apiRoutesContainingAny(['staff', 'employee', 'payroll', 'salary', 'hr', 'reimbursement', 'expense']); foreach ($routes as $route) { $method = $this->primaryMethod($route); $response = $this->requestAs($this->admin, $method, $route->uri(), $this->payloadFor($method, $route->uri())); $this->assertControlled($response, $method, $route->uri()); $body = strtolower($response->getContent()); $this->assertStringNotContainsString('ssn', $body); $this->assertStringNotContainsString('social_security', $body); $this->assertStringNotContainsString('bank_account', $body); $this->assertStringNotContainsString('routing_number', $body); } } public function test_low_privilege_users_cannot_mutate_staff_or_payroll_routes(): void { $routes = $this->apiRoutesContainingAny(['staff', 'employee', 'payroll', 'salary', 'hr']); foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) { continue; } $payload = $this->payloadFor($method, $route->uri()) + [ 'salary' => 999999, 'hourly_rate' => 999, 'role' => 'administrator', ]; foreach ([$this->teacher, $this->parent, $this->studentUser] as $actor) { $response = $this->requestAs($actor, $method, $route->uri(), $payload); $this->assertControlled($response, $method, $route->uri()); $this->assertNotContains($response->getStatusCode(), [200, 201]); } } } }