security fix and fix parent pages
API CI/CD / Validate (composer + pint) (push) Successful in 3m7s
API CI/CD / Test (PHPUnit) (push) Failing after 5m46s
API CI/CD / Build frontend assets (push) Successful in 1m2s
API CI/CD / Security audit (push) Failing after 49s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped

This commit is contained in:
root
2026-07-06 02:14:16 -04:00
parent 39228168c8
commit 90f9857b06
43 changed files with 4323 additions and 132 deletions
@@ -135,8 +135,15 @@ class SchoolYearControllerTest extends TestCase
$missing = [];
foreach ($routes as $route) {
$uri = $route->uri();
$middleware = $route->gatherMiddleware();
$hasPermission = collect($middleware)->contains(fn (string $middleware): bool => str_starts_with($middleware, 'perm:'));
$isContextRoute = in_array($uri, [
'api/v1/school-years',
'api/v1/school-years/current',
'api/v1/school-years/options',
], true);
$hasPermission = $isContextRoute
|| collect($middleware)->contains(fn (string $middleware): bool => str_starts_with($middleware, 'perm:'));
$hasAuth = collect($middleware)->contains(fn (string $middleware): bool => str_contains($middleware, 'multi.auth') || str_contains($middleware, 'auth'));
$hasAccountGuard = in_array('account.active', $middleware, true);
@@ -148,6 +155,25 @@ class SchoolYearControllerTest extends TestCase
$this->assertSame([], $missing, 'School-year routes missing auth/account/permission middleware: '.implode(', ', $missing));
}
public function test_active_user_can_load_school_year_context_list_without_school_year_permission(): void
{
$this->seedClosureData();
$this->actingAs(User::query()->findOrFail(10), 'api');
$response = $this->getJson('/api/v1/school-years');
$response->assertOk()
->assertJsonPath('ok', true)
->assertJsonPath('current_school_year', '2025-2026');
$this->postJson('/api/v1/school-years', [
'name' => '2026-2027',
'start_date' => '2026-09-01',
'end_date' => '2027-06-30',
])->assertForbidden();
}
public function test_admin_can_create_draft_school_year_via_api(): void
{
$this->seedClosureData();
@@ -426,12 +452,15 @@ class SchoolYearControllerTest extends TestCase
];
foreach ($permissions as $permission) {
$permissionId = DB::table('permissions')->insertGetId([
'name' => $permission,
'description' => 'Test permission '.$permission,
'created_at' => now(),
'updated_at' => now(),
]);
DB::table('permissions')->updateOrInsert(
['name' => $permission],
[
'description' => 'Test permission '.$permission,
'created_at' => now(),
'updated_at' => now(),
]
);
$permissionId = (int) DB::table('permissions')->where('name', $permission)->value('id');
DB::table('role_permissions')->insert([
'role_id' => 1,
'permission_id' => $permissionId,