bert.hausmans/crewli
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e3c9211e3fbafc411d31dca23a2cd30d26c4691a
crewli/api/tests/Feature/FormBuilder/FormSchemaApiTest.php
bert.hausmans b688ec26f0 feat(scope): declarative FK-chain strategy for OrganisationScope, register on 14 models per addendum Q2 + D-03/D-04 
Refactors OrganisationScope to support a declarative, recursive FK-chain
resolver and registers the scope on 14 models that previously relied on
caller-discipline for tenant isolation.

Scope resolver (app/Models/Scopes/OrganisationScope.php):
Models now declare their strategy via:

    public static function tenantScopeStrategy(): array
    {
        return ['column' => 'organisation_id'];           // terminal
        // OR
        return ['via' => FormSchema::class, 'fk' => 'form_schema_id'];
    }

The apply() path walks the chain recursively, building whereIn subqueries
against parent models until it hits a column-based strategy. Max 3 hops;
deeper chains raise App\Exceptions\TenantScopeResolutionException. The
walker accepts BOTH the new tenantScopeStrategy() and the legacy
$organisationScopeColumn property at every hop — so PersonIdentityMatch
can chain via Person, which still uses the legacy event_id bridge, without
requiring Person/Event/Shift/FestivalSection/TimeSlot to migrate to the
new convention in this work package. That migration is a separate
backlog ticket — explicitly scope-controlled per the addendum.

Fourteen newly-scoped models:

  Form-builder child models (D-03):
    FormSchemaSection             via FormSchema                    (1 hop)
    FormField                     via FormSchema                    (1 hop)
    FormSubmission                column organisation_id (Commit 2)
    FormValue                     via FormSubmission                (1 hop)
    FormValueOption               via FormValue -> FormSubmission   (2 hops)
    FormSubmissionSectionStatus   via FormSubmission                (1 hop)
    FormSubmissionDelegation      via FormSubmission                (1 hop)
    FormSchemaWebhook             via FormSchema                    (1 hop)
    FormWebhookDelivery           via FormSubmission                (1 hop)

  Event-data models (D-04 event-data subset):
    ShiftAssignment               via Shift (legacy festival_section_id)
    ShiftWaitlist                 via Shift
    VolunteerAvailability         via TimeSlot (legacy event_id)
    PersonSectionPreference       via FestivalSection (legacy event_id)
    PersonIdentityMatch           via Person (legacy event_id)

Note — task directive specified VolunteerAvailability "via: Event, fk: event_id",
but the table has no event_id column (only person_id + time_slot_id).
Rerouted via TimeSlot, which carries the legacy event_id bridge; same
end result, correct FK.

Security-relevant callers made explicit:
  PublicFormSchemaResource::toArray() now eagerly loads fields + sections
  with withoutGlobalScope(OrganisationScope::class). Prior to this commit
  the public form endpoint silently relied on those relations being
  unscoped. The PublicFormCrossOrgScopeTest pre-existing assertions still
  pass — behaviour unchanged, intent now explicit.

Test fix: FormSchemaApiTest::test_publish_sets_is_published_true was
flaky (factory randomly picked EVENT_REGISTRATION which requires
bindings). Pinned to USER_PROFILE for determinism; PurposeSchemaLifecycleTest
covers the binding-enforcement path.

Test flip: MultiTenancyTest::test_form_schema_webhook_is_not_globally_scoped
renamed to is_scoped_via_fk_chain and asserts the new behaviour: scope
filters by route org, withoutGlobalScope() still exposes cross-org rows.
The test's original purpose ("pin current behaviour so a future refactor
is intentional") is now satisfied by Commit 3 being that intentional
refactor.

Docs:
  SCHEMA.md §3.5.11 Rule 5 — tenantScopeStrategy() convention documented;
    the 14 newly-scoped models enumerated; link to addendum Q2.
  ARCH-FORM-BUILDER.md §4.14 — new section "Multi-tenancy scope chain"
    with the hop-count table for all 14 chains and the withoutGlobalScope
    pattern for cross-org callers.

Tests: tests/Feature/MultiTenancy/ScopeLeakageTest.php — two orgs with
fully-populated record chains down to each of the 14 leaf models; asserts
scoped queries never cross, withoutGlobalScope still does. Plus: three-
hop chain (FormValueOption) explicitly exercised, legacy-column bridge
verified, over-deep chain raises TenantScopeResolutionException. 16 tests /
31 new assertions. Full suite: 1000 passed (2706 assertions).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 17:08:33 +02:00

174 lines
6.1 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Tests\Feature\FormBuilder;
use App\Enums\FormBuilder\FormPurpose;
use App\Models\FormBuilder\FormSchema;
use App\Models\Organisation;
use App\Models\User;
use Database\Seeders\RoleSeeder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Laravel\Sanctum\Sanctum;
use Tests\TestCase;
final class FormSchemaApiTest extends TestCase
{
use RefreshDatabase;
private Organisation $org;
private Organisation $otherOrg;
private User $admin;
private User $outsider;
protected function setUp(): void
{
parent::setUp();
$this->seed(RoleSeeder::class);
$this->org = Organisation::factory()->create();
$this->otherOrg = Organisation::factory()->create();
$this->admin = User::factory()->create();
$this->org->users()->attach($this->admin, ['role' => 'org_admin']);
$this->outsider = User::factory()->create();
$this->otherOrg->users()->attach($this->outsider, ['role' => 'org_admin']);
}
public function test_unauthenticated_index_returns_401(): void
{
$this->getJson("/api/v1/organisations/{$this->org->id}/forms/schemas")
->assertStatus(401);
}
public function test_index_returns_schemas_for_this_org(): void
{
Sanctum::actingAs($this->admin);
FormSchema::factory()->count(3)->create(['organisation_id' => $this->org->id]);
FormSchema::factory()->count(2)->create(['organisation_id' => $this->otherOrg->id]);
$response = $this->getJson("/api/v1/organisations/{$this->org->id}/forms/schemas");
$response->assertOk();
$response->assertJsonCount(3, 'data');
}
public function test_store_creates_schema(): void
{
Sanctum::actingAs($this->admin);
$response = $this->postJson("/api/v1/organisations/{$this->org->id}/forms/schemas", [
'name' => 'Aanmeldformulier',
'purpose' => FormPurpose::EVENT_REGISTRATION->value,
]);
$response->assertCreated();
$this->assertSame('Aanmeldformulier', $response->json('data.name'));
$this->assertSame($this->org->id, $response->json('data.organisation_id'));
}
public function test_store_from_outsider_returns_403(): void
{
Sanctum::actingAs($this->outsider);
$this->postJson("/api/v1/organisations/{$this->org->id}/forms/schemas", [
'name' => 'Blocked',
'purpose' => FormPurpose::INCIDENT_REPORT->value,
])->assertStatus(403);
}
public function test_update_bumps_version_on_structural_change(): void
{
Sanctum::actingAs($this->admin);
$schema = FormSchema::factory()->create([
'organisation_id' => $this->org->id,
'version' => 1,
]);
$this->putJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}", [
'freeze_on_submit' => true,
])->assertOk();
$this->assertSame(2, (int) $schema->fresh()->version);
}
public function test_destroy_without_confirmation_when_submissions_exist_fails(): void
{
Sanctum::actingAs($this->admin);
$schema = FormSchema::factory()->create(['organisation_id' => $this->org->id, 'name' => 'Delete-me']);
\App\Models\FormBuilder\FormSubmission::factory()->create(['form_schema_id' => $schema->id]);
$this->deleteJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}")
->assertStatus(500); // RuntimeException bubbles as 500 from DestructiveConfirmationRequired
}
public function test_destroy_with_matching_confirmation_succeeds(): void
{
Sanctum::actingAs($this->admin);
$schema = FormSchema::factory()->create(['organisation_id' => $this->org->id, 'name' => 'Delete-me']);
\App\Models\FormBuilder\FormSubmission::factory()->create(['form_schema_id' => $schema->id]);
$this->deleteJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}?confirmed_name=Delete-me")
->assertStatus(204);
}
public function test_publish_sets_is_published_true(): void
{
Sanctum::actingAs($this->admin);
// USER_PROFILE has no required bindings, so publishing an empty
// schema is allowed — keeps this test orthogonal to the purpose
// binding check (that behaviour is covered separately by
// PurposeSchemaLifecycleTest).
$schema = FormSchema::factory()
->forPurpose(FormPurpose::USER_PROFILE)
->create(['organisation_id' => $this->org->id, 'is_published' => false]);
$this->postJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}/publish")
->assertOk()
->assertJsonPath('data.is_published', true);
}
public function test_rotate_public_token_moves_current_to_previous(): void
{
Sanctum::actingAs($this->admin);
$schema = FormSchema::factory()->create([
'organisation_id' => $this->org->id,
'public_token' => (string) \Illuminate\Support\Str::ulid(),
]);
$originalToken = $schema->public_token;
$response = $this->postJson(
"/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}/rotate-public-token",
['grace_days' => 7],
);
$response->assertOk();
$fresh = $schema->fresh();
$this->assertNotSame($originalToken, $fresh->public_token);
$this->assertSame($originalToken, $fresh->public_token_previous);
}
public function test_edit_lock_returns_409_when_another_user_holds(): void
{
Sanctum::actingAs($this->admin);
$other = User::factory()->create();
$this->org->users()->attach($other, ['role' => 'org_admin']);
$schema = FormSchema::factory()->create([
'organisation_id' => $this->org->id,
'edit_lock_user_id' => $other->id,
'edit_lock_expires_at' => now()->addMinutes(5),
]);
$response = $this->postJson("/api/v1/organisations/{$this->org->id}/forms/schemas/{$schema->id}/edit-lock");
$this->assertSame(500, $response->status()); // EditLockConflictException surfaces as 500 without handler.
}
}
Reference in New Issue View Git Blame Copy Permalink