Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiImpersonationDelegationAndActingAsContractTest.php
root 8661615717
API CI/CD / Validate (composer + pint) (push) Successful in 2m46s
API CI/CD / Test (PHPUnit) (push) Failing after 3m3s
API CI/CD / Build frontend assets (push) Failing after 5m22s
API CI/CD / Security audit (push) Failing after 34s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
Update PHPUnit test metadata attributes
2026-06-25 20:04:18 -04:00

34 lines
1.5 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use PHPUnit\Framework\Attributes\Test;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiImpersonationDelegationAndActingAsContractTest extends FullSurfaceE2EContractCase
{
#[Test]
public function impersonation_and_delegation_routes_are_admin_only_and_auditable(): void
{
$routes = array_slice($this->apiRoutesContainingAny(['impersonate', 'delegate', 'acting-as', 'switch-user', 'assume', 'behalf']), 0, 80);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
$payload = $this->payloadFor($method, $uri) + [
'user_id' => $this->admin->id,
'target_user_id' => $this->parent->id,
'reason' => 'E2E impersonation probe',
];
$adminResponse = $this->requestAs($this->admin, $method, $uri, $payload);
$parentResponse = $this->requestAs($this->parent, $method, $uri, $payload);
$teacherResponse = $this->requestAs($this->teacher, $method, $uri, $payload);
$this->assertControlled($adminResponse, $method, $uri);
$this->assertStatusIn($parentResponse, [401, 403, 404, 405, 409, 419, 422], "$method $uri should deny parent impersonation attempts.");
$this->assertStatusIn($teacherResponse, [401, 403, 404, 405, 409, 419, 422], "$method $uri should deny teacher impersonation attempts.");
}
}
}