bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
545d6d4cd05b2a0b53fa11d03d740ffeb628ed76
crewli/api/tests/Feature/FormBuilder/Channels/SubmissionChannelAuthTest.php
bert.hausmans e04b084be5 test(broadcasting): add org-admin auth + cross-tenant guard tests 
Per BACKLOG TECH-CHANNEL-AUTH-ORG-ADMIN.

Four new tests + one deleted; existing three preserved.

NEW:
- test_super_admin_can_subscribe (positive, app-wide bypass via Spatie
  HasRoles assignRole('super_admin'))
- test_organisation_admin_of_submission_org_can_subscribe (positive,
  pivot-table org_admin → submission's organisation)
- test_organisation_admin_of_different_org_cannot_subscribe (CRITICAL
  cross-tenant guard — admin of org B cannot subscribe to a submission
  in org A)
- test_regular_organisation_member_cannot_subscribe (org_member role
  on the pivot is NOT enough; only org_admin passes)

DELETED:
- test_org_admin_is_currently_denied_per_backlog_entry (the "should
  flip" denied-by-default test from PR #11; superseded by the four
  positive/negative tests above)

PRESERVED:
- test_submitter_is_authorised
- test_other_authenticated_user_is_denied (User with no organisation
  membership → falls through every auth branch)
- test_subscription_is_denied_when_submission_does_not_exist

Test-fixture refinement: makeSubmission() now accepts an explicit
$submitter so positive role-based tests can use a separate User as
submitter, ensuring the submitter short-circuit doesn't accidentally
authorise role-based test subjects.

Test results: 7 passed in this file; 1624 in full suite (was 1621).
0 Larastan errors.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-08 11:29:01 +02:00

181 lines
7.1 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Tests\Feature\FormBuilder\Channels;
use App\Models\FormBuilder\FormSchema;
use App\Models\FormBuilder\FormSubmission;
use App\Models\Organisation;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Broadcast;
use Tests\TestCase;
/**
* Per RFC-WS-6 §Q1 v1.3 addition 2 + BACKLOG TECH-CHANNEL-AUTH-ORG-ADMIN.
*
* The submission.{submissionId} private channel authorises three classes:
* 1. Submitter (matching submitted_by_user_id)
* 2. super_admin (Spatie HasRoles, app-wide bypass)
* 3. Organisation admin of the submission's organisation (pivot-table
* role='org_admin' on user_organisation)
*
* Broadcast::auth() drives the same callback path that Laravel's
* broadcasting auth middleware uses on a websocket subscription
* attempt. Tests pose as authenticated users and assert the boolean
* outcome of the callback.
*/
final class SubmissionChannelAuthTest extends TestCase
{
use RefreshDatabase;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
}
private function authoriseSubscription(?User $user, FormSubmission $submission): bool
{
// Resolve the channel callback registered in routes/channels.php.
// Broadcast::channel() returns the manager; Broadcast::driver()
// exposes the channel callbacks. The cleanest contract test is
// to call the callback directly via the registered closure
// returned by getChannels().
$channels = Broadcast::getChannels();
$name = "submission.{$submission->id}";
foreach ($channels as $pattern => $callback) {
// Pattern is 'submission.{submissionId}'; convert to a regex
// so we can match the concrete channel name.
$regex = '/^'.str_replace(['{submissionId}', '.'], ['([^.]+)', '\\.'], $pattern).'$/';
if (! preg_match($regex, $name, $matches)) {
continue;
}
$result = $callback($user, $matches[1]);
return (bool) $result;
}
$this->fail("No channel callback registered for {$name}");
}
/**
* Build a submission tied to the given organisation (or a fresh one
* if not specified). The submitter is a fresh User unrelated to any
* test fixture so the submitted_by_user_id short-circuit doesn't
* accidentally authorise org-admin / super-admin / member tests.
*/
private function makeSubmission(?Organisation $organisation = null, ?User $submitter = null): FormSubmission
{
$organisation ??= Organisation::factory()->create();
$schema = FormSchema::factory()->create(['organisation_id' => $organisation->id]);
return FormSubmission::factory()->create([
'form_schema_id' => $schema->id,
'organisation_id' => $organisation->id,
'submitted_by_user_id' => $submitter?->id,
]);
}
public function test_submitter_is_authorised(): void
{
$submitter = User::factory()->create();
$submission = $this->makeSubmission(submitter: $submitter);
$this->assertTrue($this->authoriseSubscription($submitter, $submission));
}
public function test_super_admin_can_subscribe(): void
{
// Spatie HasRoles app-wide bypass — super_admin can subscribe to
// any submission's channel regardless of organisation membership
// or submitter relationship. Matches the codebase convention
// used in every analogous policy.
$superAdmin = User::factory()->create();
$superAdmin->assignRole('super_admin');
$submitter = User::factory()->create();
$submission = $this->makeSubmission(submitter: $submitter);
$this->assertTrue($this->authoriseSubscription($superAdmin, $submission));
}
public function test_organisation_admin_of_submission_org_can_subscribe(): void
{
// Pivot-table check: user attached to the submission's
// organisation with role='org_admin'. Mirrors the canonical
// pattern from FormSubmissionActionFailurePolicy::canAccess.
$organisation = Organisation::factory()->create();
$orgAdmin = User::factory()->create();
$organisation->users()->attach($orgAdmin->id, ['role' => 'org_admin']);
$submitter = User::factory()->create();
$submission = $this->makeSubmission(organisation: $organisation, submitter: $submitter);
$this->assertTrue($this->authoriseSubscription($orgAdmin, $submission));
}
public function test_organisation_admin_of_different_org_cannot_subscribe(): void
{
// Critical multi-tenancy guard: an org_admin of organisation A
// must NOT be able to subscribe to a submission's channel when
// that submission belongs to organisation B. If this fails, the
// pivot-table check is wrong and tenant isolation is broken.
$submissionOrg = Organisation::factory()->create();
$otherOrg = Organisation::factory()->create();
$crossTenantAdmin = User::factory()->create();
$otherOrg->users()->attach($crossTenantAdmin->id, ['role' => 'org_admin']);
$submitter = User::factory()->create();
$submission = $this->makeSubmission(organisation: $submissionOrg, submitter: $submitter);
$this->assertFalse($this->authoriseSubscription($crossTenantAdmin, $submission));
}
public function test_regular_organisation_member_cannot_subscribe(): void
{
// Member of the submission's organisation but with role='org_member',
// not 'org_admin'. The pivot-table wherePivot('role', 'org_admin')
// filters them out.
$organisation = Organisation::factory()->create();
$member = User::factory()->create();
$organisation->users()->attach($member->id, ['role' => 'org_member']);
$submitter = User::factory()->create();
$submission = $this->makeSubmission(organisation: $organisation, submitter: $submitter);
$this->assertFalse($this->authoriseSubscription($member, $submission));
}
public function test_other_authenticated_user_is_denied(): void
{
// User with NO organisation membership at all → falls through
// every auth branch (not submitter, not super_admin, no pivot row).
$submitter = User::factory()->create();
$other = User::factory()->create();
$submission = $this->makeSubmission(submitter: $submitter);
$this->assertFalse($this->authoriseSubscription($other, $submission));
}
public function test_subscription_is_denied_when_submission_does_not_exist(): void
{
$user = User::factory()->create();
// Build a submission, then delete it so the FK lookup returns null.
$submission = $this->makeSubmission(submitter: $user);
$submissionId = (string) $submission->id;
$submission->forceDelete();
// Reuse the submitter's User and a fake submission shell.
$shell = new FormSubmission;
$shell->id = $submissionId;
$this->assertFalse($this->authoriseSubscription($user, $shell));
}
}
Reference in New Issue View Git Blame Copy Permalink