999999, 'user_id' => $this->admin->id, 'role_id' => $this->ids['roleId'], 'is_admin' => true, 'is_super_admin' => true, 'email_verified_at' => now()->toISOString(), 'created_by' => $this->admin->id, 'updated_by' => $this->admin->id, 'deleted_at' => now()->toISOString(), 'balance' => -999999, 'amount_paid' => -999999, 'status' => 'approved', 'permissions' => ['*'], 'roles' => ['administrator'], ]; foreach ($this->apiRoutes() as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + $dangerousFields; $response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload); $this->assertControlled($response, $method, $uri); if ($this->isJsonString($response->getContent())) { $json = json_encode($response->json(), JSON_THROW_ON_ERROR); $this->assertStringNotContainsString('"is_super_admin":true', $json, "{$uri} accepted is_super_admin overpost."); $this->assertStringNotContainsString('"permissions":["*"]', $json, "{$uri} echoed wildcard permissions overpost."); } } } public function test_parent_and_teacher_cannot_overpost_owner_ids_to_reassign_records(): void { foreach ($this->apiRoutesContainingAny(['parents', 'profile', 'students', 'attendance', 'messages', 'emergency-contacts']) as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } $payload = $this->payloadFor($method, $route->uri()) + [ 'parent_id' => 999999, 'student_id' => 999999, 'family_id' => 999999, 'class_section_id' => 999999, 'teacher_id' => 999999, ]; $parentResponse = $this->requestAs($this->parent, $method, $route->uri(), $payload); $this->assertStatusIn($parentResponse, [200, 201, 202, 204, 400, 401, 403, 404, 409, 422], "Parent overpost {$route->uri()}"); if ($parentResponse->getStatusCode() < 300) { $body = $parentResponse->getContent(); $this->assertStringNotContainsString('999999', $body, "Parent overpost should not be reflected by {$route->uri()}."); } } } }