8661615717
API CI/CD / Validate (composer + pint) (push) Successful in 2m46s
API CI/CD / Test (PHPUnit) (push) Failing after 3m3s
API CI/CD / Build frontend assets (push) Failing after 5m22s
API CI/CD / Security audit (push) Failing after 34s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
34 lines
1.5 KiB
PHP
34 lines
1.5 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use PHPUnit\Framework\Attributes\Test;
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiImpersonationDelegationAndActingAsContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
#[Test]
|
|
public function impersonation_and_delegation_routes_are_admin_only_and_auditable(): void
|
|
{
|
|
$routes = array_slice($this->apiRoutesContainingAny(['impersonate', 'delegate', 'acting-as', 'switch-user', 'assume', 'behalf']), 0, 80);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$uri = $route->uri();
|
|
$payload = $this->payloadFor($method, $uri) + [
|
|
'user_id' => $this->admin->id,
|
|
'target_user_id' => $this->parent->id,
|
|
'reason' => 'E2E impersonation probe',
|
|
];
|
|
|
|
$adminResponse = $this->requestAs($this->admin, $method, $uri, $payload);
|
|
$parentResponse = $this->requestAs($this->parent, $method, $uri, $payload);
|
|
$teacherResponse = $this->requestAs($this->teacher, $method, $uri, $payload);
|
|
|
|
$this->assertControlled($adminResponse, $method, $uri);
|
|
$this->assertStatusIn($parentResponse, [401, 403, 404, 405, 409, 419, 422], "$method $uri should deny parent impersonation attempts.");
|
|
$this->assertStatusIn($teacherResponse, [401, 403, 404, 405, 409, 419, 422], "$method $uri should deny teacher impersonation attempts.");
|
|
}
|
|
}
|
|
}
|