apiRoutesContainingAny(['enroll', 'withdraw', 'registration', 'student', 'class-section', 'assignment']); foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } $payload = $this->payloadFor($method, $route->uri()) + [ 'student_id' => $this->ids['studentId'], 'students' => [$this->ids['studentId'], 99999999], 'parent_id' => 99999999, 'family_id' => 99999999, 'class_section_id' => 99999999, 'previous_class_section_id' => $this->ids['classSectionId'], 'effective_date' => '1900-01-01', 'reason' => 'Batch 13 enrollment integrity probe', ]; $response = $this->requestAs($this->admin, $method, $route->uri(), $payload); $this->assertControlled($response, $method, $route->uri()); $this->assertStringNotContainsString('Integrity constraint violation', $response->getContent()); } } public function test_parent_cannot_self_enroll_or_move_student_into_arbitrary_class(): void { $routes = $this->apiRoutesContainingAny(['enroll', 'withdraw', 'class-section', 'student']); foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) { continue; } $payload = $this->payloadFor($method, $route->uri()) + [ 'student_id' => $this->ids['studentId'], 'class_section_id' => 99999999, 'force' => true, 'approved_by' => $this->admin->id, ]; $response = $this->requestAs($this->parent, $method, $route->uri(), $payload); $this->assertControlled($response, $method, $route->uri()); $this->assertNotContains($response->getStatusCode(), [200, 201], 'Parent should not self-enroll or arbitrarily move students through '.$route->uri()); } } }