api('GET', 'users'); $this->assertLegacyAuthError($res, 401, 'Missing Bearer token'); } public function testCoachForbidden(): void { $this->loginAs(DatabaseFixture::COACH1_USERNAME); $res = $this->api('GET', 'users'); $this->assertLegacyAuthError($res, 403, 'Insufficient permissions'); } public function testAdminSeesAllUsers(): void { $this->loginAs(DatabaseFixture::ADMIN_USERNAME); $res = $this->api('GET', 'users'); $this->assertOk($res); $usernames = array_column($res['body']['data']['users'], 'username'); $this->assertContains(DatabaseFixture::COACH1_USERNAME, $usernames); $this->assertContains(DatabaseFixture::COACH2_USERNAME, $usernames); $this->assertContains(DatabaseFixture::SUPERVISOR1_USERNAME, $usernames); $this->assertNotEmpty($res['body']['data']['supervisors']); } public function testSupervisorSeesOnlyTheirCoaches(): void { $this->loginAs(DatabaseFixture::SUPERVISOR1_USERNAME); $res = $this->api('GET', 'users'); $this->assertOk($res); $usernames = array_column($res['body']['data']['users'], 'username'); $this->assertContains(DatabaseFixture::COACH1_USERNAME, $usernames); $this->assertNotContains(DatabaseFixture::COACH2_USERNAME, $usernames); $this->assertSame([], $res['body']['data']['supervisors']); } }