get('/test-perm', fn () => 'ok'); $user = User::query()->create([ 'firstname' => 'No', 'lastname' => 'Perm', 'email' => 'noperm@example.com', 'cellphone' => '5555555555', 'address_street' => '123 Main', 'city' => 'City', 'state' => 'CT', 'zip' => '12345', 'accept_school_policy' => 1, 'status' => 'Active', 'is_verified' => 1, 'is_suspended' => 0, 'password' => 'hashed', 'semester' => 'Fall', ]); $response = $this->actingAs($user)->get('/test-perm', ['Accept' => 'application/json']); $response->assertStatus(403); } public function test_allows_when_permission_assigned(): void { $permissionId = DB::table('permissions')->insertGetId([ 'name' => 'edit_students', 'description' => 'Edit students', ]); $roleId = DB::table('roles')->insertGetId([ 'name' => 'admin', 'priority' => 1, ]); $user = User::query()->create([ 'firstname' => 'Has', 'lastname' => 'Perm', 'email' => 'hasperm@example.com', 'cellphone' => '5555555555', 'address_street' => '123 Main', 'city' => 'City', 'state' => 'CT', 'zip' => '12345', 'accept_school_policy' => 1, 'status' => 'Active', 'is_verified' => 1, 'is_suspended' => 0, 'password' => 'hashed', 'semester' => 'Fall', ]); DB::table('user_roles')->insert([ 'user_id' => $user->id, 'role_id' => $roleId, ]); DB::table('role_permissions')->insert([ 'role_id' => $roleId, 'permission_id' => $permissionId, 'can_read' => 1, ]); Route::middleware('perm:edit_students')->get('/test-perm-ok', fn () => 'ok'); $response = $this->actingAs($user)->get('/test-perm-ok'); $response->assertOk(); $response->assertSee('ok'); } public function test_multi_auth_blocks_suspended_sanctum_user(): void { Route::middleware('multi.auth')->get('/test-active-account', fn () => 'ok'); $user = $this->createUser([ 'email' => 'suspended@example.com', 'is_verified' => 1, 'is_suspended' => 1, ]); Sanctum::actingAs($user); $this->get('/test-active-account', ['Accept' => 'application/json']) ->assertStatus(403) ->assertJsonPath('message', 'Account unavailable.'); } public function test_permission_middleware_blocks_unverified_user_even_with_permission(): void { $permissionId = DB::table('permissions')->insertGetId([ 'name' => 'edit_students', 'description' => 'Edit students', ]); $roleId = DB::table('roles')->insertGetId([ 'name' => 'admin', 'priority' => 1, ]); $user = $this->createUser([ 'email' => 'unverified-perm@example.com', 'is_verified' => 0, 'is_suspended' => 0, ]); DB::table('user_roles')->insert([ 'user_id' => $user->id, 'role_id' => $roleId, ]); DB::table('role_permissions')->insert([ 'role_id' => $roleId, 'permission_id' => $permissionId, 'can_read' => 1, ]); Route::middleware('perm:edit_students')->get('/test-perm-unverified', fn () => 'ok'); $this->actingAs($user)->get('/test-perm-unverified', ['Accept' => 'application/json']) ->assertStatus(403) ->assertJsonPath('message', 'Account unavailable.'); } private function createUser(array $overrides = []): User { return User::query()->create(array_merge([ 'firstname' => 'Test', 'lastname' => 'User', 'email' => 'test-user@example.com', 'cellphone' => '5555555555', 'address_street' => '123 Main', 'city' => 'City', 'state' => 'CT', 'zip' => '12345', 'accept_school_policy' => 1, 'status' => 'Active', 'is_verified' => 1, 'is_suspended' => 0, 'password' => 'hashed', 'semester' => 'Fall', ], $overrides)); } }