42 lines
2.0 KiB
PHP
42 lines
2.0 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch19AttributeBasedAccessConditionContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_batch19_attribute_based_access_condition_stays_controlled(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['admin', 'users', 'roles', 'permissions', 'students', 'parents', 'family', 'finance', 'reports', 'attendance']);
|
|
$payload = [
|
|
'context_role' => 'administrator',
|
|
'acting_school_year_id' => 999999,
|
|
'acting_class_section_id' => 999999,
|
|
'acting_family_id' => 999999,
|
|
'scope' => 'all',
|
|
'condition' => '1=1',
|
|
'policy_context' => ['is_admin' => true, 'all_school' => true],
|
|
];
|
|
|
|
foreach (array_slice($routes, 0, 110) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$uri = $route->uri();
|
|
$actor = $this->actorFor($uri);
|
|
|
|
if (str_contains($uri, 'admin') || str_contains($uri, 'roles') || str_contains($uri, 'permissions') || str_contains($uri, 'backup') || str_contains($uri, 'restore')) {
|
|
$actor = $this->studentUser;
|
|
}
|
|
|
|
$response = $this->requestAs($actor, $method, $uri, $this->payloadFor($method, $uri) + $payload);
|
|
$this->assertControlled($response, $method, $uri);
|
|
$this->assertNotEquals(500, $response->getStatusCode(), $method.' '.$uri.' crashed during Batch 19 attribute-based access condition boundaries probe.');
|
|
|
|
$body = strtolower($response->getContent());
|
|
foreach (['sqlstate', 'stack trace', 'app_key', 'remember_token', 'api_token', 'massassignmentexception', 'foreign key constraint', 'database.sqlite'] as $leak) {
|
|
$this->assertStringNotContainsString($leak, $body, $method.' '.$uri.' leaked '.$leak.' during Batch 19 attribute-based access condition boundaries probe.');
|
|
}
|
|
}
|
|
}
|
|
}
|