fix: Phase 7 review fixes — bill payment guard + test hardening

claude · claude · commit 7759bc3ffe51 · 2026-05-30T04:47:36.000Z
- BillController: reject payment recording on non-received bills - BillTest: scope Bill::latest() to tenant, load payments in total test, add staff-cannot-create and draft-payment-rejected tests - ReportTest: add staff-403 tests, fix date range on zero-net test, add total_liabilities assertion to balance sheet equation test - Show.tsx: use replaceAll() for multi-underscore payment methods All 192 tests passing; npm run build clean. https://claude.ai/code/session_01RdUGwo74JXChRCF88Yu27d
diff --git a/erp/app/Modules/Finance/Http/Controllers/BillController.php b/erp/app/Modules/Finance/Http/Controllers/BillController.php
@@ -138,6 +138,10 @@ public function recordPayment(StorePaymentRequest $request, Bill $bill): Redirec
     {
         $this->authorize('update', $bill);
 
+        if ($bill->status !== 'received') {
+            return back()->withErrors(['status' => 'Payments can only be recorded on received bills.']);
+        }
+
         $data = $request->validated();
 
         DB::transaction(function () use ($data, $bill) {
diff --git a/erp/resources/js/Pages/Finance/Bills/Show.tsx b/erp/resources/js/Pages/Finance/Bills/Show.tsx
@@ -163,7 +163,7 @@ export default function BillShow({ bill }: Props) {
                                 {bill.payments!.map((p) => (
                                     <tr key={p.id}>
                                         <td className="px-4 py-3">{p.payment_date}</td>
-                                        <td className="px-4 py-3 capitalize">{p.method.replace('_', ' ')}</td>
+                                        <td className="px-4 py-3 capitalize">{p.method.replaceAll('_', ' ')}</td>
                                         <td className="px-4 py-3 text-slate-500">{p.reference ?? '—'}</td>
                                         <td className="px-4 py-3 text-right font-medium">{Number(p.amount).toFixed(2)}</td>
                                     </tr>
diff --git a/erp/tests/Feature/Finance/BillTest.php b/erp/tests/Feature/Finance/BillTest.php
@@ -57,9 +57,10 @@
             'items'      => [
                 ['description' => 'Service', 'quantity' => 1, 'unit_price' => 100, 'tax_rate' => 0],
             ],
-        ]);
+        ])
+        ->assertRedirect();
 
-    $bill = Bill::latest()->first();
+    $bill = Bill::where('tenant_id', $this->tenant->id)->latest()->first();
     expect($bill->number)->toStartWith('BILL-');
 });
 
@@ -86,7 +87,7 @@
         'tax_rate'    => 10,
     ]);
 
-    $bill->load('items');
+    $bill->load(['items', 'payments']);
 
     expect($bill->subtotal)->toBe(200.0);
     expect($bill->tax_total)->toBe(20.0);
@@ -177,3 +178,30 @@
         ->delete("/finance/bills/{$bill->id}")
         ->assertStatus(403);
 });
+
+test('staff cannot create a bill', function () {
+    $this->actingAs($this->staff)
+        ->post('/finance/bills', [
+            'issue_date' => '2026-01-01',
+            'items'      => [['description' => 'X', 'quantity' => 1, 'unit_price' => 10, 'tax_rate' => 0]],
+        ])
+        ->assertStatus(403);
+});
+
+test('payment cannot be recorded on a draft bill', function () {
+    $bill = Bill::create([
+        'tenant_id'  => $this->tenant->id,
+        'issue_date' => now()->toDateString(),
+    ]);
+
+    // status is 'draft' — payment should be rejected
+    $this->actingAs($this->admin)
+        ->post("/finance/bills/{$bill->id}/payments", [
+            'amount'       => '50.00',
+            'payment_date' => now()->toDateString(),
+            'method'       => 'cash',
+        ])
+        ->assertSessionHasErrors('status');
+
+    expect(BillPayment::where('bill_id', $bill->id)->exists())->toBeFalse();
+});
diff --git a/erp/tests/Feature/Finance/ReportTest.php b/erp/tests/Feature/Finance/ReportTest.php
@@ -13,6 +13,8 @@
     $this->tenant = Tenant::create(['name' => 'Report Co', 'slug' => 'report-co']);
     $this->admin  = User::factory()->create(['tenant_id' => $this->tenant->id]);
     $this->admin->assignRole('super-admin');
+    $this->staff  = User::factory()->create(['tenant_id' => $this->tenant->id]);
+    $this->staff->assignRole('staff');
 });
 
 test('profit and loss report is accessible', function () {
@@ -29,7 +31,7 @@
 
 test('profit and loss net is zero with no posted entries', function () {
     $this->actingAs($this->admin)
-        ->get('/finance/reports/profit-loss')
+        ->get('/finance/reports/profit-loss?from=2026-01-01&to=2026-12-31')
         ->assertInertia(fn ($p) => $p->where('net', 0));
 });
 
@@ -89,6 +91,7 @@
         ->get('/finance/reports/balance-sheet?as_of=2026-06-01')
         ->assertInertia(fn ($p) => $p
             ->where('total_assets', 1000)
+            ->where('total_liabilities', 0)
             ->where('total_equity', 1000)
         );
 
@@ -99,3 +102,13 @@
     $this->get('/finance/reports/profit-loss')
         ->assertRedirect();
 });
+
+test('staff cannot access financial reports', function () {
+    $this->actingAs($this->staff)
+        ->get('/finance/reports/profit-loss')
+        ->assertStatus(403);
+
+    $this->actingAs($this->staff)
+        ->get('/finance/reports/balance-sheet')
+        ->assertStatus(403);
+});

Original file line number	Diff line number	Diff line change
`@@ -138,6 +138,10 @@ public function recordPayment(StorePaymentRequest $request, Bill $bill): Redirec`
`138`	`138`	`{`
`139`	`139`	`$this->authorize('update', $bill);`
`140`	`140`
	`141`	`+ if ($bill->status !== 'received') {`
	`142`	`+ return back()->withErrors(['status' => 'Payments can only be recorded on received bills.']);`
	`143`	`+ }`
	`144`	`+`
`141`	`145`	`$data = $request->validated();`
`142`	`146`
`143`	`147`	`DB::transaction(function () use ($data, $bill) {`