added unit tests
This commit is contained in:
85
tests/Integration/RbacIntegrationTest.php
Normal file
85
tests/Integration/RbacIntegrationTest.php
Normal file
@ -0,0 +1,85 @@
|
||||
<?php
|
||||
|
||||
declare(strict_types=1);
|
||||
|
||||
namespace Tests\Integration;
|
||||
|
||||
use Tests\Support\DatabaseSeeder;
|
||||
use Tests\Support\QdbTestCase;
|
||||
|
||||
final class RbacIntegrationTest extends QdbTestCase
|
||||
{
|
||||
public function testSupervisorCannotCreateSupervisorUser(): void
|
||||
{
|
||||
$token = $this->api()->loginWebAndGetToken(
|
||||
DatabaseSeeder::SUPERVISOR_USERNAME,
|
||||
DatabaseSeeder::PASSWORD
|
||||
)['token'];
|
||||
$res = $this->api()->withToken($token, 'POST', 'users', [
|
||||
'username' => 'new_supervisor',
|
||||
'password' => 'Secret1!',
|
||||
'role' => 'supervisor',
|
||||
'location' => 'Elsewhere',
|
||||
]);
|
||||
$this->assertApiError($res, 'FORBIDDEN', 403);
|
||||
}
|
||||
|
||||
public function testSupervisorCannotAssignClientToForeignCoach(): void
|
||||
{
|
||||
[$pdo, $tmpDb, $lockFp] = qdb_open(true);
|
||||
$foreignSupervisorId = 'sv-foreign-' . bin2hex(random_bytes(4));
|
||||
$foreignCoachId = 'coach-foreign-' . bin2hex(random_bytes(4));
|
||||
$pdo->prepare('INSERT INTO supervisor (supervisorID, username, location) VALUES (:id, :u, :loc)')
|
||||
->execute([':id' => $foreignSupervisorId, ':u' => 'foreign_sv', ':loc' => 'Region B']);
|
||||
$pdo->prepare('INSERT INTO coach (coachID, supervisorID, username) VALUES (:id, :sid, :u)')
|
||||
->execute([':id' => $foreignCoachId, ':sid' => $foreignSupervisorId, ':u' => 'foreign_coach']);
|
||||
qdb_save($tmpDb, $lockFp);
|
||||
|
||||
$token = $this->api()->loginWebAndGetToken(
|
||||
DatabaseSeeder::SUPERVISOR_USERNAME,
|
||||
DatabaseSeeder::PASSWORD
|
||||
)['token'];
|
||||
$res = $this->api()->withToken($token, 'POST', 'clients', [
|
||||
'clientCode' => 'CLIENT-FOREIGN-001',
|
||||
'coachID' => $foreignCoachId,
|
||||
]);
|
||||
$this->assertApiError($res, 'NOT_FOUND', 404);
|
||||
}
|
||||
|
||||
public function testCoachMobileTokenRejectedOnWebSettings(): void
|
||||
{
|
||||
$token = $this->api()->loginMobileAndGetToken(
|
||||
DatabaseSeeder::COACH_USERNAME,
|
||||
DatabaseSeeder::PASSWORD
|
||||
)['token'];
|
||||
$res = $this->api()->withToken($token, 'GET', 'settings');
|
||||
$this->assertApiError($res, 'FORBIDDEN', 403);
|
||||
}
|
||||
|
||||
public function testCoachCannotCreateAnswerOptionOnWeb(): void
|
||||
{
|
||||
$token = $this->api()->loginMobileAndGetToken(
|
||||
DatabaseSeeder::COACH_USERNAME,
|
||||
DatabaseSeeder::PASSWORD
|
||||
)['token'];
|
||||
$res = $this->api()->withToken($token, 'POST', 'answer_options', [
|
||||
'questionID' => $this->fixture()->questionId,
|
||||
'optionKey' => 'blocked',
|
||||
'defaultText' => 'Blocked',
|
||||
]);
|
||||
$this->assertApiError($res, 'FORBIDDEN', 403);
|
||||
}
|
||||
|
||||
public function testSupervisorCannotReassignCoach(): void
|
||||
{
|
||||
$token = $this->api()->loginWebAndGetToken(
|
||||
DatabaseSeeder::SUPERVISOR_USERNAME,
|
||||
DatabaseSeeder::PASSWORD
|
||||
)['token'];
|
||||
$res = $this->api()->withToken($token, 'PUT', 'users', [
|
||||
'userID' => $this->fixture()->coachUserId,
|
||||
'supervisorID' => $this->fixture()->supervisorId,
|
||||
]);
|
||||
$this->assertApiError($res, 'FORBIDDEN', 403);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user