Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiDataMinimizationByRoleContractTest.php
T
2026-06-09 02:32:58 -04:00

34 lines
1.5 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiDataMinimizationByRoleContractTest extends FullSurfaceE2EContractCase
{
public function test_parent_and_student_responses_do_not_expose_back_office_finance_or_admin_fields(): void
{
$routes = array_slice($this->apiRoutesContainingAny(['parent', 'parents', 'student', 'students', 'dashboard', 'profile', 'invoices']), 0, 120);
$forbidden = ['cost_basis', 'internal_notes', 'admin_notes', 'deleted_at', 'password', 'remember_token', 'permissions', 'roles_raw', 'salary', 'ssn'];
foreach ($routes as $route) {
if ($this->primaryMethod($route) !== 'GET') {
continue;
}
$uri = $route->uri();
foreach ([$this->parent, $this->studentUser] as $actor) {
$response = $this->requestAs($actor, 'GET', $uri);
$this->assertControlled($response, 'GET', $uri);
$this->assertNoServerError($response, 'data minimization at GET ' . $uri);
if ($response->getStatusCode() >= 200 && $response->getStatusCode() < 300) {
foreach ($forbidden as $field) {
$this->assertStringNotContainsString('"' . $field . '"', $response->getContent(), 'Low-privilege response leaked ' . $field . ' at GET ' . $uri);
}
}
}
}
}
}