33 lines
1.9 KiB
PHP
33 lines
1.9 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBatch14AuditTrailTamperResistanceContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_audit_and_log_routes_reject_client_supplied_actor_and_timestamp_fields(): void
|
|
{
|
|
foreach (array_slice($this->apiRoutesContainingAny(['audit', 'log', 'activity', 'history', 'trace']), 0, 35) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$response = $this->requestAs($this->actorFor($route->uri()), $method, $route->uri(), $this->payloadFor($method, $route->uri()) + [
|
|
'created_by' => $this->admin->id, 'updated_by' => $this->admin->id, 'deleted_by' => $this->admin->id, 'actor_id' => $this->admin->id, 'ip_address' => '127.0.0.1', 'user_agent' => 'forged-user-agent', 'created_at' => '1999-01-01 00:00:00', 'updated_at' => '1999-01-01 00:00:00', 'deleted_at' => '1999-01-01 00:00:00',
|
|
]);
|
|
$this->assertControlled($response, $method, $route->uri());
|
|
$this->assertStringNotContainsString('sqlstate', strtolower($response->getContent()));
|
|
}
|
|
}
|
|
|
|
public function test_non_admin_users_cannot_clear_or_rewrite_audit_history(): void
|
|
{
|
|
foreach (array_slice($this->apiRoutesContainingAny(['audit', 'log', 'history', 'activity']), 0, 25) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) { continue; }
|
|
foreach ([$this->parent, $this->teacher, $this->studentUser] as $actor) {
|
|
$response = $this->requestAs($actor, $method, $route->uri(), ['action' => 'clear', 'purge' => true, 'rewrite' => true]);
|
|
$this->assertStatusIn($response, [400, 401, 403, 404, 405, 409, 419, 422], $method . ' ' . $route->uri());
|
|
}
|
|
}
|
|
}
|
|
}
|