archetecture security fix

This commit is contained in:
root
2026-06-11 03:22:12 -04:00
parent 6def9993da
commit 9483750161
3126 changed files with 177194 additions and 37211 deletions
@@ -5,6 +5,7 @@ namespace Tests\Feature\Api\Administrator;
use App\Models\Configuration;
use App\Models\TeacherSubmissionNotificationHistory;
use App\Models\User;
use App\Services\Administrator\AdministratorSharedService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Mail;
@@ -217,6 +218,62 @@ class AdministratorTeacherSubmissionNotifyApiTest extends TestCase
]);
}
public function test_notify_endpoint_accepts_flat_teacher_ids_when_teacher_class_has_no_semester_column(): void
{
Mail::fake();
$shared = \Mockery::mock($this->app->make(AdministratorSharedService::class))->makePartial();
$shared->shouldReceive('teacherClassSupportsSemester')
->once()
->andReturn(false);
$this->app->instance(AdministratorSharedService::class, $shared);
$admin = $this->seedAdminUser('admin4@test.com', 903, 'Admin', 'Four');
Sanctum::actingAs($admin, [], 'api');
User::factory()->create([
'id' => 103,
'firstname' => 'Legacy',
'lastname' => 'Notify',
'email' => 'legacy.notify@test.com',
]);
DB::table('classSection')->insert([
[
'class_section_id' => 13,
'class_section_name' => 'Grade 9A',
'class_id' => 9,
'semester' => 'Fall',
'school_year' => '2025-2026',
],
]);
DB::table('teacher_class')->insert([
'class_section_id' => 13,
'teacher_id' => 103,
'position' => 'main',
'school_year' => '2025-2026',
'semester' => 'Fall',
]);
$response = $this->postJson('/api/v1/administrator/teacher-submissions/notify', [
'notify' => [103],
]);
$response->assertOk()
->assertJson([
'sent' => 1,
'failed' => 0,
]);
$this->assertDatabaseHas('teacher_submission_notification_history', [
'teacher_id' => 103,
'class_section_id' => 13,
'admin_id' => 903,
'notification_category' => 'teacher_submissions',
'status' => 'sent',
]);
}
private function seedAdminUser(string $email, ?int $id = null, string $firstname = 'Admin', string $lastname = 'User'): User
{
$roleId = DB::table('roles')->insertGetId([
@@ -7,6 +7,7 @@ use App\Models\Configuration;
use App\Models\SemesterScore;
use App\Models\TeacherSubmissionNotificationHistory;
use App\Models\User;
use App\Services\Administrator\AdministratorSharedService;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;
@@ -242,6 +243,53 @@ class AdministratorTeacherSubmissionReportApiTest extends TestCase
$this->assertSame(0, $row['student_count']);
}
public function test_teacher_submission_report_handles_teacher_class_without_semester_column(): void
{
$shared = \Mockery::mock($this->app->make(AdministratorSharedService::class))->makePartial();
$shared->shouldReceive('teacherClassSupportsSemester')
->once()
->andReturn(false);
$this->app->instance(AdministratorSharedService::class, $shared);
$admin = $this->seedAdminUser('admin.report.legacy@test.com', 902, 'Admin', 'Legacy');
Sanctum::actingAs($admin, [], 'api');
User::factory()->create([
'id' => 210,
'firstname' => 'Legacy',
'lastname' => 'Teacher',
'email' => 'legacy.teacher@test.com',
]);
DB::table('classSection')->insert([
[
'class_section_id' => 21,
'class_section_name' => 'Grade 8A',
'class_id' => 8,
'semester' => 'Fall',
'school_year' => '2025-2026',
],
]);
DB::table('teacher_class')->insert([
[
'class_section_id' => 21,
'teacher_id' => 210,
'position' => 'main',
'school_year' => '2025-2026',
'semester' => 'Fall',
],
]);
$response = $this->getJson('/api/v1/administrator/teacher-submissions');
$response->assertOk()
->assertJsonCount(1, 'rows');
$this->assertSame('Grade 8A', $response->json('rows.0.class_section'));
$this->assertSame('Main: Legacy Teacher', $response->json('rows.0.teachers.0.label'));
}
public function test_teacher_submission_report_limits_history_to_three_entries(): void
{
$admin = $this->seedAdminUser('admin.report.two@test.com', 901, 'Admin', 'Two');
@@ -0,0 +1,190 @@
<?php
namespace Tests\Feature\Api\V1\CompetitionWinners;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\DB;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
class CompetitionWinnersControllerTest extends TestCase
{
use RefreshDatabase;
public function test_index_returns_admin_competitions_with_ids(): void
{
$this->seedCompetitionData();
Sanctum::actingAs($this->createAdministrator());
$response = $this->getJson('/api/v1/competition-winners');
$response->assertOk();
$response->assertJson([
'ok' => true,
'competitions' => [
[
'id' => 1,
'title' => 'Competition One',
'class_section_id' => null,
'is_locked' => false,
'is_published' => false,
],
],
]);
$this->assertSame('1-A', $response->json('sectionMap.101'));
}
public function test_lock_and_unlock_toggle_competition(): void
{
$this->seedCompetitionData();
Sanctum::actingAs($this->createAdministrator());
$this->postJson('/api/v1/competition-winners/1/lock')
->assertOk()
->assertJson(['ok' => true]);
$this->assertDatabaseHas('competitions', [
'id' => 1,
'is_locked' => 1,
]);
$this->postJson('/api/v1/competition-winners/1/unlock')
->assertOk()
->assertJson(['ok' => true]);
$this->assertDatabaseHas('competitions', [
'id' => 1,
'is_locked' => 0,
]);
}
public function test_export_quiz_creates_quiz_rows(): void
{
$this->seedCompetitionData();
Sanctum::actingAs($this->createAdministrator());
$response = $this->postJson('/api/v1/competition-winners/1/export-quiz', [
'class_section_id' => 101,
]);
$response->assertOk();
$response->assertJson([
'ok' => true,
'message' => 'Exported.',
]);
$this->assertDatabaseHas('quiz', [
'student_id' => 1,
'class_section_id' => 101,
'semester' => 'Fall',
'school_year' => '2025-2026',
'score' => 50.0,
]);
}
private function seedCompetitionData(): void
{
DB::table('configuration')->insert([
['id' => 1, 'config_key' => 'school_year', 'config_value' => '2025-2026'],
['id' => 2, 'config_key' => 'semester', 'config_value' => 'Fall'],
]);
DB::table('classSection')->insert([
'id' => 1,
'class_id' => 1,
'class_section_id' => 101,
'class_section_name' => '1-A',
'semester' => 'Fall',
'school_year' => '2025-2026',
]);
DB::table('students')->insert([
'id' => 1,
'school_id' => 'S-1',
'firstname' => 'Student',
'lastname' => 'One',
'age' => 8,
'gender' => 'Male',
'photo_consent' => 1,
'parent_id' => 1,
'year_of_registration' => '2025',
'school_year' => '2025-2026',
'semester' => 'Fall',
'is_active' => 1,
]);
DB::table('student_class')->insert([
'student_id' => 1,
'class_section_id' => 101,
'semester' => 'Fall',
'school_year' => '2025-2026',
]);
DB::table('competitions')->insert([
'id' => 1,
'title' => 'Competition One',
'semester' => 'Fall',
'school_year' => '2025-2026',
'class_section_id' => null,
'is_locked' => 0,
'is_published' => 0,
]);
DB::table('competition_class_winners')->insert([
'competition_id' => 1,
'class_section_id' => 101,
'question_count' => 20,
]);
DB::table('competition_scores')->insert([
'competition_id' => 1,
'student_id' => 1,
'class_section_id' => 101,
'score' => 10,
]);
}
private function createAdministrator(): User
{
DB::table('users')->insert([
'id' => 1,
'school_id' => 777,
'firstname' => 'Admin',
'lastname' => 'User',
'cellphone' => '5555555555',
'email' => 'admin@example.com',
'address_street' => '123 Main',
'city' => 'City',
'state' => 'ST',
'zip' => '12345',
'accept_school_policy' => 1,
'is_verified' => 1,
'status' => 'Active',
'is_suspended' => 0,
'failed_attempts' => 0,
'password' => bcrypt('secret'),
'semester' => 'Fall',
'school_year' => '2025-2026',
]);
DB::table('roles')->insert([
'id' => 1,
'name' => 'administrator',
'slug' => 'administrator',
'dashboard_route' => 'administrator/administratordashboard',
'priority' => 1,
'is_active' => 1,
]);
DB::table('user_roles')->insert([
'user_id' => 1,
'role_id' => 1,
]);
return User::query()->findOrFail(1);
}
}
@@ -110,6 +110,21 @@ class StudentControllerTest extends TestCase
]);
}
public function test_index_returns_students_without_parent_filter(): void
{
$this->seedConfig();
$user = $this->seedUser();
$studentId = $this->seedStudent();
Sanctum::actingAs($user, [], 'api');
$response = $this->getJson('/api/v1/students');
$response->assertOk();
$response->assertJsonPath('ok', true);
$response->assertJsonPath('students.0.id', $studentId);
$response->assertJsonPath('current_year', '2025-2026');
}
private function seedConfig(): void
{
DB::table('configuration')->insert([
+11
View File
@@ -21,4 +21,15 @@ class UserTest extends TestCase
{
$this->assertInstanceOf(User::class, new User());
}
public function test_password_mutator_preserves_pbkdf2_hashes(): void
{
$hash = pbkdf2_hash('secret-password');
$model = new User();
$model->password = $hash;
$this->assertSame($hash, $model->getAttributes()['password']);
$this->assertTrue(verify_stored_password('secret-password', $model->getAttributes()['password']));
}
}