apiRoutesContainingAny(['password', 'reset', 'forgot', 'verify', 'verification', 'credential', 'profile']); foreach ($routes as $route) { $method = $this->primaryMethod($route); $payload = $this->payloadFor($method, $route->uri()) + [ 'email' => 'does-not-exist-batch13@example.test', 'token' => str_repeat('x', 2048), 'password' => 'short', 'password_confirmation' => 'different', 'current_password' => 'wrong-password', ]; $response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri(), $payload); $this->assertControlled($response, $method, $route->uri()); $body = strtolower($response->getContent()); $this->assertStringNotContainsString('password_resets', $body); $this->assertStringNotContainsString('remember_token', $body); $this->assertStringNotContainsString('reset_token', $body); } } public function test_low_privilege_users_cannot_change_other_users_credentials(): void { $routes = $this->apiRoutesContainingAny(['users', 'profile', 'password', 'credential']); foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } $response = $this->requestAs($this->parent, $method, $route->uri(), [ 'user_id' => $this->admin->id, 'email' => $this->admin->email, 'password' => 'NewPassword123!', 'password_confirmation' => 'NewPassword123!', 'role' => 'administrator', ]); $this->assertControlled($response, $method, $route->uri()); $this->assertNotContains($response->getStatusCode(), [200, 201]); } } }