90f9857b06
API CI/CD / Validate (composer + pint) (push) Successful in 3m7s
API CI/CD / Test (PHPUnit) (push) Failing after 5m46s
API CI/CD / Build frontend assets (push) Successful in 1m2s
API CI/CD / Security audit (push) Failing after 49s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped
163 lines
4.8 KiB
PHP
163 lines
4.8 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Middleware;
|
|
|
|
use App\Models\User;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Illuminate\Support\Facades\DB;
|
|
use Illuminate\Support\Facades\Route;
|
|
use Laravel\Sanctum\Sanctum;
|
|
use Tests\TestCase;
|
|
|
|
class RequirePermissionMiddlewareTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
public function test_denies_when_missing_permission(): void
|
|
{
|
|
Route::middleware('perm:edit_students')->get('/test-perm', fn () => 'ok');
|
|
|
|
$user = User::query()->create([
|
|
'firstname' => 'No',
|
|
'lastname' => 'Perm',
|
|
'email' => 'noperm@example.com',
|
|
'cellphone' => '5555555555',
|
|
'address_street' => '123 Main',
|
|
'city' => 'City',
|
|
'state' => 'CT',
|
|
'zip' => '12345',
|
|
'accept_school_policy' => 1,
|
|
'status' => 'Active',
|
|
'is_verified' => 1,
|
|
'is_suspended' => 0,
|
|
'password' => 'hashed',
|
|
'semester' => 'Fall',
|
|
]);
|
|
|
|
$response = $this->actingAs($user)->get('/test-perm', ['Accept' => 'application/json']);
|
|
|
|
$response->assertStatus(403);
|
|
}
|
|
|
|
public function test_allows_when_permission_assigned(): void
|
|
{
|
|
$permissionId = DB::table('permissions')->insertGetId([
|
|
'name' => 'edit_students',
|
|
'description' => 'Edit students',
|
|
]);
|
|
|
|
$roleId = DB::table('roles')->insertGetId([
|
|
'name' => 'admin',
|
|
'priority' => 1,
|
|
]);
|
|
|
|
$user = User::query()->create([
|
|
'firstname' => 'Has',
|
|
'lastname' => 'Perm',
|
|
'email' => 'hasperm@example.com',
|
|
'cellphone' => '5555555555',
|
|
'address_street' => '123 Main',
|
|
'city' => 'City',
|
|
'state' => 'CT',
|
|
'zip' => '12345',
|
|
'accept_school_policy' => 1,
|
|
'status' => 'Active',
|
|
'is_verified' => 1,
|
|
'is_suspended' => 0,
|
|
'password' => 'hashed',
|
|
'semester' => 'Fall',
|
|
]);
|
|
|
|
DB::table('user_roles')->insert([
|
|
'user_id' => $user->id,
|
|
'role_id' => $roleId,
|
|
]);
|
|
|
|
DB::table('role_permissions')->insert([
|
|
'role_id' => $roleId,
|
|
'permission_id' => $permissionId,
|
|
'can_read' => 1,
|
|
]);
|
|
|
|
Route::middleware('perm:edit_students')->get('/test-perm-ok', fn () => 'ok');
|
|
|
|
$response = $this->actingAs($user)->get('/test-perm-ok');
|
|
|
|
$response->assertOk();
|
|
$response->assertSee('ok');
|
|
}
|
|
|
|
public function test_multi_auth_blocks_suspended_sanctum_user(): void
|
|
{
|
|
Route::middleware('multi.auth')->get('/test-active-account', fn () => 'ok');
|
|
|
|
$user = $this->createUser([
|
|
'email' => 'suspended@example.com',
|
|
'is_verified' => 1,
|
|
'is_suspended' => 1,
|
|
]);
|
|
|
|
Sanctum::actingAs($user);
|
|
|
|
$this->get('/test-active-account', ['Accept' => 'application/json'])
|
|
->assertStatus(403)
|
|
->assertJsonPath('message', 'Account unavailable.');
|
|
}
|
|
|
|
public function test_permission_middleware_blocks_unverified_user_even_with_permission(): void
|
|
{
|
|
$permissionId = DB::table('permissions')->insertGetId([
|
|
'name' => 'edit_students',
|
|
'description' => 'Edit students',
|
|
]);
|
|
|
|
$roleId = DB::table('roles')->insertGetId([
|
|
'name' => 'admin',
|
|
'priority' => 1,
|
|
]);
|
|
|
|
$user = $this->createUser([
|
|
'email' => 'unverified-perm@example.com',
|
|
'is_verified' => 0,
|
|
'is_suspended' => 0,
|
|
]);
|
|
|
|
DB::table('user_roles')->insert([
|
|
'user_id' => $user->id,
|
|
'role_id' => $roleId,
|
|
]);
|
|
|
|
DB::table('role_permissions')->insert([
|
|
'role_id' => $roleId,
|
|
'permission_id' => $permissionId,
|
|
'can_read' => 1,
|
|
]);
|
|
|
|
Route::middleware('perm:edit_students')->get('/test-perm-unverified', fn () => 'ok');
|
|
|
|
$this->actingAs($user)->get('/test-perm-unverified', ['Accept' => 'application/json'])
|
|
->assertStatus(403)
|
|
->assertJsonPath('message', 'Account unavailable.');
|
|
}
|
|
|
|
private function createUser(array $overrides = []): User
|
|
{
|
|
return User::query()->create(array_merge([
|
|
'firstname' => 'Test',
|
|
'lastname' => 'User',
|
|
'email' => 'test-user@example.com',
|
|
'cellphone' => '5555555555',
|
|
'address_street' => '123 Main',
|
|
'city' => 'City',
|
|
'state' => 'CT',
|
|
'zip' => '12345',
|
|
'accept_school_policy' => 1,
|
|
'status' => 'Active',
|
|
'is_verified' => 1,
|
|
'is_suspended' => 0,
|
|
'password' => 'hashed',
|
|
'semester' => 'Fall',
|
|
], $overrides));
|
|
}
|
|
}
|