security fix and fix parent pages
API CI/CD / Validate (composer + pint) (push) Successful in 3m7s
API CI/CD / Test (PHPUnit) (push) Failing after 5m46s
API CI/CD / Build frontend assets (push) Successful in 1m2s
API CI/CD / Security audit (push) Failing after 49s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
API CI/CD / Validate (composer + pint) (push) Successful in 3m7s
API CI/CD / Test (PHPUnit) (push) Failing after 5m46s
API CI/CD / Build frontend assets (push) Successful in 1m2s
API CI/CD / Security audit (push) Failing after 49s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
This commit is contained in:
@@ -135,8 +135,15 @@ class SchoolYearControllerTest extends TestCase
|
||||
|
||||
$missing = [];
|
||||
foreach ($routes as $route) {
|
||||
$uri = $route->uri();
|
||||
$middleware = $route->gatherMiddleware();
|
||||
$hasPermission = collect($middleware)->contains(fn (string $middleware): bool => str_starts_with($middleware, 'perm:'));
|
||||
$isContextRoute = in_array($uri, [
|
||||
'api/v1/school-years',
|
||||
'api/v1/school-years/current',
|
||||
'api/v1/school-years/options',
|
||||
], true);
|
||||
$hasPermission = $isContextRoute
|
||||
|| collect($middleware)->contains(fn (string $middleware): bool => str_starts_with($middleware, 'perm:'));
|
||||
$hasAuth = collect($middleware)->contains(fn (string $middleware): bool => str_contains($middleware, 'multi.auth') || str_contains($middleware, 'auth'));
|
||||
$hasAccountGuard = in_array('account.active', $middleware, true);
|
||||
|
||||
@@ -148,6 +155,25 @@ class SchoolYearControllerTest extends TestCase
|
||||
$this->assertSame([], $missing, 'School-year routes missing auth/account/permission middleware: '.implode(', ', $missing));
|
||||
}
|
||||
|
||||
public function test_active_user_can_load_school_year_context_list_without_school_year_permission(): void
|
||||
{
|
||||
$this->seedClosureData();
|
||||
|
||||
$this->actingAs(User::query()->findOrFail(10), 'api');
|
||||
|
||||
$response = $this->getJson('/api/v1/school-years');
|
||||
|
||||
$response->assertOk()
|
||||
->assertJsonPath('ok', true)
|
||||
->assertJsonPath('current_school_year', '2025-2026');
|
||||
|
||||
$this->postJson('/api/v1/school-years', [
|
||||
'name' => '2026-2027',
|
||||
'start_date' => '2026-09-01',
|
||||
'end_date' => '2027-06-30',
|
||||
])->assertForbidden();
|
||||
}
|
||||
|
||||
public function test_admin_can_create_draft_school_year_via_api(): void
|
||||
{
|
||||
$this->seedClosureData();
|
||||
@@ -426,12 +452,15 @@ class SchoolYearControllerTest extends TestCase
|
||||
];
|
||||
|
||||
foreach ($permissions as $permission) {
|
||||
$permissionId = DB::table('permissions')->insertGetId([
|
||||
'name' => $permission,
|
||||
'description' => 'Test permission '.$permission,
|
||||
'created_at' => now(),
|
||||
'updated_at' => now(),
|
||||
]);
|
||||
DB::table('permissions')->updateOrInsert(
|
||||
['name' => $permission],
|
||||
[
|
||||
'description' => 'Test permission '.$permission,
|
||||
'created_at' => now(),
|
||||
'updated_at' => now(),
|
||||
]
|
||||
);
|
||||
$permissionId = (int) DB::table('permissions')->where('name', $permission)->value('id');
|
||||
DB::table('role_permissions')->insert([
|
||||
'role_id' => 1,
|
||||
'permission_id' => $permissionId,
|
||||
|
||||
Reference in New Issue
Block a user