dingo / api

A RESTful API package for the Laravel and Lumen frameworks.

500 status returns for forbidden exception

jacksontong opened this issue · comments

Q                  A
Bug?               yes
New Feature?       no
Framework          Laravel
Framework version  7.16.1
Package version    3.0.0
PHP version        7.4.7

Actual Behaviour

I'm using authorizeResource from the controller's constructor, and dingo api returns a 500 status error if I'm not authorized to perform the action.

Expected Behaviour

It should return 403 status instead.

Steps to Reproduce

Controller

namespace App\Http\Controllers;

use App\Customer;

class CustomerController extends Controller
{
    public function __construct()
    {
        // Require a valid JWT first, then let Laravel map each resource action
        // (index/show/update/destroy/...) onto the matching CustomerPolicy method.
        $this->middleware('jwt.auth');
        $this->authorizeResource(Customer::class, 'customer');
    }

    /**
     * Delete a customer
     * @param Customer $customer
     * @return \Illuminate\Http\JsonResponse
     */
    public function destroy(Customer $customer)
    {
        // Only reached if CustomerPolicy::delete() returned true for the current user
        $customer->delete();

        return response()->json(null, 204);
    }
}

CustomerPolicy

namespace App\Policies;

use App\Customer;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class CustomerPolicy
{
    use HandlesAuthorization;

    /**
     * Determine whether the user can view any models.
     *
     * @param  \App\User  $user
     * @return mixed
     */
    public function viewAny(User $user)
    {
        return true;
    }

    /**
     * Determine whether the user can delete the model.
     *
     * @param  \App\User  $user
     * @param  \App\Customer  $customer
     * @return mixed
     */
    public function delete(User $user, Customer $customer)
    {
        // Owner-only: a customer may be deleted solely by the user who created it
        return $user->id == $customer->user_id;
    }
}

CustomerTest

namespace Tests\Feature;

use App\Customer;
use App\User;
use Dingo\Api\Routing\UrlGenerator;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class CustomerTest extends TestCase
{
    use RefreshDatabase;

    /**
     * @var UrlGenerator
     */
    protected $urlGenerator;

    protected function setUp(): void
    {
        parent::setUp();
        // dingo's URL generator, pinned to the v1 API version
        $this->urlGenerator = app(UrlGenerator::class)->version('v1');
    }

    public function test_user_cannot_delete_customer_belongs_to_other_user()
    {
        $urlGenerator = $this->urlGenerator;
        $user = factory(User::class)->create();
        // The factory assigns a different owner, so the policy must deny this user
        $customer = factory(Customer::class)->create();

        // apiLogin() is a helper on the application's own TestCase (not shown here)
        $this->apiLogin($user)
            ->deleteJson($urlGenerator->route('customers.destroy', $customer))
            ->dump()
            ->assertForbidden();
/*
{#2294
 +"message": "This action is unauthorized."
 +"status_code": 500
}

Response status code [500] is not a forbidden status code.
Failed asserting that false is true.
/home/vagrant/code/php/pvsell-api/vendor/laravel/framework/src/Illuminate/Testing/TestResponse.php:150
*/
    }
}
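The dump above shows what happens when nothing tells dingo how to render Laravel's AuthorizationException: it falls through to the generic error path and reports status_code 500. Until the package itself maps it, the application can register its own handler. The following is an added example, not code from the issue author or from dingo; it assumes dingo's documented app('api.exception')->register() hook, Laravel's Illuminate\Auth\Access\AuthorizationException, and places the registration in the conventional AppServiceProvider.

```php
<?php

namespace App\Providers;

use Illuminate\Auth\Access\AuthorizationException;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot()
    {
        // authorizeResource() throws AuthorizationException whenever a policy
        // method (e.g. CustomerPolicy::delete) returns false. Registering a
        // handler for that class makes dingo answer with a 403 instead of the
        // generic 500, so "denied" is no longer indistinguishable from "crashed".
        app('api.exception')->register(function (AuthorizationException $e) {
            return response()->json([
                // Keep the same message/status_code shape dingo uses for its
                // own error responses, as seen in the dump in this issue.
                'message'     => $e->getMessage() ?: 'This action is unauthorized.',
                'status_code' => 403,
            ], 403);
        });
    }
}
```

With this in place the issue's own test, which only asserts on the status code via assertForbidden(), passes unchanged. Getting the code right matters beyond the test: a 403 is what API clients and rate-limit or abuse monitoring expect for a failed ownership check, whereas the same event logged as a 500 lands in server-error alerting and hides a clean access-control signal.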

duplicate with #1229