86 lines
3.8 KiB
PHP
86 lines
3.8 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiBusinessRuleEdgeCaseContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_school_year_semester_and_class_mismatch_payloads_fail_without_crashing(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['students', 'class', 'attendance', 'scores', 'report-card', 'teacher']);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
$uri = $route->uri();
|
|
$payload = $this->payloadFor($method, $uri) + [
|
|
'school_year' => '1900-1901',
|
|
'semester' => 'Summer-Does-Not-Exist',
|
|
'class_section_id' => 999999,
|
|
'student_id' => 999999,
|
|
];
|
|
|
|
$response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload);
|
|
$this->assertNoServerError($response, "$method $uri mismatched academic context");
|
|
$this->assertStatusIn($response, [200, 201, 202, 204, 302, 400, 401, 403, 404, 409, 419, 422], "$method $uri mismatched academic context");
|
|
$this->assertStringNotContainsStringIgnoringCase('foreign key constraint', $response->getContent(), $uri . ' should validate academic context before DB failure leaks.');
|
|
}
|
|
}
|
|
|
|
public function test_financial_amount_rules_reject_zero_negative_and_precision_abuse_cleanly(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['finance', 'payment', 'refund', 'invoice', 'fee', 'installment', 'charge']);
|
|
$amounts = [0, -0.01, -999999, '0.0000000000001', '1000000000000000000000000.99'];
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
foreach ($amounts as $amount) {
|
|
$uri = $route->uri();
|
|
$payload = $this->payloadFor($method, $uri);
|
|
$payload['amount'] = $amount;
|
|
$payload['total'] = $amount;
|
|
$payload['balance'] = $amount;
|
|
|
|
$response = $this->requestAs($this->admin, $method, $uri, $payload);
|
|
$this->assertNoServerError($response, "$method $uri amount $amount");
|
|
$this->assertStringNotContainsStringIgnoringCase('decimal', $response->getContent(), $uri . ' should not leak decimal cast internals.');
|
|
$this->assertStringNotContainsStringIgnoringCase('SQLSTATE', $response->getContent(), $uri . ' should not leak SQLSTATE for financial edge cases.');
|
|
}
|
|
}
|
|
}
|
|
|
|
public function test_attendance_status_and_time_edge_cases_are_controlled(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['attendance', 'late', 'dismissal', 'absence']);
|
|
$statuses = ['present', 'absent', 'late', 'excused', 'early_dismissal', 'not-a-real-status'];
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
foreach ($statuses as $status) {
|
|
$uri = $route->uri();
|
|
$payload = $this->payloadFor($method, $uri) + [
|
|
'status' => $status,
|
|
'arrival_time' => '25:99',
|
|
'dismissal_time' => '-01:00',
|
|
];
|
|
|
|
$response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload);
|
|
$this->assertNoServerError($response, "$method $uri status $status");
|
|
$this->assertControlled($response, $method, $uri);
|
|
}
|
|
}
|
|
}
|
|
}
|