Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiMassAssignmentAndOverpostingContractTest.php
T
2026-06-08 23:45:55 -04:00

76 lines
3.0 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiMassAssignmentAndOverpostingContractTest extends FullSurfaceE2EContractCase
{
public function test_write_endpoints_ignore_or_reject_privilege_escalation_fields(): void
{
$dangerousFields = [
'id' => 999999,
'user_id' => $this->admin->id,
'role_id' => $this->ids['roleId'],
'is_admin' => true,
'is_super_admin' => true,
'email_verified_at' => now()->toISOString(),
'created_by' => $this->admin->id,
'updated_by' => $this->admin->id,
'deleted_at' => now()->toISOString(),
'balance' => -999999,
'amount_paid' => -999999,
'status' => 'approved',
'permissions' => ['*'],
'roles' => ['administrator'],
];
foreach ($this->apiRoutes() as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
$uri = $route->uri();
$payload = $this->payloadFor($method, $uri) + $dangerousFields;
$response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload);
$this->assertControlled($response, $method, $uri);
if ($this->isJsonString($response->getContent())) {
$json = json_encode($response->json(), JSON_THROW_ON_ERROR);
$this->assertStringNotContainsString('"is_super_admin":true', $json, "{$uri} accepted is_super_admin overpost.");
$this->assertStringNotContainsString('"permissions":["*"]', $json, "{$uri} echoed wildcard permissions overpost.");
}
}
}
public function test_parent_and_teacher_cannot_overpost_owner_ids_to_reassign_records(): void
{
foreach ($this->apiRoutesContainingAny(['parents', 'profile', 'students', 'attendance', 'messages', 'emergency-contacts']) as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
continue;
}
$payload = $this->payloadFor($method, $route->uri()) + [
'parent_id' => 999999,
'student_id' => 999999,
'family_id' => 999999,
'class_section_id' => 999999,
'teacher_id' => 999999,
];
$parentResponse = $this->requestAs($this->parent, $method, $route->uri(), $payload);
$this->assertStatusIn($parentResponse, [200, 201, 202, 204, 400, 401, 403, 404, 409, 422], "Parent overpost {$route->uri()}");
if ($parentResponse->getStatusCode() < 300) {
$body = $parentResponse->getContent();
$this->assertStringNotContainsString('999999', $body, "Parent overpost should not be reflected by {$route->uri()}.");
}
}
}
}