apiRoutesContainingAny(['privacy', 'consent', 'erase', 'erasure', 'delete-account', 'export-data', 'data-subject', 'retention']); foreach (array_slice($routes, 0, 35) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + [ 'user_id' => $this->admin->id, 'parent_id' => $this->ids['parentId'], 'student_id' => 99999999, 'scope' => 'all_users', 'include_deleted' => true, 'include_sensitive' => true, 'reason' => 'Batch 15 privacy boundary probe', ]; $parentResponse = $this->requestAs($this->parent, $method, $uri, $payload); $this->assertControlled($parentResponse, $method, $uri); $this->assertStringNotContainsString('password', strtolower($parentResponse->getContent())); $this->assertStringNotContainsString('remember_token', strtolower($parentResponse->getContent())); } } public function test_batch15_student_actor_cannot_request_family_wide_or_school_wide_privacy_exports(): void { foreach (array_slice($this->apiRoutesContainingAny(['export', 'privacy', 'download', 'report']), 0, 30) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $response = $this->requestAs($this->studentUser, $method, $uri, $this->payloadFor($method, $uri) + [ 'scope' => 'school', 'family_id' => 1, 'student_ids' => '*', 'include_finance' => true, ]); $this->assertControlled($response, $method, $uri); $this->assertStringNotContainsString('db_password', strtolower($response->getContent())); } } }