage invitations', function () {
         $outsider = User::factory()->create();
+        $this->actingAs($outsider);
+        session(['currentTeam' => $this->team]);
         expect($outsider->can('manageInvitations', $this->team))->toBeFalse();
     });
 });
 
 describe('view permission', function () {
     test('owner can view team', function () {
+        $this->actingAs($this->owner);
+        session(['currentTeam' => $this->team]);
         expect($this->owner->can('view', $this->team))->toBeTrue();
     });
 
     test('admin can view team', function () {
+        $this->actingAs($this->admin);
+        session(['currentTeam' => $this->team]);
         expect($this->admin->can('view', $this->team))->toBeTrue();
     });
 
     test('member can view team', function () {
+        $this->actingAs($this->member);
+        session(['currentTeam' => $this->team]);
         expect($this->member->can('view', $this->team))->toBeTrue();
     });
 
     test('non-team member cannot view team', function () {
         $outsider = User::factory()->create();
+        $this->actingAs($outsider);
+        session(['currentTeam' => $this->team]);
         expect($outsider->can('view', $this->team))->toBeFalse();
     });
 });