Space-Theme/server/tests/Integration/PermissionDenyTest.php

<?php

declare(strict_types=1);

namespace App\Tests\Integration;

use App\Shared\Clock\FixedTimeProvider;
use App\Tests\Support\TestAppFactory;
use App\Tests\Support\TestDatabase;
use PHPUnit\Framework\TestCase;
use Slim\Psr7\Factory\ServerRequestFactory;

final class PermissionDenyTest extends TestCase
{
    public function testDenyOverrideBlocksPermission(): void
    {
        $pdo = TestDatabase::create();
        TestDatabase::reset($pdo);
        $seed = TestDatabase::seedMinimal($pdo);
        $userId = (int)$seed['user_id'];

        $resources = [
            'metal' => 100.0,
            'alloy' => 0.0,
            'crystals' => 50.0,
            'energy' => 0.0,
            'credits' => 0.0,
            'population' => 0.0,
            'water' => 0.0,
            'deuterium' => 0.0,
            'food' => 0.0,
        ];

        $stmt = $pdo->prepare(
            'INSERT INTO planets (user_id, name, class_key, planet_seed, temperature_c, modifiers, resources, last_resource_update_at)
             VALUES (:user_id, :name, :class_key, :planet_seed, :temperature_c, :modifiers, :resources, :last_update)'
        );
        $stmt->execute([
            'user_id' => $userId,
            'name' => 'Denied',
            'class_key' => 'temperate',
            'planet_seed' => 9,
            'temperature_c' => 12,
            'modifiers' => json_encode(['metal' => 0.0], JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES),
            'resources' => json_encode($resources, JSON_UNESCAPED_UNICODE | JSON_UNESCAPED_SLASHES),
            'last_update' => '2026-02-03 00:00:00',
        ]);

        $permissionId = (int)$pdo->query("SELECT id FROM permissions WHERE key = 'planet.public.view'")->fetchColumn();
        $pdo->exec("INSERT INTO user_permission_overrides (user_id, permission_id, effect) VALUES ({$userId}, {$permissionId}, 'deny')");

        $time = new FixedTimeProvider(new \DateTimeImmutable('2026-02-03 00:00:00'));
        $app = TestAppFactory::create($pdo, $time);

        $factory = new ServerRequestFactory();
        $request = $factory->createServerRequest('GET', '/state')
            ->withHeader('X-User-Id', (string)$userId);

        $response = $app->handle($request);
        self::assertSame(403, $response->getStatusCode());
    }
}