fix unit tests as well as missing code
API CI/CD / Validate (composer + pint) (push) Successful in 2m7s
API CI/CD / Test (PHPUnit) (push) Failing after 2m23s
API CI/CD / Build frontend assets (push) Successful in 2m18s
API CI/CD / Security audit (push) Successful in 31s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped

This commit is contained in:
root
2026-06-25 14:26:32 -04:00
parent fdfcd1f0e2
commit 940afe9319
115 changed files with 4554 additions and 290 deletions
@@ -60,6 +60,11 @@ class AttendanceTrackingController extends Controller
public function record(Request $request): JsonResponse
{
$guard = $this->forbidLowPrivilegeActor();
if ($guard instanceof JsonResponse) {
return $guard;
}
$validator = Validator::make($request->all(), [
'student_id' => ['required', 'integer', 'min:1'],
'date' => ['required', 'date_format:Y-m-d'],
@@ -87,6 +92,11 @@ class AttendanceTrackingController extends Controller
public function sendAutoEmails(Request $request): JsonResponse
{
$guard = $this->forbidLowPrivilegeActor(adminOnly: true);
if ($guard instanceof JsonResponse) {
return $guard;
}
$result = $this->service->sendAutoEmails($request->input('variant'));
return response()->json($result);
@@ -124,6 +134,11 @@ class AttendanceTrackingController extends Controller
public function sendManualEmail(Request $request): JsonResponse
{
$guard = $this->forbidLowPrivilegeActor();
if ($guard instanceof JsonResponse) {
return $guard;
}
$validator = Validator::make($request->all(), [
'student_id' => ['required', 'integer', 'min:1'],
'to' => ['required', 'email'],
@@ -173,6 +188,11 @@ class AttendanceTrackingController extends Controller
public function saveNotificationNote(Request $request): JsonResponse
{
$guard = $this->forbidLowPrivilegeActor();
if ($guard instanceof JsonResponse) {
return $guard;
}
$validator = Validator::make($request->all(), [
'student_id' => ['required', 'integer', 'min:1'],
'code' => ['required', 'string'],
@@ -197,4 +217,33 @@ class AttendanceTrackingController extends Controller
$result['status'] ?? 200
);
}
private function forbidLowPrivilegeActor(bool $adminOnly = false): ?JsonResponse
{
$user = request()->user() ?? auth()->user();
if (! $user || ! method_exists($user, 'roles')) {
return null;
}
$roles = $user->roles()
->pluck('roles.name')
->map(fn ($role) => strtolower((string) $role))
->all();
if ($roles === []) {
return null;
}
$allowedRoles = $adminOnly
? ['administrator', 'admin', 'principal', 'vice_principal', 'vice-principal']
: ['teacher', 'administrator', 'admin', 'principal', 'vice_principal', 'vice-principal'];
foreach ($allowedRoles as $allowed) {
if (in_array($allowed, $roles, true)) {
return null;
}
}
return response()->json(['message' => 'Forbidden.'], 403);
}
}