apiRoutesContainingAny(['students', 'class', 'attendance', 'scores', 'report-card', 'teacher']); foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + [ 'school_year' => '1900-1901', 'semester' => 'Summer-Does-Not-Exist', 'class_section_id' => 999999, 'student_id' => 999999, ]; $response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload); $this->assertNoServerError($response, "$method $uri mismatched academic context"); $this->assertStatusIn($response, [200, 201, 202, 204, 302, 400, 401, 403, 404, 409, 419, 422], "$method $uri mismatched academic context"); $this->assertStringNotContainsStringIgnoringCase('foreign key constraint', $response->getContent(), $uri . ' should validate academic context before DB failure leaks.'); } } public function test_financial_amount_rules_reject_zero_negative_and_precision_abuse_cleanly(): void { $routes = $this->apiRoutesContainingAny(['finance', 'payment', 'refund', 'invoice', 'fee', 'installment', 'charge']); $amounts = [0, -0.01, -999999, '0.0000000000001', '1000000000000000000000000.99']; foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } foreach ($amounts as $amount) { $uri = $route->uri(); $payload = $this->payloadFor($method, $uri); $payload['amount'] = $amount; $payload['total'] = $amount; $payload['balance'] = $amount; $response = $this->requestAs($this->admin, $method, $uri, $payload); $this->assertNoServerError($response, "$method $uri amount $amount"); $this->assertStringNotContainsStringIgnoringCase('decimal', $response->getContent(), $uri . ' should not leak decimal cast internals.'); $this->assertStringNotContainsStringIgnoringCase('SQLSTATE', $response->getContent(), $uri . ' should not leak SQLSTATE for financial edge cases.'); } } } public function test_attendance_status_and_time_edge_cases_are_controlled(): void { $routes = $this->apiRoutesContainingAny(['attendance', 'late', 'dismissal', 'absence']); $statuses = ['present', 'absent', 'late', 'excused', 'early_dismissal', 'not-a-real-status']; foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } foreach ($statuses as $status) { $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + [ 'status' => $status, 'arrival_time' => '25:99', 'dismissal_time' => '-01:00', ]; $response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload); $this->assertNoServerError($response, "$method $uri status $status"); $this->assertControlled($response, $method, $uri); } } } }