44 lines
1.9 KiB
PHP
44 lines
1.9 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
|
|
class ApiBatch18CanonicalIdentifierImmutabilityContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_batch18_canonicalidentifierimmutability_stays_controlled(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['students', 'users', 'parents', 'family', 'guardian', 'invoices', 'payments', 'attendance', 'scores']);
|
|
$payload = [
|
|
'id' => 999999,
|
|
'uuid' => '00000000-0000-0000-0000-000000000000',
|
|
'user_id' => 999999,
|
|
'student_id' => 999999,
|
|
'parent_id' => 999999,
|
|
'invoice_id' => 999999,
|
|
'created_at' => '1999-01-01T00:00:00Z',
|
|
'updated_at' => '2099-01-01T00:00:00Z',
|
|
];
|
|
|
|
foreach (array_slice($routes, 0, 100) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
$uri = $route->uri();
|
|
$actor = $this->actorFor($uri);
|
|
|
|
if (str_contains($uri, 'admin') || str_contains($uri, 'roles') || str_contains($uri, 'permissions')) {
|
|
$actor = $this->studentUser;
|
|
}
|
|
|
|
$response = $this->requestAs($actor, $method, $uri, $this->payloadFor($method, $uri) + $payload);
|
|
$this->assertControlled($response, $method, $uri);
|
|
$this->assertNotEquals(500, $response->getStatusCode(), $method.' '.$uri.' crashed during Batch 18 canonical identifier immutability probe.');
|
|
|
|
$body = strtolower($response->getContent());
|
|
foreach (['sqlstate', 'stack trace', 'app_key', 'remember_token', 'api_token', 'massassignmentexception', 'foreign key constraint'] as $leak) {
|
|
$this->assertStringNotContainsString($leak, $body, $method.' '.$uri.' leaked '.$leak.' during Batch 18 canonical identifier immutability probe.');
|
|
}
|
|
}
|
|
}
|
|
}
|