57 lines
2.4 KiB
PHP
57 lines
2.4 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiCalendarScheduleConflictContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_calendar_event_and_school_schedule_routes_handle_conflicts_and_invalid_ranges(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['calendar', 'schedule', 'event', 'school-day', 'semester']);
|
|
|
|
foreach ($routes as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
$uri = $route->uri();
|
|
$payload = $this->payloadFor($method, $uri) + [
|
|
'title' => 'E2E Conflict Probe',
|
|
'start_date' => '2026-06-20',
|
|
'end_date' => '2025-09-01',
|
|
'start_time' => '18:00',
|
|
'end_time' => '08:00',
|
|
'school_year' => self::E2E_PREV_SCHOOL_YEAR,
|
|
'recurrence' => 'FREQ=MINUTELY;INTERVAL=0',
|
|
];
|
|
|
|
$response = $this->requestAs($this->admin, $method, $uri, $payload);
|
|
$this->assertNoServerError($response, "$method $uri invalid schedule conflict");
|
|
$this->assertControlled($response, $method, $uri);
|
|
}
|
|
}
|
|
|
|
public function test_calendar_list_routes_tolerate_window_queries_and_do_not_leak_unscoped_private_events(): void
|
|
{
|
|
$routes = $this->apiRoutesContainingAny(['calendar', 'schedule', 'event']);
|
|
|
|
foreach ($routes as $route) {
|
|
if ($this->primaryMethod($route) !== 'GET') {
|
|
continue;
|
|
}
|
|
|
|
$uri = $route->uri();
|
|
$query = '?from=1900-01-01&to=2100-12-31&scope=all&include_private=true';
|
|
|
|
foreach (['parent' => $this->parent, 'teacher' => $this->teacher, 'student' => $this->studentUser] as $label => $actor) {
|
|
$response = $this->requestAs($actor, 'GET', $uri . $query);
|
|
$this->assertNoServerError($response, "$label GET $uri calendar scope");
|
|
$this->assertStatusIn($response, [200, 204, 302, 400, 401, 403, 404, 409, 419, 422], "$label GET $uri calendar scope");
|
|
$this->assertStringNotContainsStringIgnoringCase('private_note', $response->getContent(), "$uri should not expose private event notes to $label.");
|
|
}
|
|
}
|
|
}
|
|
}
|