Files
alrahma_sunday_school_api/tests/Feature/Api/V1/FullSurface/ApiBatch19AppendOnlyAuditLedgerContractTest.php
T
2026-06-11 11:46:12 -04:00

42 lines
1.9 KiB
PHP

<?php
namespace Tests\Feature\Api\V1\FullSurface;
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
class ApiBatch19AppendOnlyAuditLedgerContractTest extends FullSurfaceE2EContractCase
{
public function test_batch19_append_only_audit_ledger_stays_controlled(): void
{
$routes = $this->apiRoutesContainingAny(['audit', 'logs', 'ledger', 'history', 'timeline', 'activity', 'finance', 'payments', 'refunds']);
$payload = [
'delete_audit' => true,
'rewrite_history' => true,
'created_by' => 999999,
'updated_by' => 999999,
'actor_id' => 999999,
'source_ip' => '127.0.0.1',
'reason' => 'client supplied audit rewrite',
];
foreach (array_slice($routes, 0, 110) as $route) {
$method = $this->primaryMethod($route);
$uri = $route->uri();
$actor = $this->actorFor($uri);
if (str_contains($uri, 'admin') || str_contains($uri, 'roles') || str_contains($uri, 'permissions') || str_contains($uri, 'backup') || str_contains($uri, 'restore')) {
$actor = $this->studentUser;
}
$response = $this->requestAs($actor, $method, $uri, $this->payloadFor($method, $uri) + $payload);
$this->assertControlled($response, $method, $uri);
$this->assertNotEquals(500, $response->getStatusCode(), $method.' '.$uri.' crashed during Batch 19 append-only audit ledger behavior probe.');
$body = strtolower($response->getContent());
foreach (['sqlstate', 'stack trace', 'app_key', 'remember_token', 'api_token', 'massassignmentexception', 'foreign key constraint', 'database.sqlite'] as $leak) {
$this->assertStringNotContainsString($leak, $body, $method.' '.$uri.' leaked '.$leak.' during Batch 19 append-only audit ledger behavior probe.');
}
}
}
}