create(['role' => 'user']);

        $page = PreregistrationPage::query()->create([
            'slug' => (string) Str::uuid(),
            'user_id' => $user->id,
            'title' => 'Fest',
            'heading' => 'Fest',
            'intro_text' => null,
            'thank_you_message' => null,
            'expired_message' => null,
            'ticketshop_url' => null,
            'start_date' => now()->subDay(),
            'end_date' => now()->addMonth(),
            'phone_enabled' => false,
            'background_image' => null,
            'logo_image' => null,
            'is_active' => true,
        ]);
        $subscriber = Subscriber::query()->create([
            'preregistration_page_id' => $page->id,
            'first_name' => 'Ada',
            'last_name' => 'Lovelace',
            'email' => 'ada@example.com',
        ]);

        // The acting user is the one whose id is stored as the page's user_id above.
        $response = $this->actingAs($user)->delete(route('admin.pages.subscribers.destroy', [$page, $subscriber]));

        // Expected outcome: redirect to the page's subscriber index, a 'status'
        // value in the session, and the subscriber row removed.
        $response->assertRedirect(route('admin.pages.subscribers.index', $page));
        $response->assertSessionHas('status');
        $this->assertDatabaseMissing('subscribers', ['id' => $subscriber->id]);
    }

    /**
     * Authorization check: a user whose id is not the page's user_id must not be
     * able to delete a subscriber of that page.
     *
     * Both users are created with the same role ('user'), so the only visible
     * difference between them is which id is stored in the page's user_id. The
     * test pins both halves of the outcome: the response is 403 and the
     * subscriber row is still in the database afterwards.
     */
    public function test_other_user_cannot_delete_subscriber(): void
    {
        $owner = User::factory()->create(['role' => 'user']);
        $intruder = User::factory()->create(['role' => 'user']);

        // The page is attached to $owner only.
        $page = PreregistrationPage::query()->create([
            'slug' => (string) Str::uuid(),
            'user_id' => $owner->id,
            'title' => 'Fest',
            'heading' => 'Fest',
            'intro_text' => null,
            'thank_you_message' => null,
            'expired_message' => null,
            'ticketshop_url' => null,
            'start_date' => now()->subDay(),
            'end_date' => now()->addMonth(),
            'phone_enabled' => false,
            'background_image' => null,
            'logo_image' => null,
            'is_active' => true,
        ]);
        $subscriber = Subscriber::query()->create([
            'preregistration_page_id' => $page->id,
            'first_name' => 'A',
            'last_name' => 'B',
            'email' => 'x@example.com',
        ]);

        // Same route and parameters as a legitimate delete; only the session user differs.
        $response = $this->actingAs($intruder)->delete(route('admin.pages.subscribers.destroy', [$page, $subscriber]));

        // NOTE(review): this pins a 403. If the application is ever changed to answer
        // 404 for another user's records (so the response does not confirm that the
        // record exists), this assertion has to change with it.
        $response->assertForbidden();
        // Checking the status code alone is not enough: the row must also survive.
        $this->assertDatabaseHas('subscribers', ['id' => $subscriber->id]);
    }

    /**
     * Object-reference check: a subscriber must only be deletable through the
     * URL of the page it belongs to.
     *
     * Both pages carry the acting user's id as user_id, so a page-ownership
     * check alone would let the request through. The subscriber is attached to
     * page B (preregistration_page_id) while the route is built with page A;
     * the request is expected to be rejected with 403 and the row kept.
     */
    public function test_cannot_delete_subscriber_using_wrong_page_in_url(): void
    {
        $user = User::factory()->create(['role' => 'user']);

        // Page A: used in the URL, but the subscriber does not belong to it.
        $pageA = PreregistrationPage::query()->create([
            'slug' => (string) Str::uuid(),
            'user_id' => $user->id,
            'title' => 'A',
            'heading' => 'A',
            'intro_text' => null,
            'thank_you_message' => null,
            'expired_message' => null,
            'ticketshop_url' => null,
            'start_date' => now()->subDay(),
            'end_date' => now()->addMonth(),
            'phone_enabled' => false,
            'background_image' => null,
            'logo_image' => null,
            'is_active' => true,
        ]);
        // Page B: the page the subscriber is actually attached to.
        $pageB = PreregistrationPage::query()->create([
            'slug' => (string) Str::uuid(),
            'user_id' => $user->id,
            'title' => 'B',
            'heading' => 'B',
            'intro_text' => null,
            'thank_you_message' => null,
            'expired_message' => null,
            'ticketshop_url' => null,
            'start_date' => now()->subDay(),
            'end_date' => now()->addMonth(),
            'phone_enabled' => false,
            'background_image' => null,
            'logo_image' => null,
            'is_active' => true,
        ]);
        $subscriber = Subscriber::query()->create([
            'preregistration_page_id' => $pageB->id,
            'first_name' => 'A',
            'last_name' => 'B',
            'email' => 'y@example.com',
        ]);

        // Mismatched pair on purpose: page A in the URL, subscriber of page B.
        $response = $this->actingAs($user)->delete(route('admin.pages.subscribers.destroy', [$pageA, $subscriber]));

        // NOTE(review): which layer produces the 403 (controller, policy, middleware)
        // is not visible from this test; confirm the page/subscriber relationship is
        // checked on the server and not only implied by the route parameters.
        $response->assertForbidden();
        $this->assertDatabaseHas('subscribers', ['id' => $subscriber->id]);
    }

    // NOTE(review): the tests visible in this part of the file always call actingAs()
    // with a 'user'-role account. Confirm that an unauthenticated delete request and
    // any other roles are covered elsewhere.
}