feat(form-builder): retry/resolve/dismiss API endpoints + dual-route auth (WS-6)

Two route groups: /api/v1/admin/form-failures (super_admin platform) and /api/v1/organisations/{organisation}/form-failures (org_admin scoped). Same controller, policy authorises via FK chain (RFC V3). Cross-tenant access returns 404 not 403 to prevent enumeration. Resolve takes optional note; Dismiss requires DismissalReasonType enum with conditional note (mandatory for 'other'). Both via FormRequest validation with explicit i18n message keys. Implementation note: Laravel implicit model binding for nested-namespace ULID models doesn't pick up reliably across nested route groups. Using manual resolveFailure() helper that loads withoutGlobalScopes() (so cross-tenant access still reaches the policy, which translates denied → 404 per V3). Policy explicitly checks soft-delete via deleted_at since withoutGlobalScopes bypasses SoftDeletes too. Policy registered explicitly in AppServiceProvider — auto-discovery doesn't reliably resolve App\Models\FormBuilder\* → App\Policies\FormBuilder\*. NOT: admin UI (session 3). Not: public form routes (no API contract notification needed). Refs: RFC-WS-6.md §3 (Q5), §4 (V2, V3) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 15:34:23 +02:00
parent 84d57c5bbc
commit d0e17f2824
9 changed files with 509 additions and 3 deletions
--- a/api/tests/Feature/FormBuilder/Api/FormSubmissionActionFailureControllerTest.php
+++ b/api/tests/Feature/FormBuilder/Api/FormSubmissionActionFailureControllerTest.php
@@ -0,0 +1,147 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\FormBuilder\Api;
+
+use App\Enums\FormBuilder\DismissalReasonType;
+use App\Models\FormBuilder\FormSchema;
+use App\Models\FormBuilder\FormSubmission;
+use App\Models\FormBuilder\FormSubmissionActionFailure;
+use App\Models\Organisation;
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+/**
+ * RFC-WS-6 §3 (Q5) + §4 (V3) — admin endpoints. Cross-tenant access
+ * MUST return 404, never 403, to prevent enumeration. The IDOR-class
+ * tests below assert this contract explicitly.
+ */
+final class FormSubmissionActionFailureControllerTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private Organisation $orgA;
+
+    private Organisation $orgB;
+
+    private User $superAdmin;
+
+    private User $orgAdminA;
+
+    private User $orgAdminB;
+
+    private FormSubmissionActionFailure $failureInOrgA;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+
+        $this->orgA = Organisation::factory()->create();
+        $this->orgB = Organisation::factory()->create();
+
+        $this->superAdmin = User::factory()->create();
+        $this->superAdmin->assignRole('super_admin');
+
+        $this->orgAdminA = User::factory()->create();
+        $this->orgA->users()->attach($this->orgAdminA, ['role' => 'org_admin']);
+
+        $this->orgAdminB = User::factory()->create();
+        $this->orgB->users()->attach($this->orgAdminB, ['role' => 'org_admin']);
+
+        $schema = FormSchema::factory()->create(['organisation_id' => $this->orgA->id]);
+        $submission = FormSubmission::factory()->create([
+            'form_schema_id' => $schema->id,
+            'organisation_id' => $this->orgA->id,
+        ]);
+        $this->failureInOrgA = FormSubmissionActionFailure::factory()
+            ->for($submission, 'submission')
+            ->create();
+    }
+
+    public function test_unauthenticated_returns_401(): void
+    {
+        $this->getJson("/api/v1/admin/form-failures/{$this->failureInOrgA->id}")
+            ->assertStatus(401);
+    }
+
+    public function test_super_admin_can_view_failure(): void
+    {
+        $this->withoutExceptionHandling();
+        Sanctum::actingAs($this->superAdmin); $this
+            ->getJson("/api/v1/admin/form-failures/{$this->failureInOrgA->id}")
+            ->assertOk()
+            ->assertJsonPath('data.id', (string) $this->failureInOrgA->id);
+    }
+
+    public function test_org_admin_can_view_own_org_failure(): void
+    {
+        Sanctum::actingAs($this->orgAdminA);
+        $this->getJson("/api/v1/organisations/{$this->orgA->id}/form-failures/{$this->failureInOrgA->id}")
+            ->assertOk();
+    }
+
+    /**
+     * RFC V3 IDOR-class — admin from org B must NOT see a failure
+     * whose submission belongs to org A. 404, NOT 403.
+     */
+    public function test_cross_tenant_access_returns_404_not_403(): void
+    {
+        Sanctum::actingAs($this->orgAdminB); $this
+            ->getJson("/api/v1/organisations/{$this->orgA->id}/form-failures/{$this->failureInOrgA->id}")
+            ->assertStatus(404);
+    }
+
+    public function test_resolve_endpoint_with_note(): void
+    {
+        Sanctum::actingAs($this->superAdmin); $this
+            ->postJson("/api/v1/admin/form-failures/{$this->failureInOrgA->id}/resolve", [
+                'note' => 'fixed via direct edit',
+            ])
+            ->assertOk()
+            ->assertJsonPath('data.state', 'resolved')
+            ->assertJsonPath('data.resolved_note', 'fixed via direct edit');
+    }
+
+    public function test_dismiss_endpoint_with_enum_reason(): void
+    {
+        Sanctum::actingAs($this->superAdmin); $this
+            ->postJson("/api/v1/admin/form-failures/{$this->failureInOrgA->id}/dismiss", [
+                'reason_type' => DismissalReasonType::SCHEMA_DELETED->value,
+            ])
+            ->assertOk()
+            ->assertJsonPath('data.state', 'dismissed')
+            ->assertJsonPath('data.dismissed_reason_type', DismissalReasonType::SCHEMA_DELETED->value);
+    }
+
+    public function test_dismiss_other_without_note_fails_422(): void
+    {
+        Sanctum::actingAs($this->superAdmin); $this
+            ->postJson("/api/v1/admin/form-failures/{$this->failureInOrgA->id}/dismiss", [
+                'reason_type' => DismissalReasonType::OTHER->value,
+            ])
+            ->assertStatus(422)
+            ->assertJsonValidationErrors(['note']);
+    }
+
+    public function test_cross_tenant_dismiss_returns_404(): void
+    {
+        Sanctum::actingAs($this->orgAdminB); $this
+            ->postJson("/api/v1/organisations/{$this->orgA->id}/form-failures/{$this->failureInOrgA->id}/dismiss", [
+                'reason_type' => DismissalReasonType::OTHER->value,
+                'note' => 'evil',
+            ])
+            ->assertStatus(404);
+    }
+
+    public function test_cross_tenant_resolve_returns_404(): void
+    {
+        Sanctum::actingAs($this->orgAdminB); $this
+            ->postJson("/api/v1/organisations/{$this->orgA->id}/form-failures/{$this->failureInOrgA->id}/resolve", [])
+            ->assertStatus(404);
+    }
+}