WS-2: Firmen-Scope für PMs & Magic-Link-Zugang für Pressekontakte

Firmen-Scope (Fundament):
- PM-Zugriff war hart an user_id (Autor) gebunden. Jetzt additiv: Autor ODER
  Mitglied der zugeordneten Firma (Owner via owner_user_id oder company_user-
  Pivot). Geändert in PressReleasePolicy (canManage) sowie den Queries der
  Listen-, Show- und Edit-Komponenten. Helfer User::accessibleCompanyIds()/
  canAccessCompany(). Solo-Owner unverändert; Firmenmitglieder sehen/bearbeiten
  alle PMs ihrer Firma.

Magic-Link-Zugang für Pressekontakte (ContactAccessService):
- Öffentliches, enumeration-sicheres Formular (/pressekontakt-zugang) mit
  Honeypot + Rate-Limit. Eine hinterlegte Kontakt-E-Mail führt zu einem lazy
  angelegten, de-duplizierten customer-Account (aktiv, verifiziert über den
  Magic-Link-Kanal), der den Firmen seiner Kontakte als Mitglied zugeordnet
  wird. Versand über den bestehenden Login-Magic-Link (Generator + Consume
  wiederverwendet) – keine Schema-Änderung, kein paralleles System.
- Dezenter Einstiegslink von der Login-Seite (PM-Frontend-Wiring später).

Tests: PressReleaseCompanyScopeTest (3), ContactAccessTest (6, inkl. De-Dup,
Enumeration-Sicherheit, Honeypot).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

tests/Feature/Auth/ContactAccessTest.php

@@ -0,0 +1,116 @@
+<?php
+
+use App\Mail\MagicLoginLink;
+use App\Models\Company;
+use App\Models\Contact;
+use App\Models\User;
+use App\Services\Auth\ContactAccessService;
+use Database\Seeders\RolesAndPermissionsSeeder;
+use Illuminate\Support\Facades\Mail;
+use Livewire\Volt\Volt;
+use Tests\TestCase;
+
+beforeEach(function () {
+    $this->seed(RolesAndPermissionsSeeder::class);
+});
+
+test('requesting access for an unknown email creates nothing and sends no mail', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $sent = app(ContactAccessService::class)->requestAccess('nobody@example.test');
+
+    expect($sent)->toBeFalse();
+    expect(User::query()->where('email', 'nobody@example.test')->exists())->toBeFalse();
+    Mail::assertNothingSent();
+});
+
+test('requesting access for a known contact lazily creates a scoped account and sends a link', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $company = Company::factory()->presseecho()->create();
+    Contact::factory()->for($company)->create([
+        'email' => 'paula@example.test',
+        'first_name' => 'Paula',
+        'last_name' => 'Presse',
+        'portal' => $company->portal->value,
+    ]);
+
+    // Gross-/Kleinschreibung egal.
+    $sent = app(ContactAccessService::class)->requestAccess('Paula@Example.test');
+
+    expect($sent)->toBeTrue();
+
+    $user = User::query()->where('email', 'paula@example.test')->firstOrFail();
+
+    expect($user->name)->toBe('Paula Presse');
+    expect($user->is_active)->toBeTrue();
+    expect($user->hasVerifiedEmail())->toBeTrue();
+    expect($user->hasRole('customer'))->toBeTrue();
+    expect($user->canAccessAdmin())->toBeFalse();
+    expect($user->canAccessCustomer())->toBeTrue();
+    expect($user->accessibleCompanyIds())->toContain($company->id);
+
+    Mail::assertSent(MagicLoginLink::class, fn (MagicLoginLink $mail) => $mail->user->is($user));
+});
+
+test('requesting access reuses an existing user without creating a duplicate', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $company = Company::factory()->presseecho()->create();
+    Contact::factory()->for($company)->create([
+        'email' => 'existing@example.test',
+        'portal' => $company->portal->value,
+    ]);
+
+    $existing = User::factory()->create(['email' => 'existing@example.test', 'is_active' => true]);
+    $existing->assignRole('customer');
+
+    app(ContactAccessService::class)->requestAccess('existing@example.test');
+
+    expect(User::query()->where('email', 'existing@example.test')->count())->toBe(1);
+    expect($existing->fresh()->accessibleCompanyIds())->toContain($company->id);
+    Mail::assertSent(MagicLoginLink::class);
+});
+
+test('the contact access form responds neutrally and triggers the service', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $company = Company::factory()->presseecho()->create();
+    Contact::factory()->for($company)->create([
+        'email' => 'form@example.test',
+        'portal' => $company->portal->value,
+    ]);
+
+    Volt::test('auth.contact-access')
+        ->set('email', 'form@example.test')
+        ->call('requestAccess')
+        ->assertHasNoErrors()
+        ->assertSet('email', '');
+
+    Mail::assertSent(MagicLoginLink::class);
+    expect(User::query()->where('email', 'form@example.test')->exists())->toBeTrue();
+});
+
+test('the honeypot blocks bots without creating an account', function () {
+    /** @var TestCase $this */
+    Mail::fake();
+
+    $company = Company::factory()->presseecho()->create();
+    Contact::factory()->for($company)->create([
+        'email' => 'bot-target@example.test',
+        'portal' => $company->portal->value,
+    ]);
+
+    Volt::test('auth.contact-access')
+        ->set('email', 'bot-target@example.test')
+        ->set('website', 'http://spam.example')
+        ->call('requestAccess')
+        ->assertHasNoErrors();
+
+    Mail::assertNothingSent();
+    expect(User::query()->where('email', 'bot-target@example.test')->exists())->toBeFalse();
+});