86 lines
3.1 KiB
PHP
86 lines
3.1 KiB
PHP
<?php
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace Tests\Integration;
|
|
|
|
use Tests\Support\DatabaseSeeder;
|
|
use Tests\Support\QdbTestCase;
|
|
|
|
final class RbacIntegrationTest extends QdbTestCase
|
|
{
|
|
public function testSupervisorCannotCreateSupervisorUser(): void
|
|
{
|
|
$token = $this->api()->loginWebAndGetToken(
|
|
DatabaseSeeder::SUPERVISOR_USERNAME,
|
|
DatabaseSeeder::PASSWORD
|
|
)['token'];
|
|
$res = $this->api()->withToken($token, 'POST', 'users', [
|
|
'username' => 'new_supervisor',
|
|
'password' => 'Secret1!',
|
|
'role' => 'supervisor',
|
|
'location' => 'Elsewhere',
|
|
]);
|
|
$this->assertApiError($res, 'FORBIDDEN', 403);
|
|
}
|
|
|
|
public function testSupervisorCannotAssignClientToForeignCoach(): void
|
|
{
|
|
[$pdo, $tmpDb, $lockFp] = qdb_open(true);
|
|
$foreignSupervisorId = 'sv-foreign-' . bin2hex(random_bytes(4));
|
|
$foreignCoachId = 'coach-foreign-' . bin2hex(random_bytes(4));
|
|
$pdo->prepare('INSERT INTO supervisor (supervisorID, username, location) VALUES (:id, :u, :loc)')
|
|
->execute([':id' => $foreignSupervisorId, ':u' => 'foreign_sv', ':loc' => 'Region B']);
|
|
$pdo->prepare('INSERT INTO coach (coachID, supervisorID, username) VALUES (:id, :sid, :u)')
|
|
->execute([':id' => $foreignCoachId, ':sid' => $foreignSupervisorId, ':u' => 'foreign_coach']);
|
|
qdb_save($tmpDb, $lockFp);
|
|
|
|
$token = $this->api()->loginWebAndGetToken(
|
|
DatabaseSeeder::SUPERVISOR_USERNAME,
|
|
DatabaseSeeder::PASSWORD
|
|
)['token'];
|
|
$res = $this->api()->withToken($token, 'POST', 'clients', [
|
|
'clientCode' => 'CLIENT-FOREIGN-001',
|
|
'coachID' => $foreignCoachId,
|
|
]);
|
|
$this->assertApiError($res, 'NOT_FOUND', 404);
|
|
}
|
|
|
|
public function testCoachMobileTokenRejectedOnWebSettings(): void
|
|
{
|
|
$token = $this->api()->loginMobileAndGetToken(
|
|
DatabaseSeeder::COACH_USERNAME,
|
|
DatabaseSeeder::PASSWORD
|
|
)['token'];
|
|
$res = $this->api()->withToken($token, 'GET', 'settings');
|
|
$this->assertApiError($res, 'FORBIDDEN', 403);
|
|
}
|
|
|
|
public function testCoachCannotCreateAnswerOptionOnWeb(): void
|
|
{
|
|
$token = $this->api()->loginMobileAndGetToken(
|
|
DatabaseSeeder::COACH_USERNAME,
|
|
DatabaseSeeder::PASSWORD
|
|
)['token'];
|
|
$res = $this->api()->withToken($token, 'POST', 'answer_options', [
|
|
'questionID' => $this->fixture()->questionId,
|
|
'optionKey' => 'blocked',
|
|
'defaultText' => 'Blocked',
|
|
]);
|
|
$this->assertApiError($res, 'FORBIDDEN', 403);
|
|
}
|
|
|
|
public function testSupervisorCannotReassignCoach(): void
|
|
{
|
|
$token = $this->api()->loginWebAndGetToken(
|
|
DatabaseSeeder::SUPERVISOR_USERNAME,
|
|
DatabaseSeeder::PASSWORD
|
|
)['token'];
|
|
$res = $this->api()->withToken($token, 'PUT', 'users', [
|
|
'userID' => $this->fixture()->coachUserId,
|
|
'supervisorID' => $this->fixture()->supervisorId,
|
|
]);
|
|
$this->assertApiError($res, 'FORBIDDEN', 403);
|
|
}
|
|
}
|