security fix and fix parent pages
API CI/CD / Validate (composer + pint) (push) Successful in 3m7s
API CI/CD / Test (PHPUnit) (push) Failing after 5m46s
API CI/CD / Build frontend assets (push) Successful in 1m2s
API CI/CD / Security audit (push) Failing after 49s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped

This commit is contained in:
root
2026-07-06 02:14:16 -04:00
parent 39228168c8
commit 90f9857b06
43 changed files with 4323 additions and 132 deletions
@@ -30,6 +30,29 @@ class ReportCardsControllerTest extends TestCase
$this->assertArrayHasKey('class_section_id', $response->json('data.classSections.0'));
}
public function test_parent_meta_is_scoped_to_only_their_students(): void
{
$this->seedConfig();
$admin = $this->seedUser();
$parent = $this->seedParentUser(10);
$data = $this->seedReportCardData($admin->id);
$other = $this->seedOtherScoredStudent($admin->id);
Sanctum::actingAs($parent);
$response = $this->getJson('/api/v1/reports/report-cards/meta?school_year=2025-2026&semester=Fall');
$response->assertOk();
$response->assertJsonPath('status', true);
$this->assertSame([$data['student_id']], collect($response->json('data.students'))->pluck('id')->all());
$this->getJson('/api/v1/reports/report-cards/students/'.$other['student_id'].'?school_year=2025-2026&semester=Fall')
->assertForbidden();
$this->getJson('/api/v1/reports/report-cards/classes/'.$data['class_section_id'].'?school_year=2025-2026&semester=Fall')
->assertForbidden();
}
public function test_completeness_returns_summary_and_students(): void
{
$this->seedConfig();
@@ -155,6 +178,48 @@ class ReportCardsControllerTest extends TestCase
'semester' => 'Fall',
'school_year' => '2025-2026',
'status' => 'Active',
'is_verified' => 1,
'is_suspended' => 0,
]);
return User::query()->findOrFail($userId);
}
private function seedParentUser(int $userId): User
{
$roleId = DB::table('roles')->insertGetId([
'name' => 'parent',
'slug' => 'parent',
'is_active' => 1,
'created_at' => now(),
'updated_at' => now(),
]);
DB::table('users')->insert([
'id' => $userId,
'firstname' => 'Parent',
'lastname' => 'User',
'cellphone' => '8888888888',
'email' => 'parent-reportcards@example.com',
'address_street' => '123 Parent',
'city' => 'City',
'state' => 'ST',
'zip' => '12345',
'accept_school_policy' => 1,
'password' => bcrypt('password'),
'user_type' => 'primary',
'semester' => 'Fall',
'school_year' => '2025-2026',
'status' => 'Active',
'is_verified' => 1,
'is_suspended' => 0,
]);
DB::table('user_roles')->insert([
'user_id' => $userId,
'role_id' => $roleId,
'created_at' => now(),
'updated_at' => now(),
]);
return User::query()->findOrFail($userId);
@@ -280,6 +345,59 @@ class ReportCardsControllerTest extends TestCase
];
}
private function seedOtherScoredStudent(int $userId): array
{
DB::table('students')->insert([
'id' => 102,
'school_id' => 'SCH3',
'firstname' => 'Other',
'lastname' => 'Student',
'age' => 10,
'gender' => 'Female',
'photo_consent' => 1,
'parent_id' => 11,
'year_of_registration' => '2025-2026',
'semester' => 'Fall',
'school_year' => '2025-2026',
'is_active' => 1,
]);
DB::table('student_class')->insert([
'student_id' => 102,
'class_section_id' => 200,
'school_year' => '2025-2026',
'semester' => 'Fall',
'is_event_only' => 0,
'created_at' => now(),
'updated_at' => now(),
]);
DB::table('semester_scores')->insert([
'student_id' => 102,
'school_id' => 'SCH3',
'class_section_id' => 200,
'updated_by' => $userId,
'homework_avg' => 87,
'quiz_avg' => 86,
'project_avg' => 85,
'test_avg' => 84,
'midterm_exam_score' => 83,
'final_exam_score' => 82,
'attendance_score' => 81,
'ptap_score' => 80,
'semester_score' => 84,
'semester' => 'Fall',
'school_year' => '2025-2026',
'created_at' => now(),
'updated_at' => now(),
]);
return [
'student_id' => 102,
'class_section_id' => 200,
];
}
private function seedAcknowledgement(int $studentId): void
{
DB::table('report_card_acknowledgements')->insert([