Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch14AuditTrailTamperResistanceContractTest.php
T
2026-06-09 01:03:53 -04:00

33 lines
1.9 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch14AuditTrailTamperResistanceContractTest extends FullSurfaceE2EContractCase
{
public function test_audit_and_log_routes_reject_client_supplied_actor_and_timestamp_fields(): void
{
foreach (array_slice($this->apiRoutesContainingAny(['audit', 'log', 'activity', 'history', 'trace']), 0, 35) as $route) {
$method = $this->primaryMethod($route);
$response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri(), $this->payloadFor($method, $route->uri()) + [
'created_by' => $this->admin->id, 'updated_by' => $this->admin->id, 'deleted_by' => $this->admin->id, 'actor_id' => $this->admin->id, 'ip_address' => '127.0.0.1', 'user_agent' => 'forged-user-agent', 'created_at' => '1999-01-01 00:00:00', 'updated_at' => '1999-01-01 00:00:00', 'deleted_at' => '1999-01-01 00:00:00',
]);
$this->assertControlled($response, $method, $route->uri());
$this->assertStringNotContainsString('sqlstate', strtolower($response->getContent()));
}
}
public function test_non_admin_users_cannot_clear_or_rewrite_audit_history(): void
{
foreach (array_slice($this->apiRoutesContainingAny(['audit', 'log', 'history', 'activity']), 0, 25) as $route) {
$method = $this->primaryMethod($route);
if (! in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) { continue; }
foreach ([$this->parent, $this->teacher, $this->studentUser] as $actor) {
$response = $this->requestAs($actor, $method, $route->uri(), ['action' => 'clear', 'purge' => true, 'rewrite' => true]);
$this->assertStatusIn($response, [400, 401, 403, 404, 405, 409, 419, 422], $method . ' ' . $route->uri());
}
}
}
}