Files
nat-as-server/tests/Integration/RbacIntegrationTest.php
2026-06-04 21:40:59 +02:00

86 lines
3.1 KiB
PHP

<?php
declare(strict_types=1);
namespace Tests\Integration;
use Tests\Support\DatabaseSeeder;
use Tests\Support\QdbTestCase;
final class RbacIntegrationTest extends QdbTestCase
{
public function testSupervisorCannotCreateSupervisorUser(): void
{
$token = $this->api()->loginWebAndGetToken(
DatabaseSeeder::SUPERVISOR_USERNAME,
DatabaseSeeder::PASSWORD
)['token'];
$res = $this->api()->withToken($token, 'POST', 'users', [
'username' => 'new_supervisor',
'password' => 'Secret1!',
'role' => 'supervisor',
'location' => 'Elsewhere',
]);
$this->assertApiError($res, 'FORBIDDEN', 403);
}
public function testSupervisorCannotAssignClientToForeignCoach(): void
{
[$pdo, $tmpDb, $lockFp] = qdb_open(true);
$foreignSupervisorId = 'sv-foreign-' . bin2hex(random_bytes(4));
$foreignCoachId = 'coach-foreign-' . bin2hex(random_bytes(4));
$pdo->prepare('INSERT INTO supervisor (supervisorID, username, location) VALUES (:id, :u, :loc)')
->execute([':id' => $foreignSupervisorId, ':u' => 'foreign_sv', ':loc' => 'Region B']);
$pdo->prepare('INSERT INTO coach (coachID, supervisorID, username) VALUES (:id, :sid, :u)')
->execute([':id' => $foreignCoachId, ':sid' => $foreignSupervisorId, ':u' => 'foreign_coach']);
qdb_save($tmpDb, $lockFp);
$token = $this->api()->loginWebAndGetToken(
DatabaseSeeder::SUPERVISOR_USERNAME,
DatabaseSeeder::PASSWORD
)['token'];
$res = $this->api()->withToken($token, 'POST', 'clients', [
'clientCode' => 'CLIENT-FOREIGN-001',
'coachID' => $foreignCoachId,
]);
$this->assertApiError($res, 'NOT_FOUND', 404);
}
public function testCoachMobileTokenRejectedOnWebSettings(): void
{
$token = $this->api()->loginMobileAndGetToken(
DatabaseSeeder::COACH_USERNAME,
DatabaseSeeder::PASSWORD
)['token'];
$res = $this->api()->withToken($token, 'GET', 'settings');
$this->assertApiError($res, 'FORBIDDEN', 403);
}
public function testCoachCannotCreateAnswerOptionOnWeb(): void
{
$token = $this->api()->loginMobileAndGetToken(
DatabaseSeeder::COACH_USERNAME,
DatabaseSeeder::PASSWORD
)['token'];
$res = $this->api()->withToken($token, 'POST', 'answer_options', [
'questionID' => $this->fixture()->questionId,
'optionKey' => 'blocked',
'defaultText' => 'Blocked',
]);
$this->assertApiError($res, 'FORBIDDEN', 403);
}
public function testSupervisorCannotReassignCoach(): void
{
$token = $this->api()->loginWebAndGetToken(
DatabaseSeeder::SUPERVISOR_USERNAME,
DatabaseSeeder::PASSWORD
)['token'];
$res = $this->api()->withToken($token, 'PUT', 'users', [
'userID' => $this->fixture()->coachUserId,
'supervisorID' => $this->fixture()->supervisorId,
]);
$this->assertApiError($res, 'FORBIDDEN', 403);
}
}