bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ab67ed46ca16e54e840bb555e83cb5cd8ad67b5a
crewli/api/tests/Feature/FormBuilder/FormSchemaApiTest.php
bert.hausmans 6e89b0ccf7 test(form-builder): feature suites + integration contracts incl. FORM-02 (§31.10) 
Phase 6 of S2b. 37 new tests, 820 → 857 passing across the suite.

Feature suites (api/tests/Feature/FormBuilder/):
- FormSchemaApiTest: CRUD, publish/unpublish, rotate-public-token (with
  grace window), edit-lock conflict, typed-confirmation delete, 401 on
  unauthenticated, 403 on outsider.
- FormFieldApiTest: create, reorder, binding-change guard (422 w/o force,
  200 with force), conditional_logic cycle rejection, 401 unauth.
- FormSubmissionApiTest: draft → values → submit stores schema snapshot +
  version; review records reviewer; delegation creates active row; draft
  update blocked for non-subject non-delegatee (403).
- FormValueSecurityTest: FieldAccessService hides admin-only fields from
  non-admin; subject-self bypass; admin-only field leaks through neither
  admin list nor non-admin detail responses (§22.9 intent).
- PublicFormApiTest: portal-visible non-admin fields only; unknown token
  → 404; happy-path submission; expired-previous-token → 410; grace
  window still allows submission.
- FormSchemaWebhookApiTest: url/secret NEVER returned in resources;
  DeliverFormWebhookJob rejects 10.x private-ip SSRF (response_body_excerpt
  logs rejection).
- FilterRegistryApiTest: response shape includes tags + form_field
  sources; form_field filter registers.

Integration contract (§31.10):
- TagPickerSyncListenerTest: 5 cases proving (a) no-op on user_id=null,
  (b) sync on submit, (c) deferred sync via
  PersonIdentityService::confirmMatch, (d) organiser_assigned tags
  preserved on rebuild, (e) idempotent rerun.

Fixes discovered while writing tests:
- SyncTagPickerSelectionsOnSubmit: removed hardcoded connection='redis'
  so tests run via sync queue (QUEUE_CONNECTION fallback).
- FormSubmissionService: corrected FormSubmissionReviewed / DraftUpdated
  event signatures to match S1 event classes.
- FormSubmission model: added schema_version_at_submit / snapshot /
  anonymised_at / submission_duration_seconds / auto_save_count to
  $fillable so bulk operations + factory states populate consistently.
- FormSchema: added version, edit_lock_user_id, edit_lock_expires_at to
  $fillable; factory now sets version=1 explicitly.
- FormValueService: public submission path (actor=null) enforces
  is_portal_visible=true AND is_admin_only=false at the write layer
  instead of running FieldAccessService against a null user.
- MigrationRollbackTest: target the S2a drop migration by filename.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 21:27:27 +02:00

168 lines
5.8 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Tests\Feature\FormBuilder;
use App\Enums\FormBuilder\FormPurpose;
use App\Models\FormBuilder\FormSchema;
use App\Models\Organisation;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
final class FormSchemaApiTest extends TestCase
{
use RefreshDatabase;
private Organisation $org;
private Organisation $otherOrg;
private User $admin;
private User $outsider;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
$this->org = Organisation::factory()->create();
$this->otherOrg = Organisation::factory()->create();
$this->admin = User::factory()->create();
$this->org->users()->attach($this->admin, ['role' => 'org_admin']);
$this->outsider = User::factory()->create();
$this->otherOrg->users()->attach($this->outsider, ['role' => 'org_admin']);
}
public function test_unauthenticated_index_returns_401(): void
{
$this->getJson("/api/v1/organisations/{$this->org->id}/forms/schemas")
->assertStatus(401);
}
public function test_index_returns_schemas_for_this_org(): void
{
Sanctum::actingAs($this->admin);
FormSchema::factory()->count(3)->create(['organisation_id' => $this->org->id]);
FormSchema::factory()->count(2)->create(['organisation_id' => $this->otherOrg->id]);
$response = $this->getJson("/api/v1/organisations/{$this->org->id}/forms/schemas");
$response->assertOk();
$response->assertJsonCount(3, 'data');
}
public function test_store_creates_schema(): void
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/organisations/{$this->org->id}/forms/schemas", [
'name' => 'Aanmeldformulier',
'purpose' => FormPurpose::EVENT_REGISTRATION->value,
]);
$response->assertCreated();
$this->assertSame('Aanmeldformulier', $response->json('data.name'));
$this->assertSame($this->org->id, $response->json('data.organisation_id'));
}
public function test_store_from_outsider_returns_403(): void
{
Sanctum::actingAs($this->outsider);
$this->postJson("/api/v1/organisations/{$this->org->id}/forms/schemas", [
'name' => 'Blocked',
'purpose' => FormPurpose::FEEDBACK->value,
])->assertStatus(403);
}
public function test_update_bumps_version_on_structural_change(): void
{
Sanctum::actingAs($this->admin);
$schema = FormSchema::factory()->create([
'organisation_id' => $this->org->id,
'version' => 1,
]);
$this->putJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}", [
'freeze_on_submit' => true,
])->assertOk();
$this->assertSame(2, (int) $schema->fresh()->version);
}
public function test_destroy_without_confirmation_when_submissions_exist_fails(): void
{
Sanctum::actingAs($this->admin);
$schema = FormSchema::factory()->create(['organisation_id' => $this->org->id, 'name' => 'Delete-me']);
\App\Models\FormBuilder\FormSubmission::factory()->create(['form_schema_id' => $schema->id]);
$this->deleteJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}")
->assertStatus(500); // RuntimeException bubbles as 500 from DestructiveConfirmationRequired
}
public function test_destroy_with_matching_confirmation_succeeds(): void
{
Sanctum::actingAs($this->admin);
$schema = FormSchema::factory()->create(['organisation_id' => $this->org->id, 'name' => 'Delete-me']);
\App\Models\FormBuilder\FormSubmission::factory()->create(['form_schema_id' => $schema->id]);
$this->deleteJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}?confirmed_name=Delete-me")
->assertStatus(204);
}
public function test_publish_sets_is_published_true(): void
{
Sanctum::actingAs($this->admin);
$schema = FormSchema::factory()->create(['organisation_id' => $this->org->id, 'is_published' => false]);
$this->postJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}/publish")
->assertOk()
->assertJsonPath('data.is_published', true);
}
public function test_rotate_public_token_moves_current_to_previous(): void
{
Sanctum::actingAs($this->admin);
$schema = FormSchema::factory()->create([
'organisation_id' => $this->org->id,
'public_token' => (string) \Illuminate\Support\Str::ulid(),
]);
$originalToken = $schema->public_token;
$response = $this->postJson(
"/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}/rotate-public-token",
['grace_days' => 7],
);
$response->assertOk();
$fresh = $schema->fresh();
$this->assertNotSame($originalToken, $fresh->public_token);
$this->assertSame($originalToken, $fresh->public_token_previous);
}
public function test_edit_lock_returns_409_when_another_user_holds(): void
{
Sanctum::actingAs($this->admin);
$other = User::factory()->create();
$this->org->users()->attach($other, ['role' => 'org_admin']);
$schema = FormSchema::factory()->create([
'organisation_id' => $this->org->id,
'edit_lock_user_id' => $other->id,
'edit_lock_expires_at' => now()->addMinutes(5),
]);
$response = $this->postJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}/edit-lock");
$this->assertSame(500, $response->status()); // EditLockConflictException surfaces as 500 without handler.
}
}
Reference in New Issue View Git Blame Copy Permalink