archetecture security fix
This commit is contained in:
@@ -5,6 +5,7 @@ namespace Tests\Feature\Api\Administrator;
|
||||
use App\Models\Configuration;
|
||||
use App\Models\TeacherSubmissionNotificationHistory;
|
||||
use App\Models\User;
|
||||
use App\Services\Administrator\AdministratorSharedService;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\DB;
|
||||
use Illuminate\Support\Facades\Mail;
|
||||
@@ -217,6 +218,62 @@ class AdministratorTeacherSubmissionNotifyApiTest extends TestCase
|
||||
]);
|
||||
}
|
||||
|
||||
public function test_notify_endpoint_accepts_flat_teacher_ids_when_teacher_class_has_no_semester_column(): void
|
||||
{
|
||||
Mail::fake();
|
||||
$shared = \Mockery::mock($this->app->make(AdministratorSharedService::class))->makePartial();
|
||||
$shared->shouldReceive('teacherClassSupportsSemester')
|
||||
->once()
|
||||
->andReturn(false);
|
||||
$this->app->instance(AdministratorSharedService::class, $shared);
|
||||
|
||||
$admin = $this->seedAdminUser('admin4@test.com', 903, 'Admin', 'Four');
|
||||
Sanctum::actingAs($admin, [], 'api');
|
||||
|
||||
User::factory()->create([
|
||||
'id' => 103,
|
||||
'firstname' => 'Legacy',
|
||||
'lastname' => 'Notify',
|
||||
'email' => 'legacy.notify@test.com',
|
||||
]);
|
||||
|
||||
DB::table('classSection')->insert([
|
||||
[
|
||||
'class_section_id' => 13,
|
||||
'class_section_name' => 'Grade 9A',
|
||||
'class_id' => 9,
|
||||
'semester' => 'Fall',
|
||||
'school_year' => '2025-2026',
|
||||
],
|
||||
]);
|
||||
|
||||
DB::table('teacher_class')->insert([
|
||||
'class_section_id' => 13,
|
||||
'teacher_id' => 103,
|
||||
'position' => 'main',
|
||||
'school_year' => '2025-2026',
|
||||
'semester' => 'Fall',
|
||||
]);
|
||||
|
||||
$response = $this->postJson('/api/v1/administrator/teacher-submissions/notify', [
|
||||
'notify' => [103],
|
||||
]);
|
||||
|
||||
$response->assertOk()
|
||||
->assertJson([
|
||||
'sent' => 1,
|
||||
'failed' => 0,
|
||||
]);
|
||||
|
||||
$this->assertDatabaseHas('teacher_submission_notification_history', [
|
||||
'teacher_id' => 103,
|
||||
'class_section_id' => 13,
|
||||
'admin_id' => 903,
|
||||
'notification_category' => 'teacher_submissions',
|
||||
'status' => 'sent',
|
||||
]);
|
||||
}
|
||||
|
||||
private function seedAdminUser(string $email, ?int $id = null, string $firstname = 'Admin', string $lastname = 'User'): User
|
||||
{
|
||||
$roleId = DB::table('roles')->insertGetId([
|
||||
|
||||
@@ -7,6 +7,7 @@ use App\Models\Configuration;
|
||||
use App\Models\SemesterScore;
|
||||
use App\Models\TeacherSubmissionNotificationHistory;
|
||||
use App\Models\User;
|
||||
use App\Services\Administrator\AdministratorSharedService;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\DB;
|
||||
use Illuminate\Support\Str;
|
||||
@@ -242,6 +243,53 @@ class AdministratorTeacherSubmissionReportApiTest extends TestCase
|
||||
$this->assertSame(0, $row['student_count']);
|
||||
}
|
||||
|
||||
public function test_teacher_submission_report_handles_teacher_class_without_semester_column(): void
|
||||
{
|
||||
$shared = \Mockery::mock($this->app->make(AdministratorSharedService::class))->makePartial();
|
||||
$shared->shouldReceive('teacherClassSupportsSemester')
|
||||
->once()
|
||||
->andReturn(false);
|
||||
$this->app->instance(AdministratorSharedService::class, $shared);
|
||||
|
||||
$admin = $this->seedAdminUser('admin.report.legacy@test.com', 902, 'Admin', 'Legacy');
|
||||
Sanctum::actingAs($admin, [], 'api');
|
||||
|
||||
User::factory()->create([
|
||||
'id' => 210,
|
||||
'firstname' => 'Legacy',
|
||||
'lastname' => 'Teacher',
|
||||
'email' => 'legacy.teacher@test.com',
|
||||
]);
|
||||
|
||||
DB::table('classSection')->insert([
|
||||
[
|
||||
'class_section_id' => 21,
|
||||
'class_section_name' => 'Grade 8A',
|
||||
'class_id' => 8,
|
||||
'semester' => 'Fall',
|
||||
'school_year' => '2025-2026',
|
||||
],
|
||||
]);
|
||||
|
||||
DB::table('teacher_class')->insert([
|
||||
[
|
||||
'class_section_id' => 21,
|
||||
'teacher_id' => 210,
|
||||
'position' => 'main',
|
||||
'school_year' => '2025-2026',
|
||||
'semester' => 'Fall',
|
||||
],
|
||||
]);
|
||||
|
||||
$response = $this->getJson('/api/v1/administrator/teacher-submissions');
|
||||
|
||||
$response->assertOk()
|
||||
->assertJsonCount(1, 'rows');
|
||||
|
||||
$this->assertSame('Grade 8A', $response->json('rows.0.class_section'));
|
||||
$this->assertSame('Main: Legacy Teacher', $response->json('rows.0.teachers.0.label'));
|
||||
}
|
||||
|
||||
public function test_teacher_submission_report_limits_history_to_three_entries(): void
|
||||
{
|
||||
$admin = $this->seedAdminUser('admin.report.two@test.com', 901, 'Admin', 'Two');
|
||||
|
||||
@@ -0,0 +1,190 @@
|
||||
<?php
|
||||
|
||||
namespace Tests\Feature\Api\V1\CompetitionWinners;
|
||||
|
||||
use App\Models\User;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\DB;
|
||||
use Laravel\Sanctum\Sanctum;
|
||||
use Tests\TestCase;
|
||||
|
||||
class CompetitionWinnersControllerTest extends TestCase
|
||||
{
|
||||
use RefreshDatabase;
|
||||
|
||||
public function test_index_returns_admin_competitions_with_ids(): void
|
||||
{
|
||||
$this->seedCompetitionData();
|
||||
|
||||
Sanctum::actingAs($this->createAdministrator());
|
||||
|
||||
$response = $this->getJson('/api/v1/competition-winners');
|
||||
|
||||
$response->assertOk();
|
||||
$response->assertJson([
|
||||
'ok' => true,
|
||||
'competitions' => [
|
||||
[
|
||||
'id' => 1,
|
||||
'title' => 'Competition One',
|
||||
'class_section_id' => null,
|
||||
'is_locked' => false,
|
||||
'is_published' => false,
|
||||
],
|
||||
],
|
||||
]);
|
||||
$this->assertSame('1-A', $response->json('sectionMap.101'));
|
||||
}
|
||||
|
||||
public function test_lock_and_unlock_toggle_competition(): void
|
||||
{
|
||||
$this->seedCompetitionData();
|
||||
|
||||
Sanctum::actingAs($this->createAdministrator());
|
||||
|
||||
$this->postJson('/api/v1/competition-winners/1/lock')
|
||||
->assertOk()
|
||||
->assertJson(['ok' => true]);
|
||||
|
||||
$this->assertDatabaseHas('competitions', [
|
||||
'id' => 1,
|
||||
'is_locked' => 1,
|
||||
]);
|
||||
|
||||
$this->postJson('/api/v1/competition-winners/1/unlock')
|
||||
->assertOk()
|
||||
->assertJson(['ok' => true]);
|
||||
|
||||
$this->assertDatabaseHas('competitions', [
|
||||
'id' => 1,
|
||||
'is_locked' => 0,
|
||||
]);
|
||||
}
|
||||
|
||||
public function test_export_quiz_creates_quiz_rows(): void
|
||||
{
|
||||
$this->seedCompetitionData();
|
||||
|
||||
Sanctum::actingAs($this->createAdministrator());
|
||||
|
||||
$response = $this->postJson('/api/v1/competition-winners/1/export-quiz', [
|
||||
'class_section_id' => 101,
|
||||
]);
|
||||
|
||||
$response->assertOk();
|
||||
$response->assertJson([
|
||||
'ok' => true,
|
||||
'message' => 'Exported.',
|
||||
]);
|
||||
|
||||
$this->assertDatabaseHas('quiz', [
|
||||
'student_id' => 1,
|
||||
'class_section_id' => 101,
|
||||
'semester' => 'Fall',
|
||||
'school_year' => '2025-2026',
|
||||
'score' => 50.0,
|
||||
]);
|
||||
}
|
||||
|
||||
private function seedCompetitionData(): void
|
||||
{
|
||||
DB::table('configuration')->insert([
|
||||
['id' => 1, 'config_key' => 'school_year', 'config_value' => '2025-2026'],
|
||||
['id' => 2, 'config_key' => 'semester', 'config_value' => 'Fall'],
|
||||
]);
|
||||
|
||||
DB::table('classSection')->insert([
|
||||
'id' => 1,
|
||||
'class_id' => 1,
|
||||
'class_section_id' => 101,
|
||||
'class_section_name' => '1-A',
|
||||
'semester' => 'Fall',
|
||||
'school_year' => '2025-2026',
|
||||
]);
|
||||
|
||||
DB::table('students')->insert([
|
||||
'id' => 1,
|
||||
'school_id' => 'S-1',
|
||||
'firstname' => 'Student',
|
||||
'lastname' => 'One',
|
||||
'age' => 8,
|
||||
'gender' => 'Male',
|
||||
'photo_consent' => 1,
|
||||
'parent_id' => 1,
|
||||
'year_of_registration' => '2025',
|
||||
'school_year' => '2025-2026',
|
||||
'semester' => 'Fall',
|
||||
'is_active' => 1,
|
||||
]);
|
||||
|
||||
DB::table('student_class')->insert([
|
||||
'student_id' => 1,
|
||||
'class_section_id' => 101,
|
||||
'semester' => 'Fall',
|
||||
'school_year' => '2025-2026',
|
||||
]);
|
||||
|
||||
DB::table('competitions')->insert([
|
||||
'id' => 1,
|
||||
'title' => 'Competition One',
|
||||
'semester' => 'Fall',
|
||||
'school_year' => '2025-2026',
|
||||
'class_section_id' => null,
|
||||
'is_locked' => 0,
|
||||
'is_published' => 0,
|
||||
]);
|
||||
|
||||
DB::table('competition_class_winners')->insert([
|
||||
'competition_id' => 1,
|
||||
'class_section_id' => 101,
|
||||
'question_count' => 20,
|
||||
]);
|
||||
|
||||
DB::table('competition_scores')->insert([
|
||||
'competition_id' => 1,
|
||||
'student_id' => 1,
|
||||
'class_section_id' => 101,
|
||||
'score' => 10,
|
||||
]);
|
||||
}
|
||||
|
||||
private function createAdministrator(): User
|
||||
{
|
||||
DB::table('users')->insert([
|
||||
'id' => 1,
|
||||
'school_id' => 777,
|
||||
'firstname' => 'Admin',
|
||||
'lastname' => 'User',
|
||||
'cellphone' => '5555555555',
|
||||
'email' => 'admin@example.com',
|
||||
'address_street' => '123 Main',
|
||||
'city' => 'City',
|
||||
'state' => 'ST',
|
||||
'zip' => '12345',
|
||||
'accept_school_policy' => 1,
|
||||
'is_verified' => 1,
|
||||
'status' => 'Active',
|
||||
'is_suspended' => 0,
|
||||
'failed_attempts' => 0,
|
||||
'password' => bcrypt('secret'),
|
||||
'semester' => 'Fall',
|
||||
'school_year' => '2025-2026',
|
||||
]);
|
||||
|
||||
DB::table('roles')->insert([
|
||||
'id' => 1,
|
||||
'name' => 'administrator',
|
||||
'slug' => 'administrator',
|
||||
'dashboard_route' => 'administrator/administratordashboard',
|
||||
'priority' => 1,
|
||||
'is_active' => 1,
|
||||
]);
|
||||
|
||||
DB::table('user_roles')->insert([
|
||||
'user_id' => 1,
|
||||
'role_id' => 1,
|
||||
]);
|
||||
|
||||
return User::query()->findOrFail(1);
|
||||
}
|
||||
}
|
||||
@@ -110,6 +110,21 @@ class StudentControllerTest extends TestCase
|
||||
]);
|
||||
}
|
||||
|
||||
public function test_index_returns_students_without_parent_filter(): void
|
||||
{
|
||||
$this->seedConfig();
|
||||
$user = $this->seedUser();
|
||||
$studentId = $this->seedStudent();
|
||||
|
||||
Sanctum::actingAs($user, [], 'api');
|
||||
$response = $this->getJson('/api/v1/students');
|
||||
|
||||
$response->assertOk();
|
||||
$response->assertJsonPath('ok', true);
|
||||
$response->assertJsonPath('students.0.id', $studentId);
|
||||
$response->assertJsonPath('current_year', '2025-2026');
|
||||
}
|
||||
|
||||
private function seedConfig(): void
|
||||
{
|
||||
DB::table('configuration')->insert([
|
||||
|
||||
@@ -21,4 +21,15 @@ class UserTest extends TestCase
|
||||
{
|
||||
$this->assertInstanceOf(User::class, new User());
|
||||
}
|
||||
|
||||
public function test_password_mutator_preserves_pbkdf2_hashes(): void
|
||||
{
|
||||
$hash = pbkdf2_hash('secret-password');
|
||||
|
||||
$model = new User();
|
||||
$model->password = $hash;
|
||||
|
||||
$this->assertSame($hash, $model->getAttributes()['password']);
|
||||
$this->assertTrue(verify_stored_password('secret-password', $model->getAttributes()['password']));
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user