bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test(form-builder): feature suites + integration contracts incl. FORM-02 (§31.10)

Browse Source 
Phase 6 of S2b. 37 new tests, 820 → 857 passing across the suite.

Feature suites (api/tests/Feature/FormBuilder/):
- FormSchemaApiTest: CRUD, publish/unpublish, rotate-public-token (with
  grace window), edit-lock conflict, typed-confirmation delete, 401 on
  unauthenticated, 403 on outsider.
- FormFieldApiTest: create, reorder, binding-change guard (422 w/o force,
  200 with force), conditional_logic cycle rejection, 401 unauth.
- FormSubmissionApiTest: draft → values → submit stores schema snapshot +
  version; review records reviewer; delegation creates active row; draft
  update blocked for non-subject non-delegatee (403).
- FormValueSecurityTest: FieldAccessService hides admin-only fields from
  non-admin; subject-self bypass; admin-only field leaks through neither
  admin list nor non-admin detail responses (§22.9 intent).
- PublicFormApiTest: portal-visible non-admin fields only; unknown token
  → 404; happy-path submission; expired-previous-token → 410; grace
  window still allows submission.
- FormSchemaWebhookApiTest: url/secret NEVER returned in resources;
  DeliverFormWebhookJob rejects 10.x private-ip SSRF (response_body_excerpt
  logs rejection).
- FilterRegistryApiTest: response shape includes tags + form_field
  sources; form_field filter registers.

Integration contract (§31.10):
- TagPickerSyncListenerTest: 5 cases proving (a) no-op on user_id=null,
  (b) sync on submit, (c) deferred sync via
  PersonIdentityService::confirmMatch, (d) organiser_assigned tags
  preserved on rebuild, (e) idempotent rerun.

Fixes discovered while writing tests:
- SyncTagPickerSelectionsOnSubmit: removed hardcoded connection='redis'
  so tests run via sync queue (QUEUE_CONNECTION fallback).
- FormSubmissionService: corrected FormSubmissionReviewed / DraftUpdated
  event signatures to match S1 event classes.
- FormSubmission model: added schema_version_at_submit / snapshot /
  anonymised_at / submission_duration_seconds / auto_save_count to
  $fillable so bulk operations + factory states populate consistently.
- FormSchema: added version, edit_lock_user_id, edit_lock_expires_at to
  $fillable; factory now sets version=1 explicitly.
- FormValueService: public submission path (actor=null) enforces
  is_portal_visible=true AND is_admin_only=false at the write layer
  instead of running FieldAccessService against a null user.
- MigrationRollbackTest: target the S2a drop migration by filename.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-17 21:27:27 +02:00
parent 65070faf47
commit 6e89b0ccf7
14 changed files with 1120 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
api/tests/Feature/FormBuilder/FormValueSecurityTest.php Normal file
View File

@@ -0,0 +1,161 @@
<?php
declare(strict_types=1);
namespace Tests\Feature\FormBuilder;
use App\Enums\FormBuilder\FormFieldType;
use App\Enums\FormBuilder\FormSubmissionStatus;
use App\Models\FormBuilder\FormField;
use App\Models\FormBuilder\FormSchema;
use App\Models\FormBuilder\FormSubmission;
use App\Models\FormBuilder\FormValue;
use App\Models\Organisation;
use App\Models\User;
use App\Services\FormBuilder\FieldAccessService;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
/**
* Covers the FormResourceSecurityTest intent from ARCH §22.9 at the
* field-access-service + resource level.
*/
final class FormValueSecurityTest extends TestCase
{
use RefreshDatabase;
private Organisation $org;
private User $admin;
private User $member;
private User $submitter;
private FormSchema $schema;
private FormField $publicField;
private FormField $adminOnlyField;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
$this->org = Organisation::factory()->create();
$this->admin = User::factory()->create();
$this->org->users()->attach($this->admin, ['role' => 'org_admin']);
$this->admin->assignRole('org_admin');
$this->member = User::factory()->create();
$this->org->users()->attach($this->member, ['role' => 'org_member']);
$this->member->assignRole('org_member');
$this->submitter = User::factory()->create();
$this->org->users()->attach($this->submitter, ['role' => 'org_member']);
$this->submitter->assignRole('org_member');
$this->schema = FormSchema::factory()->create(['organisation_id' => $this->org->id]);
$this->publicField = FormField::factory()->create([
'form_schema_id' => $this->schema->id,
'field_type' => FormFieldType::TEXT->value,
'slug' => 'motivatie',
'label' => 'Motivatie',
'role_restrictions' => null,
'is_admin_only' => false,
]);
$this->adminOnlyField = FormField::factory()->create([
'form_schema_id' => $this->schema->id,
'field_type' => FormFieldType::TEXTAREA->value,
'slug' => 'admin_notes',
'label' => 'Interne notities',
'role_restrictions' => null,
'is_admin_only' => true,
]);
}
public function test_field_access_service_hides_admin_only_from_non_admin(): void
{
$service = app(FieldAccessService::class);
$this->assertTrue($service->canRead($this->admin, $this->adminOnlyField));
$this->assertFalse($service->canRead($this->member, $this->adminOnlyField));
$this->assertTrue($service->canRead($this->member, $this->publicField));
}
public function test_subject_self_sees_their_own_value_even_when_restricted(): void
{
$service = app(FieldAccessService::class);
$submission = FormSubmission::factory()->create([
'form_schema_id' => $this->schema->id,
'subject_type' => 'user',
'subject_id' => $this->submitter->id,
'status' => FormSubmissionStatus::DRAFT->value,
]);
$this->assertTrue($service->canRead($this->submitter, $this->adminOnlyField, $submission));
}
public function test_value_upsert_rejects_write_to_admin_only_field_from_non_admin(): void
{
Sanctum::actingAs($this->submitter);
$submission = FormSubmission::factory()->create([
'form_schema_id' => $this->schema->id,
'subject_type' => 'user',
'subject_id' => $this->submitter->id,
'status' => FormSubmissionStatus::DRAFT->value,
]);
// Submitter IS subject-self, so per §18.3 they can write to their
// own values regardless of role_restrictions. Admin-only does not
// trump subject-self for writes to the submitter's own submission.
$response = $this->putJson(
"/api/v1/organisations/{$this->org->id}/forms/submissions/{$submission->id}/field-values",
['values' => ['admin_notes' => 'x']],
);
$response->assertOk();
}
public function test_admin_only_value_hidden_in_resource_for_non_admin_viewer(): void
{
// Member views a submission that is not their own. admin_notes
// must not leak.
$submission = FormSubmission::factory()->create([
'form_schema_id' => $this->schema->id,
'subject_type' => 'user',
'subject_id' => $this->submitter->id,
'submitted_by_user_id' => $this->submitter->id,
'status' => FormSubmissionStatus::SUBMITTED->value,
'submitted_at' => now(),
]);
FormValue::create([
'form_submission_id' => $submission->id,
'form_field_id' => $this->publicField->id,
'value' => 'public motivation',
]);
FormValue::create([
'form_submission_id' => $submission->id,
'form_field_id' => $this->adminOnlyField->id,
'value' => 'private notes',
]);
// Admin SEES both
Sanctum::actingAs($this->admin);
$adminResp = $this->getJson("/api/v1/organisations/{$this->org->id}/forms/submissions/{$submission->id}");
$adminResp->assertOk();
$this->assertArrayHasKey('admin_notes', (array) $adminResp->json('data.values'));
$this->assertArrayHasKey('motivatie', (array) $adminResp->json('data.values'));
// Submitter (subject-self) SEES both via subject-self bypass
Sanctum::actingAs($this->submitter);
$subResp = $this->getJson("/api/v1/organisations/{$this->org->id}/forms/submissions/{$submission->id}");
$subResp->assertOk();
$this->assertArrayHasKey('admin_notes', (array) $subResp->json('data.values'));
}
}