apiRoutesContainingAny(['attendance', 'scanner', 'scan', 'kiosk', 'badge', 'dismissal', 'late']), 0, 55) as $route) { $method = $this->primaryMethod($route); $response = $this->withHeaders(['X-Device-Id' => 'trusted-front-desk-tablet', 'X-Kiosk-Mode' => 'true', 'X-Scanner-Token' => 'forged-scanner-token', 'X-Forwarded-For' => '127.0.0.1']) ->actingAs($this->actorFor($route->uri()), 'api') ->json($method, $this->materializePath($route->uri()), $this->payloadFor($method, $route->uri()) + ['badge_token' => 'forged-badge-token', 'device_id' => 'trusted-front-desk-tablet', 'scan_time' => '2099-01-01 00:00:00', 'status' => 'present', 'override' => true]); $this->assertControlled($response, $method, $route->uri()); $this->assertStringNotContainsString('sqlstate', strtolower($response->getContent())); } } public function test_student_and_parent_cannot_self_mark_attendance_through_device_payloads(): void { foreach (array_slice($this->apiRoutesContainingAny(['attendance', 'scan', 'dismissal', 'late']), 0, 30) as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } foreach ([$this->studentUser, $this->parent] as $actor) { $response = $this->requestAs($actor, $method, $route->uri(), ['student_id' => $this->ids['studentId'], 'status' => 'present', 'verified_by_device' => true, 'override_reason' => 'parent approved']); $this->assertStatusIn($response, [400, 401, 403, 404, 405, 409, 419, 422], $method.' '.$route->uri()); } } } }