76 lines
3.0 KiB
PHP
76 lines
3.0 KiB
PHP
<?php
|
|
|
|
namespace Tests\Feature\Api\V1\FullSurface;
|
|
|
|
use Tests\Feature\Api\V1\FullSurface\Support\FullSurfaceE2EContractCase;
|
|
|
|
class ApiMassAssignmentAndOverpostingContractTest extends FullSurfaceE2EContractCase
|
|
{
|
|
public function test_write_endpoints_ignore_or_reject_privilege_escalation_fields(): void
|
|
{
|
|
$dangerousFields = [
|
|
'id' => 999999,
|
|
'user_id' => $this->admin->id,
|
|
'role_id' => $this->ids['roleId'],
|
|
'is_admin' => true,
|
|
'is_super_admin' => true,
|
|
'email_verified_at' => now()->toISOString(),
|
|
'created_by' => $this->admin->id,
|
|
'updated_by' => $this->admin->id,
|
|
'deleted_at' => now()->toISOString(),
|
|
'balance' => -999999,
|
|
'amount_paid' => -999999,
|
|
'status' => 'approved',
|
|
'permissions' => ['*'],
|
|
'roles' => ['administrator'],
|
|
];
|
|
|
|
foreach ($this->apiRoutes() as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
$uri = $route->uri();
|
|
$payload = $this->payloadFor($method, $uri) + $dangerousFields;
|
|
$response = $this->requestAs($this->actorFor($uri), $method, $uri, $payload);
|
|
|
|
$this->assertControlled($response, $method, $uri);
|
|
|
|
if ($this->isJsonString($response->getContent())) {
|
|
$json = json_encode($response->json(), JSON_THROW_ON_ERROR);
|
|
$this->assertStringNotContainsString('"is_super_admin":true', $json, "{$uri} accepted is_super_admin overpost.");
|
|
$this->assertStringNotContainsString('"permissions":["*"]', $json, "{$uri} echoed wildcard permissions overpost.");
|
|
}
|
|
}
|
|
}
|
|
|
|
public function test_parent_and_teacher_cannot_overpost_owner_ids_to_reassign_records(): void
|
|
{
|
|
foreach ($this->apiRoutesContainingAny(['parents', 'profile', 'students', 'attendance', 'messages', 'emergency-contacts']) as $route) {
|
|
$method = $this->primaryMethod($route);
|
|
|
|
if (! in_array($method, ['POST', 'PUT', 'PATCH'], true)) {
|
|
continue;
|
|
}
|
|
|
|
$payload = $this->payloadFor($method, $route->uri()) + [
|
|
'parent_id' => 999999,
|
|
'student_id' => 999999,
|
|
'family_id' => 999999,
|
|
'class_section_id' => 999999,
|
|
'teacher_id' => 999999,
|
|
];
|
|
|
|
$parentResponse = $this->requestAs($this->parent, $method, $route->uri(), $payload);
|
|
$this->assertStatusIn($parentResponse, [200, 201, 202, 204, 400, 401, 403, 404, 409, 422], "Parent overpost {$route->uri()}");
|
|
|
|
if ($parentResponse->getStatusCode() < 300) {
|
|
$body = $parentResponse->getContent();
|
|
$this->assertStringNotContainsString('999999', $body, "Parent overpost should not be reflected by {$route->uri()}.");
|
|
}
|
|
}
|
|
}
|
|
}
|