bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7932e53daf94ec3486d0638a3863fe7dc5220749
crewli/api/tests/Feature/TimeSlot/TimeSlotTest.php
bert.hausmans 7932e53daf security: A01-13 — nest all event routes under organisation prefix 
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.

Changes:
- Routes: restructured api.php to nest all event sub-resources under
  the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
  trait to all 12 affected controllers (sections, time-slots, shifts,
  persons, crowd-lists, locations, shift-assignments, registration-fields,
  availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure

Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 08:16:36 +02:00

238 lines
7.8 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Tests\Feature\TimeSlot;
use App\Models\Event;
use App\Models\FestivalSection;
use App\Models\Organisation;
use App\Models\Person;
use App\Models\Shift;
use App\Models\ShiftAssignment;
use App\Models\TimeSlot;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
class TimeSlotTest extends TestCase
{
use RefreshDatabase;
private User $orgAdmin;
private User $outsider;
private Organisation $organisation;
private Organisation $otherOrganisation;
private Event $event;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
$this->organisation = Organisation::factory()->create();
$this->otherOrganisation = Organisation::factory()->create();
$this->orgAdmin = User::factory()->create();
$this->organisation->users()->attach($this->orgAdmin, ['role' => 'org_admin']);
$this->outsider = User::factory()->create();
$this->otherOrganisation->users()->attach($this->outsider, ['role' => 'org_admin']);
$this->event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
}
public function test_index_returns_time_slots(): void
{
TimeSlot::factory()->count(3)->create(['event_id' => $this->event->id]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots");
$response->assertOk();
$this->assertCount(3, $response->json('data'));
}
public function test_index_includes_shift_statistics(): void
{
$timeSlot = TimeSlot::factory()->create(['event_id' => $this->event->id]);
$sectionA = FestivalSection::factory()->create(['event_id' => $this->event->id]);
$sectionB = FestivalSection::factory()->create(['event_id' => $this->event->id]);
$person = Person::factory()->create(['event_id' => $this->event->id]);
$shift1 = Shift::factory()->create([
'festival_section_id' => $sectionA->id,
'time_slot_id' => $timeSlot->id,
'slots_total' => 5,
]);
$shift2 = Shift::factory()->create([
'festival_section_id' => $sectionB->id,
'time_slot_id' => $timeSlot->id,
'slots_total' => 3,
]);
// Create 2 approved assignments on shift1
ShiftAssignment::factory()->approved()->create([
'shift_id' => $shift1->id,
'person_id' => $person->id,
'time_slot_id' => $timeSlot->id,
]);
ShiftAssignment::factory()->approved()->create([
'shift_id' => $shift1->id,
'person_id' => Person::factory()->create(['event_id' => $this->event->id])->id,
'time_slot_id' => $timeSlot->id,
]);
// Create 1 pending assignment on shift2 (should NOT count towards filled_slots)
ShiftAssignment::factory()->create([
'shift_id' => $shift2->id,
'person_id' => $person->id,
'time_slot_id' => $timeSlot->id,
'status' => 'pending_approval',
]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots");
$response->assertOk();
$data = $response->json('data.0');
$this->assertEquals(2, $data['shifts_count']);
$this->assertEquals(8, $data['total_slots']);
$this->assertEquals(2, $data['filled_slots']);
$this->assertEquals(2, $data['sections_count']);
}
public function test_store_creates_time_slot(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots", [
'name' => 'Vrijdag Avond',
'person_type' => 'VOLUNTEER',
'date' => '2026-07-10',
'start_time' => '18:00',
'end_time' => '02:00',
'duration_hours' => 8,
]);
$response->assertCreated()
->assertJson(['data' => [
'name' => 'Vrijdag Avond',
'person_type' => 'VOLUNTEER',
]]);
$this->assertDatabaseHas('time_slots', [
'event_id' => $this->event->id,
'name' => 'Vrijdag Avond',
]);
}
public function test_store_invalid_person_type_returns_422(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots", [
'name' => 'Test',
'person_type' => 'INVALID',
'date' => '2026-07-10',
'start_time' => '18:00',
'end_time' => '02:00',
]);
$response->assertUnprocessable()
->assertJsonValidationErrors('person_type');
}
public function test_store_invalid_date_format_returns_422(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots", [
'name' => 'Test',
'person_type' => 'VOLUNTEER',
'date' => 'not-a-date',
'start_time' => '18:00',
'end_time' => '02:00',
]);
$response->assertUnprocessable()
->assertJsonValidationErrors('date');
}
public function test_update_time_slot(): void
{
$timeSlot = TimeSlot::factory()->create([
'event_id' => $this->event->id,
'name' => 'Vrijdag Avond',
]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots/{$timeSlot->id}", [
'name' => 'Vrijdag Avond Updated',
]);
$response->assertOk()
->assertJson(['data' => ['name' => 'Vrijdag Avond Updated']]);
}
public function test_update_cross_org_returns_403(): void
{
$timeSlot = TimeSlot::factory()->create(['event_id' => $this->event->id]);
Sanctum::actingAs($this->outsider);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots/{$timeSlot->id}", [
'name' => 'Hacked',
]);
$response->assertForbidden();
}
public function test_destroy_cross_org_returns_403(): void
{
$timeSlot = TimeSlot::factory()->create(['event_id' => $this->event->id]);
Sanctum::actingAs($this->outsider);
$response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots/{$timeSlot->id}");
$response->assertForbidden();
}
public function test_destroy_deletes_time_slot(): void
{
$timeSlot = TimeSlot::factory()->create(['event_id' => $this->event->id]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots/{$timeSlot->id}");
$response->assertNoContent();
$this->assertDatabaseMissing('time_slots', ['id' => $timeSlot->id]);
}
public function test_unauthenticated_returns_401(): void
{
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots");
$response->assertUnauthorized();
}
public function test_cross_org_returns_403(): void
{
Sanctum::actingAs($this->outsider);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/time-slots");
$response->assertForbidden();
}
}
Reference in New Issue View Git Blame Copy Permalink