From d005e7b06dbfdd4b81192f0dfd51faabb7ce7097 Mon Sep 17 00:00:00 2001
From: lukinovec
Date: Tue, 27 Jun 2023 17:48:47 +0200
Subject: [PATCH] Test that tenant permmissions are scoped only to the tenant schema
---
 tests/PostgresRLSTest.php | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/tests/PostgresRLSTest.php b/tests/PostgresRLSTest.php
index 8e411510..20f41846 100644
--- a/tests/PostgresRLSTest.php
+++ b/tests/PostgresRLSTest.php
@@ -228,6 +228,22 @@ test('users created by CreatePostgresUserForTenant are only granted the permissi
 ->not()->toContain('DELETE');
 });
 
+test('postgres user permissions are only scoped to the tenant app', function() {
+ $tenant = Tenant::create();
+ // ALL grants'
+ CreatePostgresUserForTenant::dispatchSync($tenant);
+
+ tenancy()->initialize($tenant);
+
+ // Tenant cannot access central data due to insufficient permissions
+ expect(fn () => Tenant::all())->toThrow(Exception::class);
+
+ tenancy()->end();
+
+ // Central data can be accessed from the central context
+ expect(Tenant::all())->not()->toBeEmpty();
+})->group('access');
+
 test('model discovery gets the models correctly', function() {
 // 'tenancy.rls.model_directories' is set to [__DIR__ . '/Etc'] in beforeEach
 // Check that the Post and ScopedComment models are found in the directory
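Review bot: `toThrow(Exception::class)` in the new test is satisfied by any failure inside `Tenant::all()`, such as a dropped connection, a missing relation or a misconfigured tenant connection, so the test can pass without the permission boundary being what stopped the query. Pin the assertion to the denial itself, for example `expect(fn () => Tenant::all())->toThrow(QueryException::class, 'permission denied');`, assuming the tenant role receives PostgreSQL's insufficient-privilege error here; confirm the actual message and import `Illuminate\Database\QueryException` if the file does not already. Because `tenancy()->end()` runs only after that expectation, a failing assertion would leave the tenant context initialized for whatever runs next unless the suite's teardown (not visible in this hunk) resets it. The comment `// ALL grants'` carries a stray quote and does not say what it documents; replace it with a sentence describing what `CreatePostgresUserForTenant` is expected to grant, or drop it.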