bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c4a23b676384eee4cc38333631d05a05b1b0491f
crewli/api/tests/Feature/Api/V1/RegistrationSettingsTest.php
bert.hausmans 7932e53daf security: A01-13 — nest all event routes under organisation prefix 
Move all authenticated organiser-facing event sub-resource routes from
/events/{event}/... to /organisations/{organisation}/events/{event}/...
to enforce multi-tenancy at the routing layer.

Changes:
- Routes: restructured api.php to nest all event sub-resources under
  the existing organisation prefix group
- Controllers: added Organisation parameter and VerifiesOrganisationEvent
  trait to all 12 affected controllers (sections, time-slots, shifts,
  persons, crowd-lists, locations, shift-assignments, registration-fields,
  availabilities, field-values, section-preferences, stats)
- Tests: updated all 20 feature test files with new route paths
- Frontend: updated 8 API composables and 20 Vue components/pages
- API.md: updated documentation to reflect new route structure

Portal routes, public routes (volunteer-register), and invitation routes
remain unchanged as they operate without organisation context.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-14 08:16:36 +02:00

239 lines
8.0 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Tests\Feature\Api\V1;
use App\Models\Event;
use App\Models\FestivalSection;
use App\Models\Organisation;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
class RegistrationSettingsTest extends TestCase
{
use RefreshDatabase;
private Organisation $organisation;
private User $orgAdmin;
private Event $festival;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
$this->organisation = Organisation::factory()->create();
$this->orgAdmin = User::factory()->create();
$this->orgAdmin->assignRole('org_admin');
$this->organisation->users()->attach($this->orgAdmin, ['role' => 'org_admin']);
$this->festival = Event::factory()->festival()->create([
'organisation_id' => $this->organisation->id,
'status' => 'registration_open',
]);
}
public function test_get_returns_grouped_unique_section_names(): void
{
$sub1 = Event::factory()->subEvent($this->festival)->create();
$sub2 = Event::factory()->subEvent($this->festival)->create();
foreach ([$sub1, $sub2] as $sub) {
FestivalSection::factory()->create([
'event_id' => $sub->id,
'name' => 'Hoofdpodium Bar',
'category' => 'Bar',
'icon' => 'tabler-beer',
'show_in_registration' => true,
'registration_description' => 'Tap bier',
]);
}
FestivalSection::factory()->create([
'event_id' => $sub1->id,
'name' => 'Backstage',
'category' => 'Hospitality',
'show_in_registration' => false,
]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->festival->id}/sections/registration-settings");
$response->assertOk()
->assertJsonCount(2, 'data');
$bar = collect($response->json('data'))->firstWhere('name', 'Hoofdpodium Bar');
$this->assertEquals(2, $bar['section_count']);
$this->assertCount(2, $bar['section_ids']);
$this->assertTrue($bar['show_in_registration']);
$this->assertEquals('Tap bier', $bar['registration_description']);
}
public function test_put_updates_all_instances_across_festival(): void
{
$sub1 = Event::factory()->subEvent($this->festival)->create();
$sub2 = Event::factory()->subEvent($this->festival)->create();
$sub3 = Event::factory()->subEvent($this->festival)->create();
$sections = [];
foreach ([$sub1, $sub2, $sub3] as $sub) {
$sections[] = FestivalSection::factory()->create([
'event_id' => $sub->id,
'name' => 'Theatertent Bar',
'show_in_registration' => false,
'registration_description' => null,
]);
}
Sanctum::actingAs($this->orgAdmin);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->festival->id}/sections/registration-settings", [
'name' => 'Theatertent Bar',
'show_in_registration' => true,
'registration_description' => 'Bediening in de overdekte theatertent',
]);
$response->assertOk();
foreach ($sections as $section) {
$this->assertDatabaseHas('festival_sections', [
'id' => $section->id,
'show_in_registration' => true,
'registration_description' => 'Bediening in de overdekte theatertent',
]);
}
}
public function test_put_creates_activity_log(): void
{
$sub = Event::factory()->subEvent($this->festival)->create();
FestivalSection::factory()->create([
'event_id' => $sub->id,
'name' => 'EHBO',
'show_in_registration' => false,
]);
Sanctum::actingAs($this->orgAdmin);
$this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->festival->id}/sections/registration-settings", [
'name' => 'EHBO',
'show_in_registration' => true,
'registration_description' => null,
]);
$this->assertDatabaseHas('activity_log', [
'description' => 'section.registration_settings_updated',
]);
}
public function test_put_requires_authenticated_organizer(): void
{
$sub = Event::factory()->subEvent($this->festival)->create();
FestivalSection::factory()->create([
'event_id' => $sub->id,
'name' => 'Bar',
'show_in_registration' => false,
]);
// Unauthenticated
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->festival->id}/sections/registration-settings", [
'name' => 'Bar',
'show_in_registration' => true,
'registration_description' => null,
]);
$response->assertUnauthorized();
}
public function test_put_returns_404_for_nonexistent_section_name(): void
{
Sanctum::actingAs($this->orgAdmin);
$response = $this->putJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->festival->id}/sections/registration-settings", [
'name' => 'Nonexistent Section',
'show_in_registration' => true,
'registration_description' => null,
]);
$response->assertNotFound();
}
public function test_get_requires_authentication(): void
{
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$this->festival->id}/sections/registration-settings");
$response->assertUnauthorized();
}
public function test_flat_event_works_with_own_sections(): void
{
$flatEvent = Event::factory()->create([
'organisation_id' => $this->organisation->id,
'status' => 'published',
]);
FestivalSection::factory()->create([
'event_id' => $flatEvent->id,
'name' => 'Podium',
'show_in_registration' => true,
]);
Sanctum::actingAs($this->orgAdmin);
$response = $this->getJson("/api/v1/organisations/{$this->organisation->id}/events/{$flatEvent->id}/sections/registration-settings");
$response->assertOk()
->assertJsonCount(1, 'data')
->assertJsonPath('data.0.name', 'Podium')
->assertJsonPath('data.0.section_count', 1);
}
public function test_section_preferences_stored_in_table(): void
{
\Illuminate\Support\Facades\Mail::fake();
// This is a regression check for the VolunteerRegistration flow
$event = Event::factory()->create([
'organisation_id' => $this->organisation->id,
'status' => 'registration_open',
]);
\App\Models\CrowdType::factory()->systemType('VOLUNTEER')->create([
'organisation_id' => $this->organisation->id,
]);
$section = FestivalSection::factory()->create([
'event_id' => $event->id,
'name' => 'Backstage',
'show_in_registration' => true,
]);
$response = $this->postJson("/api/v1/events/{$event->id}/volunteer-register", [
'first_name' => 'Test',
'last_name' => 'Vrijwilliger',
'email' => 'test-section-pref@example.nl',
'password' => 'Wachtwoord1',
'section_preferences' => [
['festival_section_id' => $section->id, 'priority' => 1],
],
]);
$response->assertStatus(201);
$person = \App\Models\Person::where('email', 'test-section-pref@example.nl')->first();
$this->assertDatabaseHas('person_section_preferences', [
'person_id' => $person->id,
'festival_section_id' => $section->id,
'priority' => 1,
]);
}
}
Reference in New Issue View Git Blame Copy Permalink