Initial commit

tests/Feature/Security/Authorization/PostsManageAuthorizationTest.php

@@ -0,0 +1,235 @@
+<?php
+
+namespace Tests\Feature\Security\Authorization;
+
+use App\Models\Admin;
+use App\Models\Bank;
+use App\Models\Organization;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Livewire\Livewire;
+use Tests\TestCase;
+
+/**
+ * Posts Management Authorization Tests
+ *
+ * Tests that only admins and central banks can access post management,
+ * and prevents IDOR/cross-guard attacks.
+ *
+ * @group security
+ * @group authorization
+ * @group admin
+ * @group critical
+ */
+class PostsManageAuthorizationTest extends TestCase
+{
+    use RefreshDatabase;
+
+    /**
+     * Test admin can access posts management
+     *
+     * @test
+     */
+    public function admin_can_access_posts_management()
+    {
+        $admin = Admin::factory()->create();
+
+        $this->actingAs($admin, 'admin');
+        session(['activeProfileType' => Admin::class, 'activeProfileId' => $admin->id]);
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        $response->assertStatus(200);
+    }
+
+    /**
+     * Test central bank (level 0) can access posts management
+     *
+     * @test
+     */
+    public function central_bank_can_access_posts_management()
+    {
+        $bank = Bank::factory()->create(['level' => 0]);
+
+        $this->actingAs($bank, 'bank');
+        session(['activeProfileType' => Bank::class, 'activeProfileId' => $bank->id]);
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        $response->assertStatus(200);
+    }
+
+    /**
+     * Test regular bank (level 1) CANNOT access posts management
+     *
+     * @test
+     */
+    public function regular_bank_cannot_access_posts_management()
+    {
+        $bank = Bank::factory()->create(['level' => 1]);
+
+        $this->actingAs($bank, 'bank');
+        session(['activeProfileType' => Bank::class, 'activeProfileId' => $bank->id]);
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        $response->assertStatus(403);
+    }
+
+    /**
+     * Test user CANNOT access posts management
+     *
+     * @test
+     */
+    public function user_cannot_access_posts_management()
+    {
+        $user = User::factory()->create();
+
+        $this->actingAs($user, 'web');
+        session(['activeProfileType' => User::class, 'activeProfileId' => $user->id]);
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        $response->assertStatus(403);
+    }
+
+    /**
+     * Test organization CANNOT access posts management
+     *
+     * @test
+     */
+    public function organization_cannot_access_posts_management()
+    {
+        $user = User::factory()->create();
+        $organization = Organization::factory()->create();
+        $organization->users()->attach($user->id);
+
+        $this->actingAs($user, 'web');
+        $this->actingAs($organization, 'organization');
+        session(['activeProfileType' => Organization::class, 'activeProfileId' => $organization->id]);
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        $response->assertStatus(403);
+    }
+
+    /**
+     * Test web user CANNOT access posts via cross-guard attack (targeting admin profile)
+     *
+     * @test
+     */
+    public function web_user_cannot_access_posts_via_cross_guard_admin_attack()
+    {
+        $user = User::factory()->create();
+        $admin = Admin::factory()->create();
+        $admin->users()->attach($user->id); // User is linked to admin
+
+        // User authenticated on 'web' guard
+        $this->actingAs($user, 'web');
+
+        // Malicious: manipulate session to target admin profile
+        session(['activeProfileType' => Admin::class, 'activeProfileId' => $admin->id]);
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        // Should be blocked by ProfileAuthorizationHelper (cross-guard validation)
+        $response->assertStatus(403);
+    }
+
+    /**
+     * Test web user CANNOT access posts via cross-guard attack (targeting bank profile)
+     *
+     * @test
+     */
+    public function web_user_cannot_access_posts_via_cross_guard_bank_attack()
+    {
+        $user = User::factory()->create();
+        $bank = Bank::factory()->create(['level' => 0]);
+        $bank->managers()->attach($user->id); // User is manager of bank
+
+        // User authenticated on 'web' guard
+        $this->actingAs($user, 'web');
+
+        // Malicious: manipulate session to target bank profile
+        session(['activeProfileType' => Bank::class, 'activeProfileId' => $bank->id]);
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        // Should be blocked by ProfileAuthorizationHelper (cross-guard validation)
+        $response->assertStatus(403);
+    }
+
+    /**
+     * Test unauthenticated user CANNOT access posts management
+     *
+     * @test
+     */
+    public function unauthenticated_user_cannot_access_posts_management()
+    {
+        $admin = Admin::factory()->create();
+
+        // Not authenticated
+        session(['activeProfileType' => Admin::class, 'activeProfileId' => $admin->id]);
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        // Should return 401 (not authenticated)
+        $response->assertStatus(401);
+    }
+
+    /**
+     * Test admin CANNOT access posts when session has no active profile
+     *
+     * @test
+     */
+    public function admin_cannot_access_posts_without_active_profile()
+    {
+        $admin = Admin::factory()->create();
+
+        $this->actingAs($admin, 'admin');
+        // NO session activeProfileType/activeProfileId set
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        $response->assertStatus(403);
+    }
+
+    /**
+     * Test admin CANNOT access posts when session has invalid profile ID
+     *
+     * @test
+     */
+    public function admin_cannot_access_posts_with_invalid_profile_id()
+    {
+        $admin = Admin::factory()->create();
+
+        $this->actingAs($admin, 'admin');
+        session(['activeProfileType' => Admin::class, 'activeProfileId' => 99999]); // Non-existent ID
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        $response->assertStatus(403);
+    }
+
+    /**
+     * Test admin CANNOT access posts management for different admin profile (IDOR)
+     *
+     * @test
+     */
+    public function admin_cannot_access_posts_as_different_admin()
+    {
+        $admin1 = Admin::factory()->create();
+        $admin2 = Admin::factory()->create();
+
+        // Authenticated as admin1
+        $this->actingAs($admin1, 'admin');
+
+        // Malicious: manipulate session to target admin2 profile
+        session(['activeProfileType' => Admin::class, 'activeProfileId' => $admin2->id]);
+
+        $response = Livewire::test(\App\Http\Livewire\Posts\Manage::class);
+
+        // Should be blocked by ProfileAuthorizationHelper (different admin)
+        $response->assertStatus(403);
+    }
+}