api()->loginWebAndGetToken( DatabaseSeeder::SUPERVISOR_USERNAME, DatabaseSeeder::PASSWORD )['token']; $res = $this->api()->withToken($token, 'POST', 'users', [ 'username' => 'new_supervisor', 'password' => 'Secret1!', 'role' => 'supervisor', 'location' => 'Elsewhere', ]); $this->assertApiError($res, 'FORBIDDEN', 403); } public function testSupervisorCannotAssignClientToForeignCoach(): void { [$pdo, $tmpDb, $lockFp] = qdb_open(true); $foreignSupervisorId = 'sv-foreign-' . bin2hex(random_bytes(4)); $foreignCoachId = 'coach-foreign-' . bin2hex(random_bytes(4)); $pdo->prepare('INSERT INTO supervisor (supervisorID, username, location) VALUES (:id, :u, :loc)') ->execute([':id' => $foreignSupervisorId, ':u' => 'foreign_sv', ':loc' => 'Region B']); $pdo->prepare('INSERT INTO coach (coachID, supervisorID, username) VALUES (:id, :sid, :u)') ->execute([':id' => $foreignCoachId, ':sid' => $foreignSupervisorId, ':u' => 'foreign_coach']); qdb_save($tmpDb, $lockFp); $token = $this->api()->loginWebAndGetToken( DatabaseSeeder::SUPERVISOR_USERNAME, DatabaseSeeder::PASSWORD )['token']; $res = $this->api()->withToken($token, 'POST', 'clients', [ 'clientCode' => 'CLIENT-FOREIGN-001', 'coachID' => $foreignCoachId, ]); $this->assertApiError($res, 'NOT_FOUND', 404); } public function testCoachMobileTokenRejectedOnWebSettings(): void { $token = $this->api()->loginMobileAndGetToken( DatabaseSeeder::COACH_USERNAME, DatabaseSeeder::PASSWORD )['token']; $res = $this->api()->withToken($token, 'GET', 'settings'); $this->assertApiError($res, 'FORBIDDEN', 403); } public function testCoachCannotCreateAnswerOptionOnWeb(): void { $token = $this->api()->loginMobileAndGetToken( DatabaseSeeder::COACH_USERNAME, DatabaseSeeder::PASSWORD )['token']; $res = $this->api()->withToken($token, 'POST', 'answer_options', [ 'questionID' => $this->fixture()->questionId, 'optionKey' => 'blocked', 'defaultText' => 'Blocked', ]); $this->assertApiError($res, 'FORBIDDEN', 403); } public function testSupervisorCannotReassignCoach(): void { $token = $this->api()->loginWebAndGetToken( DatabaseSeeder::SUPERVISOR_USERNAME, DatabaseSeeder::PASSWORD )['token']; $res = $this->api()->withToken($token, 'PUT', 'users', [ 'userID' => $this->fixture()->coachUserId, 'supervisorID' => $this->fixture()->supervisorId, ]); $this->assertApiError($res, 'FORBIDDEN', 403); } }