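actingAsAdmin();
        $user = $this->createUser();

        $response = $this->getJson('/api/users');

        // Both the acting admin and the additional user must appear in the listing.
        $response->assertStatus(200)
            ->assertJsonFragment(['id' => $admin->id])
            ->assertJsonFragment(['id' => $user->id]);
    }

    /**
     * A non-admin user requesting the user list is rejected with 403.
     *
     * NOTE(review): this is the only negative authorization test visible in
     * this part of the file. Confirm that create, update and deactivate have
     * equivalent 403 tests for non-admin callers elsewhere.
     */
    public function test_non_admin_cannot_list_users(): void
    {
        $this->actingAsUser();

        $this->getJson('/api/users')->assertStatus(403);
    }

    /**
     * An admin can create a user, including the privileged is_admin flag.
     *
     * Besides the 201 response and the stored row, this checks that the
     * submitted password is neither echoed back in the response nor stored
     * verbatim in the users table.
     */
    public function test_admin_can_create_user(): void
    {
        $this->actingAsAdmin();

        $response = $this->postJson('/api/users', [
            'name' => 'Test User',
            'email' => 'test-user@example.com',
            'password' => 'secretpass',
            'is_admin' => true,
            'is_active' => true,
        ]);

        $response->assertStatus(201)
            ->assertJsonFragment(['email' => 'test-user@example.com'])
            // The plaintext credential must never be returned to the caller.
            ->assertJsonMissing(['password' => 'secretpass']);

        $this->assertDatabaseHas('users', [
            'email' => 'test-user@example.com',
            'is_admin' => 1,
            'is_active' => 1,
        ]);

        // A row holding the raw password would mean it was stored unhashed.
        $this->assertDatabaseMissing('users', [
            'email' => 'test-user@example.com',
            'password' => 'secretpass',
        ]);
    }

    /**
     * An admin can change another user's profile fields and password.
     *
     * The new password is verified through Hash::check against the refreshed
     * model, so the test passes only when the stored value is a hash of it.
     */
    public function test_admin_can_update_user_and_password(): void
    {
        $this->actingAsAdmin();
        $user = $this->createUser(['password' => 'oldpass']);

        $response = $this->putJson("/api/users/{$user->id}", [
            'name' => 'Updated Name',
            'email' => 'updated@example.com',
            'password' => 'newpass123',
            'is_admin' => false,
            'is_active' => true,
        ]);

        $response->assertStatus(200)
            ->assertJsonFragment(['email' => 'updated@example.com'])
            // The plaintext credential must never be returned to the caller.
            ->assertJsonMissing(['password' => 'newpass123']);

        // Reload from the database so the assertions see persisted values.
        $user->refresh();

        $this->assertSame('Updated Name', $user->name);
        $this->assertSame('updated@example.com', $user->email);
        $this->assertTrue(Hash::check('newpass123', $user->password));
    }

    /**
     * DELETE on a user deactivates it: the row stays, with is_active set to 0.
     */
    public function test_admin_can_deactivate_user(): void
    {
        $this->actingAsAdmin();
        $user = $this->createUser(['is_active' => true]);

        $response = $this->deleteJson("/api/users/{$user->id}");

        $response->assertStatus(200);

        $this->assertDatabaseHas('users', [
            'id' => $user->id,
            'is_active' => 0,
        ]);
    }

    /**
     * An admin deactivating their own account is refused with 422.
     */
    public function test_admin_cannot_deactivate_self(): void
    {
        $admin = $this->actingAsAdmin();

        $this->deleteJson("/api/users/{$admin->id}")
            ->assertStatus(422);
    }
}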