Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch13DiscountVoucherScholarshipAbuseContractTest.php
T
2026-06-08 23:45:55 -04:00

59 lines
2.2 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch13DiscountVoucherScholarshipAbuseContractTest extends FullSurfaceE2EContractCase
{
public function test_discount_and_voucher_routes_reject_abusive_amounts_and_scope_overrides(): void
{
$routes = $this->apiRoutesContainingAny(['discount', 'voucher', 'scholarship', 'fee', 'tuition', 'waiver']);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
$payload = $this->payloadFor($method, $route->uri()) + [
'voucher_id' => $this->ids['voucherId'],
'discount_type' => 'percent',
'percentage' => 1000,
'amount' => -9999.99,
'applies_to_all' => true,
'family_id' => 99999999,
'student_id' => 99999999,
'approved_by' => $this->parent->id,
];
$response = $this->requestAs($this->admin, $method, $route->uri(), $payload);
$this->assertControlled($response, $method, $route->uri());
$this->assertStringNotContainsString('SQLSTATE', $response->getContent());
}
}
public function test_parent_cannot_self_grant_discounts_or_scholarships(): void
{
$routes = $this->apiRoutesContainingAny(['discount', 'voucher', 'scholarship', 'waiver']);
foreach ($routes as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
continue;
}
$response = $this->requestAs($this->parent, $method, $route->uri(), [
'student_id' => $this->ids['studentId'],
'amount' => 9999,
'percentage' => 100,
'approved' => true,
'reason' => 'self-granted',
]);
$this->assertControlled($response, $method, $route->uri());
$this->assertNotContains($response->getStatusCode(), [200, 201]);
}
}
}