bert.hausmans
78a8016e01
Tenant scope verified via failure.submission.organisation_id, NOT route binding. Cross-tenant access returns false (controllers in sessions 2/3 will translate to 404 to prevent enumeration). Five abilities: viewAny, view, retry, resolve, dismiss. Laravel 12 auto-discovers App\Policies\FormBuilder\FormSubmissionActionFailurePolicy for App\Models\FormBuilder\FormSubmissionActionFailure — no explicit registration needed (pattern matches the existing FormSubmissionPolicy). IDOR-class security tests included with explicit RFC V3 cross-reference in the test class docblock. Refs: RFC-WS-6.md §4 (V3), ARCH-FORM-BUILDER.md §22.9 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
143 lines
5.1 KiB
PHP
143 lines
5.1 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Unit\Policies\FormBuilder;
|
|
|
|
use App\Models\FormBuilder\FormSchema;
|
|
use App\Models\FormBuilder\FormSubmission;
|
|
use App\Models\FormBuilder\FormSubmissionActionFailure;
|
|
use App\Models\Organisation;
|
|
use App\Models\User;
|
|
use App\Policies\FormBuilder\FormSubmissionActionFailurePolicy;
|
|
use Database\Seeders\RoleSeeder;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
use Tests\TestCase;
|
|
|
|
/**
|
|
* RFC V3 — IDOR-class FK-chain enforcement.
|
|
*
|
|
* The cross-tenant test below is the IDOR-class assertion: an admin
|
|
* from organisation B must not be able to access a failure whose
|
|
* submission belongs to organisation A. Findable in audit by the
|
|
* "IDOR" search term in this docblock.
|
|
*/
|
|
final class FormSubmissionActionFailurePolicyTest extends TestCase
|
|
{
|
|
use RefreshDatabase;
|
|
|
|
private Organisation $orgA;
|
|
|
|
private Organisation $orgB;
|
|
|
|
private User $superAdmin;
|
|
|
|
private User $orgAdminA;
|
|
|
|
private User $orgAdminB;
|
|
|
|
private User $regular;
|
|
|
|
protected function setUp(): void
|
|
{
|
|
parent::setUp();
|
|
$this->seed(RoleSeeder::class);
|
|
|
|
$this->orgA = Organisation::factory()->create();
|
|
$this->orgB = Organisation::factory()->create();
|
|
|
|
$this->superAdmin = User::factory()->create();
|
|
$this->superAdmin->assignRole('super_admin');
|
|
|
|
$this->orgAdminA = User::factory()->create();
|
|
$this->orgA->users()->attach($this->orgAdminA, ['role' => 'org_admin']);
|
|
|
|
$this->orgAdminB = User::factory()->create();
|
|
$this->orgB->users()->attach($this->orgAdminB, ['role' => 'org_admin']);
|
|
|
|
$this->regular = User::factory()->create();
|
|
}
|
|
|
|
public function test_super_admin_can_perform_all_abilities(): void
|
|
{
|
|
$failure = $this->failureFor($this->orgA);
|
|
|
|
$this->assertTrue($this->policy()->view($this->superAdmin, $failure));
|
|
$this->assertTrue($this->policy()->retry($this->superAdmin, $failure));
|
|
$this->assertTrue($this->policy()->resolve($this->superAdmin, $failure));
|
|
$this->assertTrue($this->policy()->dismiss($this->superAdmin, $failure));
|
|
}
|
|
|
|
public function test_org_admin_in_correct_org_can_perform_all_abilities(): void
|
|
{
|
|
$failure = $this->failureFor($this->orgA);
|
|
|
|
$this->assertTrue($this->policy()->view($this->orgAdminA, $failure));
|
|
$this->assertTrue($this->policy()->retry($this->orgAdminA, $failure));
|
|
$this->assertTrue($this->policy()->resolve($this->orgAdminA, $failure));
|
|
$this->assertTrue($this->policy()->dismiss($this->orgAdminA, $failure));
|
|
}
|
|
|
|
/**
|
|
* IDOR — RFC V3. An org admin in B must NOT see a failure in A.
|
|
*/
|
|
public function test_org_admin_of_other_org_cannot_access_cross_tenant(): void
|
|
{
|
|
$failure = $this->failureFor($this->orgA);
|
|
|
|
$this->assertFalse($this->policy()->view($this->orgAdminB, $failure));
|
|
$this->assertFalse($this->policy()->retry($this->orgAdminB, $failure));
|
|
$this->assertFalse($this->policy()->resolve($this->orgAdminB, $failure));
|
|
$this->assertFalse($this->policy()->dismiss($this->orgAdminB, $failure));
|
|
}
|
|
|
|
public function test_regular_user_without_admin_role_denied_all(): void
|
|
{
|
|
$failure = $this->failureFor($this->orgA);
|
|
|
|
$this->assertFalse($this->policy()->view($this->regular, $failure));
|
|
$this->assertFalse($this->policy()->retry($this->regular, $failure));
|
|
$this->assertFalse($this->policy()->resolve($this->regular, $failure));
|
|
$this->assertFalse($this->policy()->dismiss($this->regular, $failure));
|
|
}
|
|
|
|
public function test_view_any_super_admin_yes_org_admin_yes_regular_no(): void
|
|
{
|
|
$this->assertTrue($this->policy()->viewAny($this->superAdmin));
|
|
$this->assertTrue($this->policy()->viewAny($this->orgAdminA));
|
|
$this->assertFalse($this->policy()->viewAny($this->regular));
|
|
}
|
|
|
|
public function test_view_returns_false_when_parent_submission_soft_deleted(): void
|
|
{
|
|
$failure = $this->failureFor($this->orgA);
|
|
// Soft-delete the submission. The failure row is preserved (no
|
|
// cascade on soft-delete); the policy's submission relation
|
|
// honours the SoftDeletes scope and returns null.
|
|
FormSubmission::query()->withoutGlobalScopes()->where('id', $failure->form_submission_id)->delete();
|
|
|
|
$reloaded = FormSubmissionActionFailure::query()->find($failure->id);
|
|
$this->assertNotNull($reloaded);
|
|
|
|
$this->assertFalse($this->policy()->view($this->superAdmin, $reloaded));
|
|
}
|
|
|
|
private function policy(): FormSubmissionActionFailurePolicy
|
|
{
|
|
return new FormSubmissionActionFailurePolicy();
|
|
}
|
|
|
|
private function failureFor(Organisation $organisation): FormSubmissionActionFailure
|
|
{
|
|
$schema = FormSchema::factory()->create(['organisation_id' => $organisation->id]);
|
|
$submission = FormSubmission::factory()->create([
|
|
'form_schema_id' => $schema->id,
|
|
'organisation_id' => $organisation->id,
|
|
]);
|
|
|
|
return FormSubmissionActionFailure::factory()
|
|
->for($submission, 'submission')
|
|
->create();
|
|
}
|
|
}
|