apiRoutesContainingAny(['impersonate', 'delegate', 'acting-as', 'switch-user', 'assume', 'behalf']), 0, 80); foreach ($routes as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + [ 'user_id' => $this->admin->id, 'target_user_id' => $this->parent->id, 'reason' => 'E2E impersonation probe', ]; $adminResponse = $this->requestAs($this->admin, $method, $uri, $payload); $parentResponse = $this->requestAs($this->parent, $method, $uri, $payload); $teacherResponse = $this->requestAs($this->teacher, $method, $uri, $payload); $this->assertControlled($adminResponse, $method, $uri); $this->assertStatusIn($parentResponse, [401, 403, 404, 405, 409, 419, 422], "$method $uri should deny parent impersonation attempts."); $this->assertStatusIn($teacherResponse, [401, 403, 404, 405, 409, 419, 422], "$method $uri should deny teacher impersonation attempts."); } } }