Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch16PermissionDriftDetectionContractTest.php
T
2026-06-09 01:03:53 -04:00

37 lines
1.5 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch16PermissionDriftDetectionContractTest extends FullSurfaceE2EContractCase
{
public function test_batch16_permission_names_and_route_families_do_not_drift_into_unguarded_mutations(): void
{
$mutatingRoutes = array_filter($this->apiRoutes(), fn ($route) => in_array($this->primaryMethod($route), ['POST', 'PUT', 'PATCH', 'DELETE'], true));
$sensitiveNeedles = ['users', 'roles', 'permissions', 'settings', 'finance', 'inventory', 'school-year', 'attendance', 'scores'];
foreach (array_slice($mutatingRoutes, 0, 100) as $route) {
$uri = $route->uri();
$isSensitive = false;
foreach ($sensitiveNeedles as $needle) {
$isSensitive = $isSensitive || str_contains($uri, $needle);
}
if (! $isSensitive) {
continue;
}
$method = $this->primaryMethod($route);
$response = $this->requestAs($this->studentUser, $method, $uri, $this->payloadFor($method, $uri) + [
'permissions' => ['*'],
'role' => 'administrator',
'can_manage_everything' => true,
]);
$this->assertControlled($response, $method, $uri);
$this->assertNotEquals(500, $response->getStatusCode(), $method.' '.$uri.' should not crash during permission-drift probes.');
}
}
}