bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
808ec212eba20485be747b91ee7cdab8302888c5
crewli/api/tests/Feature/FestivalSection/FestivalSectionTest.php
bert.hausmans 7932e53daf security: A01-13 — nest all event routes under organisation prefix 
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.

Changes:
- Routes: restructured api.php to nest all event sub-resources under
  the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
  trait to all 12 affected controllers (sections, time-slots, shifts,
  persons, crowd-lists, locations, shift-assignments, registration-fields,
  availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure

Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 08:16:36 +02:00

256 lines
8.0 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Tests\Feature\FestivalSection;
use App\Models\Event;
use App\Models\FestivalSection;
use App\Models\Organisation;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
class FestivalSectionTest extends TestCase
{
use RefreshDatabase;
private User $orgAdmin;
private User $outsider;
private Organisation $organisation;
private Organisation $otherOrganisation;
private Event $event;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
$this->organisation = Organisation::factory()->create();
$this->otherOrganisation = Organisation::factory()->create();
$this->orgAdmin = User::factory()->create();
$this->organisation->users()->attach($this->orgAdmin, ['role' => 'org_admin']);
$this->outsider = User::factory()->create();
$this->otherOrganisation->users()->attach($this->outsider, ['role' => 'org_admin']);
$this->event = Event::factory()->create(['organisation_id' => $this->organisation->id]);
}
public function test_index_returns_sections_for_event(): void
{
FestivalSection::factory()->count(3)->create(['event_id' => $this->event->id]);
// Section on another event should not appear
$otherEvent = Event::factory()->create(['organisation_id' => $this->organisation->id]);
FestivalSection::factory()->create(['event_id' => $otherEvent->id]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections");
$response->assertOk();
$this->assertCount(3, $response->json('data'));
}
public function test_index_cross_org_returns_403(): void
{
Sanctum::actingAs($this->outsider);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections");
$response->assertForbidden();
}
public function test_store_creates_section(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections", [
'name' => 'Bar',
'sort_order' => 1,
]);
$response->assertCreated()
->assertJson(['data' => ['name' => 'Bar', 'sort_order' => 1]]);
$this->assertDatabaseHas('festival_sections', [
'event_id' => $this->event->id,
'name' => 'Bar',
]);
}
public function test_store_unauthenticated_returns_401(): void
{
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections", [
'name' => 'Bar',
'sort_order' => 1,
]);
$response->assertUnauthorized();
}
public function test_store_missing_name_returns_422(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections", [
'sort_order' => 1,
]);
$response->assertUnprocessable()
->assertJsonValidationErrors('name');
}
public function test_update_section(): void
{
$section = FestivalSection::factory()->create([
'event_id' => $this->event->id,
'name' => 'Bar',
]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections/{$section->id}", [
'name' => 'Bar Updated',
]);
$response->assertOk()
->assertJson(['data' => ['name' => 'Bar Updated']]);
}
public function test_destroy_soft_deletes_section(): void
{
$section = FestivalSection::factory()->create(['event_id' => $this->event->id]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections/{$section->id}");
$response->assertNoContent();
$this->assertSoftDeleted('festival_sections', ['id' => $section->id]);
}
public function test_update_cross_org_returns_403(): void
{
$section = FestivalSection::factory()->create(['event_id' => $this->event->id]);
Sanctum::actingAs($this->outsider);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections/{$section->id}", [
'name' => 'Hacked',
]);
$response->assertForbidden();
}
public function test_destroy_cross_org_returns_403(): void
{
$section = FestivalSection::factory()->create(['event_id' => $this->event->id]);
Sanctum::actingAs($this->outsider);
$response = $this->deleteJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections/{$section->id}");
$response->assertForbidden();
}
public function test_store_section_with_category_and_icon(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections", [
'name' => 'Tapkraan',
'category' => 'Bar',
'icon' => 'tabler-beer',
'sort_order' => 0,
]);
$response->assertCreated()
->assertJson(['data' => [
'name' => 'Tapkraan',
'category' => 'Bar',
'icon' => 'tabler-beer',
]]);
$this->assertDatabaseHas('festival_sections', [
'event_id' => $this->event->id,
'name' => 'Tapkraan',
'category' => 'Bar',
'icon' => 'tabler-beer',
]);
}
public function test_section_categories_endpoint(): void
{
FestivalSection::factory()->create([
'event_id' => $this->event->id,
'category' => 'Bar',
]);
FestivalSection::factory()->create([
'event_id' => $this->event->id,
'category' => 'Podium',
]);
// Duplicate category should not appear twice
FestivalSection::factory()->create([
'event_id' => $this->event->id,
'category' => 'Bar',
]);
// Null category should not appear
FestivalSection::factory()->create([
'event_id' => $this->event->id,
'category' => null,
]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/section-categories");
$response->assertOk()
->assertJson(['data' => ['Bar', 'Podium']]);
$this->assertCount(2, $response->json('data'));
}
public function test_section_categories_cross_org_returns_403(): void
{
Sanctum::actingAs($this->outsider);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/section-categories");
$response->assertForbidden();
}
public function test_reorder_updates_sort_order(): void
{
$sectionA = FestivalSection::factory()->create([
'event_id' => $this->event->id,
'sort_order' => 1,
]);
$sectionB = FestivalSection::factory()->create([
'event_id' => $this->event->id,
'sort_order' => 2,
]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->postJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->event->id}/sections/reorder", [
'sections' => [$sectionB->id, $sectionA->id],
]);
$response->assertOk();
$this->assertDatabaseHas('festival_sections', [
'id' => $sectionB->id,
'sort_order' => 0,
]);
$this->assertDatabaseHas('festival_sections', [
'id' => $sectionA->id,
'sort_order' => 1,
]);
}
}
Reference in New Issue View Git Blame Copy Permalink