apiRoutesContainingAny(['parent', 'parents', 'student', 'students', 'dashboard', 'profile', 'invoices']), 0, 120); $forbidden = ['cost_basis', 'internal_notes', 'admin_notes', 'deleted_at', 'password', 'remember_token', 'permissions', 'roles_raw', 'salary', 'ssn']; foreach ($routes as $route) { if ($this->primaryMethod($route) !== 'GET') { continue; } $uri = $route->uri(); foreach ([$this->parent, $this->studentUser] as $actor) { $response = $this->requestAs($actor, 'GET', $uri); $this->assertControlled($response, 'GET', $uri); $this->assertNoServerError($response, 'data minimization at GET '.$uri); if ($response->getStatusCode() >= 200 && $response->getStatusCode() < 300) { foreach ($forbidden as $field) { $this->assertStringNotContainsString('"'.$field.'"', $response->getContent(), 'Low-privilege response leaked '.$field.' at GET '.$uri); } } } } } }