From 52af8afac2332131f2b40ced641b82709ca11ae9 Mon Sep 17 00:00:00 2001
From: snipe
Date: Sat, 1 Jun 2024 03:10:29 +0100
Subject: [PATCH] Added company scoping test
Signed-off-by: snipe
---
 tests/Feature/Api/Users/DeleteUsersTest.php | 32 +++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/tests/Feature/Api/Users/DeleteUsersTest.php b/tests/Feature/Api/Users/DeleteUsersTest.php
index 830008d0b..3b68cbb4d 100644
--- a/tests/Feature/Api/Users/DeleteUsersTest.php
+++ b/tests/Feature/Api/Users/DeleteUsersTest.php
@@ -2,6 +2,8 @@
 namespace Tests\Feature\Api\Users;
+use App\Models\Asset;
+use App\Models\Company;
 use App\Models\Location;
 use App\Models\User;
 use App\Models\LicenseSeat;
@@ -64,6 +66,36 @@ class DeleteUsersTest extends TestCase
 ->json();
 }
+ public function testDisallowUserDeletionIfNotInSameCompanyIfNotSuperadmin()
+ {
+ $this->settings->enableMultipleFullCompanySupport();
+ [$companyA, $companyB] = Company::factory()->count(2)->create();
+
+ $superUser = $companyA->users()->save(User::factory()->superuser()->make());
+ $userInCompanyA = $companyA->users()->save(User::factory()->deleteUsers()->make());
+ $userInCompanyB = $companyB->users()->save(User::factory()->deleteUsers()->make());
+
+ $this->actingAsForApi($userInCompanyA)
+ ->deleteJson(route('api.users.destroy', $userInCompanyB))
+ ->assertStatus(403)
+ ->json();
+
+ $this->actingAsForApi($userInCompanyB)
+ ->deleteJson(route('api.users.destroy', $userInCompanyA))
+ ->assertStatus(403)
+ ->json();
+
+ $this->actingAsForApi($superUser)
+ ->deleteJson(route('api.users.destroy', $userInCompanyA))
+ ->assertOk()
+ ->assertStatus(200)
+ ->assertStatusMessageIs('success')
+ ->json();
+
+ }
+
+
+
 }
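Review bot: The two cross-company cases in testDisallowUserDeletionIfNotInSameCompanyIfNotSuperadmin assert only the 403 status, so the test would still pass if the endpoint removed the target user and then returned the denial; for an authorization-scoping test the record state is the property that matters. After each denied request add a state check such as `$this->assertNotSoftDeleted($userInCompanyB);` (assuming User is soft-deleted, which this patch does not show), and after the superuser request `$this->assertSoftDeleted($userInCompanyA);`. In the superuser case `->assertOk()` and `->assertStatus(200)` check the same thing, and the trailing `->json()` return values are discarded in all three chains. The `use App\Models\Asset;` added in the first hunk is not referenced by any line visible in this patch, so it looks unused unless code outside the hunks needs it.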