insertGetId([ 'name' => 'E2E Foreign Year', 'start_date' => '2020-09-01', 'end_date' => '2021-06-30', 'status' => 'closed', 'created_at' => now(), 'updated_at' => now(), ]); $routes = array_slice($this->apiRoutesContainingAny(['school-year', 'school_year', 'attendance', 'scores', 'grading', 'invoice', 'payment', 'report-card']), 0, 120); foreach ($routes as $route) { $method = $this->primaryMethod($route); $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + [ 'school_year_id' => $foreignYearId, 'school_year' => 'E2E Foreign Year', 'semester' => 'Archived Semester', ]; $response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload); $this->assertControlled($response, $method, $uri); $this->assertNoServerError($response, 'foreign school year scope at '.$method.' '.$uri); } } public function test_cross_school_year_filters_do_not_return_unscoped_private_data(): void { $routes = array_slice($this->apiRoutesContainingAny(['students', 'attendance', 'invoices', 'payments', 'reports', 'classes']), 0, 90); foreach ($routes as $route) { if ($this->primaryMethod($route) !== 'GET') { continue; } $uri = $route->uri(); $response = $this->requestAs($this->actorFor($uri), 'GET', $uri, [ 'school_year' => '1900-1901', 'semester' => 'Nonexistent', ]); $this->assertControlled($response, 'GET', $uri); $this->assertNoServerError($response, 'cross-year read filter at GET '.$uri); } } }