apiRoutesContainingAny(['students', 'parents', 'family', 'guardian', 'reports', 'dashboard', 'invoices', 'attendance', 'classes']); $payload = [ 'include' => 'user.roles.permissions,password,remember_token,api_token,medical_notes,custody_order,diagnosis,payments.refunds.provider_payload', 'expand' => 'student.parent.user.roles.permissions,guardian.users,payments.transactions.raw_payload', 'fields' => 'id,email,phone,password,remember_token,api_token,medical_notes,custody_order,raw_provider_response', ]; foreach (array_slice($routes, 0, 110) as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $actor = $this->actorFor($uri); if (str_contains($uri, 'admin') || str_contains($uri, 'roles') || str_contains($uri, 'permissions') || str_contains($uri, 'backup') || str_contains($uri, 'restore')) { $actor = $this->studentUser; } $response = $this->requestAs($actor, $method, $uri, $this->payloadFor($method, $uri) + $payload); $this->assertControlled($response, $method, $uri); $this->assertNotEquals(500, $response->getStatusCode(), $method.' '.$uri.' crashed during Batch 19 nested relationship redaction probe.'); $body = strtolower($response->getContent()); foreach (['sqlstate', 'stack trace', 'app_key', 'remember_token', 'api_token', 'massassignmentexception', 'foreign key constraint', 'database.sqlite'] as $leak) { $this->assertStringNotContainsString($leak, $body, $method.' '.$uri.' leaked '.$leak.' during Batch 19 nested relationship redaction probe.'); } } } }