bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test(form-builder): feature suites + integration contracts incl. FORM-02 (§31.10)

Browse Source 
Phase 6 of S2b. 37 new tests, 820 → 857 passing across the suite.

Feature suites (api/tests/Feature/FormBuilder/):
- FormSchemaApiTest: CRUD, publish/unpublish, rotate-public-token (with
  grace window), edit-lock conflict, typed-confirmation delete, 401 on
  unauthenticated, 403 on outsider.
- FormFieldApiTest: create, reorder, binding-change guard (422 w/o force,
  200 with force), conditional_logic cycle rejection, 401 unauth.
- FormSubmissionApiTest: draft → values → submit stores schema snapshot +
  version; review records reviewer; delegation creates active row; draft
  update blocked for non-subject non-delegatee (403).
- FormValueSecurityTest: FieldAccessService hides admin-only fields from
  non-admin; subject-self bypass; admin-only field leaks through neither
  admin list nor non-admin detail responses (§22.9 intent).
- PublicFormApiTest: portal-visible non-admin fields only; unknown token
  → 404; happy-path submission; expired-previous-token → 410; grace
  window still allows submission.
- FormSchemaWebhookApiTest: url/secret NEVER returned in resources;
  DeliverFormWebhookJob rejects 10.x private-ip SSRF (response_body_excerpt
  logs rejection).
- FilterRegistryApiTest: response shape includes tags + form_field
  sources; form_field filter registers.

Integration contract (§31.10):
- TagPickerSyncListenerTest: 5 cases proving (a) no-op on user_id=null,
  (b) sync on submit, (c) deferred sync via
  PersonIdentityService::confirmMatch, (d) organiser_assigned tags
  preserved on rebuild, (e) idempotent rerun.

Fixes discovered while writing tests:
- SyncTagPickerSelectionsOnSubmit: removed hardcoded connection='redis'
  so tests run via sync queue (QUEUE_CONNECTION fallback).
- FormSubmissionService: corrected FormSubmissionReviewed / DraftUpdated
  event signatures to match S1 event classes.
- FormSubmission model: added schema_version_at_submit / snapshot /
  anonymised_at / submission_duration_seconds / auto_save_count to
  $fillable so bulk operations + factory states populate consistently.
- FormSchema: added version, edit_lock_user_id, edit_lock_expires_at to
  $fillable; factory now sets version=1 explicitly.
- FormValueService: public submission path (actor=null) enforces
  is_portal_visible=true AND is_admin_only=false at the write layer
  instead of running FieldAccessService against a null user.
- MigrationRollbackTest: target the S2a drop migration by filename.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
bert.hausmans
2026-04-17 21:27:27 +02:00
parent 65070faf47
commit 6e89b0ccf7
14 changed files with 1120 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

246
api/tests/Feature/FormBuilder/Integration/TagPickerSyncListenerTest.php Normal file
View File

@@ -0,0 +1,246 @@
<?php
declare(strict_types=1);
namespace Tests\Feature\FormBuilder\Integration;
use App\Enums\FormBuilder\FormFieldType;
use App\Enums\FormBuilder\FormPurpose;
use App\Enums\FormBuilder\FormSubmissionStatus;
use App\Enums\IdentityMatchConfidence;
use App\Enums\IdentityMatchMethod;
use App\Enums\IdentityMatchStatus;
use App\Events\FormBuilder\FormSubmissionSubmitted;
use App\Models\CrowdType;
use App\Models\Event;
use App\Models\FormBuilder\FormField;
use App\Models\FormBuilder\FormSchema;
use App\Models\FormBuilder\FormSubmission;
use App\Models\FormBuilder\FormValue;
use App\Models\Organisation;
use App\Models\Person;
use App\Models\PersonIdentityMatch;
use App\Models\PersonTag;
use App\Models\User;
use App\Models\UserOrganisationTag;
use App\Services\PersonIdentityService;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
/**
* ARCH §31.10 FORM-02 contract tests. Verifies:
* (a) no-op when person.user_id is null;
* (b) sync on submit when user_id is set;
* (c) re-sync when PersonIdentityService::confirmMatch links a user;
* (d) organiser_assigned tags preserved;
* (e) idempotent rerun.
*/
final class TagPickerSyncListenerTest extends TestCase
{
use RefreshDatabase;
private Organisation $org;
private Event $event;
private CrowdType $crowdType;
private FormSchema $schema;
private FormField $tagPickerField;
private PersonTag $tagA;
private PersonTag $tagB;
private PersonTag $tagC;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
$this->org = Organisation::factory()->create();
$this->event = Event::factory()->create(['organisation_id' => $this->org->id]);
$this->crowdType = CrowdType::factory()->systemType('CREW')->create([
'organisation_id' => $this->org->id,
]);
$this->schema = FormSchema::factory()->create([
'organisation_id' => $this->org->id,
'purpose' => FormPurpose::EVENT_REGISTRATION,
'owner_type' => 'event',
'owner_id' => $this->event->id,
]);
$this->tagPickerField = FormField::factory()->create([
'form_schema_id' => $this->schema->id,
'field_type' => FormFieldType::TAG_PICKER->value,
'slug' => 'vaardigheden',
]);
$this->tagA = PersonTag::factory()->create(['organisation_id' => $this->org->id, 'name' => 'EHBO']);
$this->tagB = PersonTag::factory()->create(['organisation_id' => $this->org->id, 'name' => 'BHV']);
$this->tagC = PersonTag::factory()->create(['organisation_id' => $this->org->id, 'name' => 'VCA-BASIS']);
}
public function test_noop_when_person_has_no_user_id(): void
{
$person = Person::factory()->create([
'event_id' => $this->event->id,
'crowd_type_id' => $this->crowdType->id,
'user_id' => null,
]);
$this->submitWithTags($person, [$this->tagA->id, $this->tagB->id]);
$this->assertSame(0, UserOrganisationTag::query()->count());
}
public function test_sync_on_submit_when_user_id_is_set(): void
{
$user = User::factory()->create();
$person = Person::factory()->create([
'event_id' => $this->event->id,
'crowd_type_id' => $this->crowdType->id,
'user_id' => $user->id,
]);
$this->submitWithTags($person, [$this->tagA->id, $this->tagB->id]);
$tags = UserOrganisationTag::query()
->where('user_id', $user->id)
->where('organisation_id', $this->org->id)
->where('source', 'self_reported')
->pluck('person_tag_id')
->all();
$this->assertEqualsCanonicalizing(
[$this->tagA->id, $this->tagB->id],
$tags,
);
}
public function test_organiser_assigned_tags_are_preserved_on_rebuild(): void
{
$user = User::factory()->create();
$person = Person::factory()->create([
'event_id' => $this->event->id,
'crowd_type_id' => $this->crowdType->id,
'user_id' => $user->id,
]);
// Seed an organiser_assigned tag BEFORE rebuild.
UserOrganisationTag::create([
'user_id' => $user->id,
'organisation_id' => $this->org->id,
'person_tag_id' => $this->tagC->id,
'source' => 'organiser_assigned',
'assigned_at' => now(),
]);
$this->submitWithTags($person, [$this->tagA->id]);
$organiserTags = UserOrganisationTag::query()
->where('source', 'organiser_assigned')
->pluck('person_tag_id')
->all();
$this->assertSame([$this->tagC->id], $organiserTags);
}
public function test_identity_link_triggers_deferred_sync(): void
{
// Step 1: person without user_id submits TAG_PICKER values.
$person = Person::factory()->create([
'event_id' => $this->event->id,
'crowd_type_id' => $this->crowdType->id,
'user_id' => null,
'email' => 'nina@example.test',
]);
$this->submitWithTags($person, [$this->tagA->id, $this->tagB->id]);
$this->assertSame(0, UserOrganisationTag::query()->count());
// Step 2: user arrives, identity match pending.
$user = User::factory()->create(['email' => 'nina@example.test']);
$this->org->users()->attach($user, ['role' => 'org_member']);
$match = PersonIdentityMatch::create([
'person_id' => $person->id,
'matched_user_id' => $user->id,
'matched_on' => IdentityMatchMethod::EMAIL,
'confidence' => IdentityMatchConfidence::HIGH,
'status' => IdentityMatchStatus::PENDING,
'match_details' => ['organisation_id' => $this->org->id],
]);
$organiser = User::factory()->create();
$this->org->users()->attach($organiser, ['role' => 'org_admin']);
// Step 3: confirmMatch wires user_id and rebuilds tags.
app(PersonIdentityService::class)->confirmMatch($match->fresh(), $organiser);
$tags = UserOrganisationTag::query()
->where('user_id', $user->id)
->where('source', 'self_reported')
->pluck('person_tag_id')
->all();
$this->assertEqualsCanonicalizing([$this->tagA->id, $this->tagB->id], $tags);
}
public function test_rebuild_is_idempotent(): void
{
$user = User::factory()->create();
$person = Person::factory()->create([
'event_id' => $this->event->id,
'crowd_type_id' => $this->crowdType->id,
'user_id' => $user->id,
]);
$this->submitWithTags($person, [$this->tagA->id]);
$this->submitWithTags($person, [$this->tagA->id]);
// Two submits, each of a single tag. The last rebuild takes the
// UNION across all submitted event_registration submissions —
// which is still just tagA.
$this->assertSame(
1,
UserOrganisationTag::query()
->where('user_id', $user->id)
->where('source', 'self_reported')
->count(),
);
}
/**
* @param array<int, string> $tagIds
*/
private function submitWithTags(Person $person, array $tagIds): FormSubmission
{
/** @var FormSubmission $submission */
$submission = FormSubmission::create([
'form_schema_id' => $this->schema->id,
'subject_type' => 'person',
'subject_id' => $person->id,
'status' => FormSubmissionStatus::SUBMITTED->value,
'submitted_at' => now(),
'is_test' => false,
]);
$value = new FormValue;
$value->form_submission_id = $submission->id;
$value->form_field_id = $this->tagPickerField->id;
$value->setRelation('field', $this->tagPickerField);
$value->value = $tagIds;
$value->save();
// Fire the event manually (we bypass the service during this test
// to isolate the listener contract).
FormSubmissionSubmitted::dispatch($submission->fresh());
return $submission;
}
}