apiRoutesContainingAny(['calendar', 'schedule', 'event', 'school-day', 'semester']); foreach ($routes as $route) { $method = $this->primaryMethod($route); if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) { continue; } $uri = $route->uri(); $payload = $this->payloadFor($method, $uri) + [ 'title' => 'E2E Conflict Probe', 'start_date' => '2026-06-20', 'end_date' => '2025-09-01', 'start_time' => '18:00', 'end_time' => '08:00', 'school_year' => self::E2E_PREV_SCHOOL_YEAR, 'recurrence' => 'FREQ=MINUTELY;INTERVAL=0', ]; $response = $this->requestAs($this->admin, $method, $uri, $payload); $this->assertNoServerError($response, "$method $uri invalid schedule conflict"); $this->assertControlled($response, $method, $uri); } } public function test_calendar_list_routes_tolerate_window_queries_and_do_not_leak_unscoped_private_events(): void { $routes = $this->apiRoutesContainingAny(['calendar', 'schedule', 'event']); foreach ($routes as $route) { if ($this->primaryMethod($route) !== 'GET') { continue; } $uri = $route->uri(); $query = '?from=1900-01-01&to=2100-12-31&scope=all&include_private=true'; foreach (['parent' => $this->parent, 'teacher' => $this->teacher, 'student' => $this->studentUser] as $label => $actor) { $response = $this->requestAs($actor, 'GET', $uri . $query); $this->assertNoServerError($response, "$label GET $uri calendar scope"); $this->assertStatusIn($response, [200, 204, 302, 400, 401, 403, 404, 409, 419, 422], "$label GET $uri calendar scope"); $this->assertStringNotContainsStringIgnoringCase('private_note', $response->getContent(), "$uri should not expose private event notes to $label."); } } } }