ronald/timebank-cc-public
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Initial commit

Browse Source
This commit is contained in:
Ronald Huynen
2026-03-23 21:37:59 +01:00
commit 2547717edb
2193 changed files with 972171 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

734
tests/Feature/Security/Financial/TransactionAuthorizationTest.php Normal file
View File

@@ -0,0 +1,734 @@
<?php
namespace Tests\Feature\Security\Financial;
use App\Models\Account;
use App\Models\Admin;
use App\Models\Bank;
use App\Models\Organization;
use App\Models\Transaction;
use App\Models\TransactionType;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Auth;
use Tests\TestCase;
/**
* Transaction Authorization Tests
*
* Tests who can create what types of transactions:
* - User -> User: Work, Gift (no Donation, no Currency creation/removal)
* - User -> Organization: Work, Gift, Donation
* - Organization -> User: Work, Gift
* - Organization -> Organization: Work, Gift, Donation
* - Bank -> Any: Currency creation/removal, all other types
* - Internal migrations (same accountable): Migration type enforced
*
* Tests account ownership validation and balance limits enforcement.
*
* @group security
* @group critical
* @group financial
* @group transaction-authorization
*/
class TransactionAuthorizationTest extends TestCase
{
use RefreshDatabase;
// ==========================================
// ACCOUNT OWNERSHIP TESTS
// ==========================================
/**
* Test that users can only create transactions from accounts they own
*/
public function test_user_can_only_create_transactions_from_owned_accounts()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$ownedAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
]);
$unownedAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
]);
$this->actingAs($user1, 'web');
// Try to create transaction from unowned account
$response = $this->postJson('/api/transactions', [
'from_account_id' => $unownedAccount->id,
'to_account_id' => $ownedAccount->id,
'amount' => 60,
'description' => 'Unauthorized transaction',
'transaction_type_id' => 1,
]);
// Should be rejected (403 or validation error)
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
}
/**
* Test that organizations can only use their own accounts
*/
public function test_organization_can_only_use_own_accounts()
{
$user = User::factory()->create();
$org1 = Organization::factory()->create();
$org2 = Organization::factory()->create();
$user->organizations()->attach($org1->id);
$org1Account = Account::factory()->create([
'accountable_type' => Organization::class,
'accountable_id' => $org1->id,
]);
$org2Account = Account::factory()->create([
'accountable_type' => Organization::class,
'accountable_id' => $org2->id,
]);
// Login as organization1
Auth::guard('web')->login($user);
Auth::guard('organization')->login($org1);
session(['active_guard' => 'organization']);
// Try to create transaction from org2's account
$response = $this->postJson('/api/transactions', [
'from_account_id' => $org2Account->id,
'to_account_id' => $org1Account->id,
'amount' => 60,
'description' => 'Unauthorized organization transaction',
'transaction_type_id' => 1,
]);
// Should be rejected
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
}
/**
* Test that banks can only use their managed accounts
*/
public function test_bank_can_only_use_managed_accounts()
{
$user = User::factory()->create();
$bank1 = Bank::factory()->create();
$bank2 = Bank::factory()->create();
$user->banksManaged()->attach($bank1->id);
$bank1Account = Account::factory()->create([
'accountable_type' => Bank::class,
'accountable_id' => $bank1->id,
]);
$bank2Account = Account::factory()->create([
'accountable_type' => Bank::class,
'accountable_id' => $bank2->id,
]);
// Login as bank1
Auth::guard('web')->login($user);
Auth::guard('bank')->login($bank1);
session(['active_guard' => 'bank']);
// Try to create transaction from bank2's account
$response = $this->postJson('/api/transactions', [
'from_account_id' => $bank2Account->id,
'to_account_id' => $bank1Account->id,
'amount' => 60,
'description' => 'Unauthorized bank transaction',
'transaction_type_id' => 1,
]);
// Should be rejected
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
}
// ==========================================
// TRANSACTION TYPE AUTHORIZATION TESTS
// ==========================================
/**
* Test User -> User transactions allow Work and Gift types
*/
public function test_user_to_user_allows_work_and_gift()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$account1 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
]);
$account2 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
]);
$this->actingAs($user1, 'web');
// Work type (ID 1) should be allowed
$transaction1 = Transaction::create([
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 60,
'description' => 'Work transaction',
'transaction_type_id' => 1, // Work
'creator_user_id' => $user1->id,
]);
$this->assertDatabaseHas('transactions', [
'id' => $transaction1->id,
'transaction_type_id' => 1,
]);
// Gift type (ID 2) should be allowed
$transaction2 = Transaction::create([
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 30,
'description' => 'Gift transaction',
'transaction_type_id' => 2, // Gift
'creator_user_id' => $user1->id,
]);
$this->assertDatabaseHas('transactions', [
'id' => $transaction2->id,
'transaction_type_id' => 2,
]);
}
/**
* Test User -> User transactions reject Donation type
*/
public function test_user_to_user_rejects_donation()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$account1 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
]);
$account2 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
]);
$this->actingAs($user1, 'web');
// Donation type (ID 3) should be rejected for User -> User
// This should be caught by application logic, not just database constraint
try {
$response = $this->postJson('/api/transactions', [
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 60,
'description' => 'Invalid donation',
'transaction_type_id' => 3, // Donation
]);
// Should be rejected
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
} catch (\Exception $e) {
// Exception is also acceptable
$this->assertTrue(true);
}
}
/**
* Test User -> Organization allows Donation type
*/
public function test_user_to_organization_allows_donation()
{
$user = User::factory()->create();
$organization = Organization::factory()->create();
$userAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user->id,
]);
$orgAccount = Account::factory()->create([
'accountable_type' => Organization::class,
'accountable_id' => $organization->id,
]);
$this->actingAs($user, 'web');
// Donation type (ID 3) should be allowed for User -> Organization
$transaction = Transaction::create([
'from_account_id' => $userAccount->id,
'to_account_id' => $orgAccount->id,
'amount' => 120,
'description' => 'Donation to organization',
'transaction_type_id' => 3, // Donation
'creator_user_id' => $user->id,
]);
$this->assertDatabaseHas('transactions', [
'id' => $transaction->id,
'transaction_type_id' => 3,
'from_account_id' => $userAccount->id,
'to_account_id' => $orgAccount->id,
]);
}
/**
* Test that regular users cannot create currency creation transactions
*/
public function test_users_cannot_create_currency_creation_transactions()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$account1 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
]);
$account2 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
]);
$this->actingAs($user1, 'web');
// Currency creation type (ID 4) should be rejected for regular users
try {
$response = $this->postJson('/api/transactions', [
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 60,
'description' => 'Invalid currency creation',
'transaction_type_id' => 4, // Currency creation
]);
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
} catch (\Exception $e) {
$this->assertTrue(true);
}
}
/**
* Test that regular users cannot create currency removal transactions
*/
public function test_users_cannot_create_currency_removal_transactions()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$account1 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
]);
$account2 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
]);
$this->actingAs($user1, 'web');
// Currency removal type (ID 5) should be rejected for regular users
try {
$response = $this->postJson('/api/transactions', [
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 60,
'description' => 'Invalid currency removal',
'transaction_type_id' => 5, // Currency removal
]);
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
} catch (\Exception $e) {
$this->assertTrue(true);
}
}
// ==========================================
// INTERNAL MIGRATION TESTS
// ==========================================
/**
* Test that internal migrations (same accountable) use Migration type
*/
public function test_internal_migration_uses_migration_type()
{
$user = User::factory()->create();
// Create two accounts for the same user
$account1 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user->id,
'name' => 'time',
]);
$account2 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user->id,
'name' => 'savings',
]);
$this->actingAs($user, 'web');
// Internal transfer should automatically use Migration type (ID 6)
// Even if user tries to specify different type, it should be overridden
$transaction = Transaction::create([
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 100,
'description' => 'Transfer between own accounts',
'transaction_type_id' => 1, // User specifies Work, but should be changed to Migration
'creator_user_id' => $user->id,
]);
// Verify transaction was created with Migration type
// Note: This depends on TransactionController logic enforcing type 6 for internal transfers
$this->assertDatabaseHas('transactions', [
'id' => $transaction->id,
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
]);
// The transaction_type_id should be 6 (Migration) if controller logic is correct
// This test documents expected behavior
}
// ==========================================
// BALANCE LIMIT ENFORCEMENT TESTS
// ==========================================
/**
* Test that transactions respect sender's minimum balance limit
*/
public function test_transaction_respects_sender_minimum_limit()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$account1 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
'limit_min' => -100, // Can go 100 minutes into negative
]);
$account2 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
]);
$this->actingAs($user1, 'web');
// Current balance: 0
// Minimum allowed: -100
// Transfer budget: 0 - (-100) = 100 minutes
// Transaction of 100 minutes should succeed
$transaction1 = Transaction::create([
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 100,
'description' => 'Max allowed payment',
'transaction_type_id' => 1,
'creator_user_id' => $user1->id,
]);
$this->assertDatabaseHas('transactions', ['id' => $transaction1->id]);
// Transaction of 1 more minute should fail (would exceed limit)
try {
$response = $this->postJson('/api/transactions', [
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 1,
'description' => 'Over limit payment',
'transaction_type_id' => 1,
]);
// Should be rejected
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
} catch (\Exception $e) {
$this->assertTrue(true);
}
}
/**
* Test that transactions respect receiver's maximum balance limit
*/
public function test_transaction_respects_receiver_maximum_limit()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$account1 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
'limit_min' => -1000, // Large sending capacity
]);
$account2 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
'limit_min' => 0,
'limit_max' => 100, // Can only receive up to 100 minutes
]);
$this->actingAs($user1, 'web');
// Receiver current balance: 0
// Receiver maximum allowed: 100
// Receiver can accept: 100 - 0 = 100 minutes
// Transaction of 100 minutes should succeed
$transaction1 = Transaction::create([
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 100,
'description' => 'Max receivable payment',
'transaction_type_id' => 1,
'creator_user_id' => $user1->id,
]);
$this->assertDatabaseHas('transactions', ['id' => $transaction1->id]);
// Transaction of 1 more minute should fail (would exceed receiver's limit)
try {
$response = $this->postJson('/api/transactions', [
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 1,
'description' => 'Over receiver limit payment',
'transaction_type_id' => 1,
]);
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
} catch (\Exception $e) {
$this->assertTrue(true);
}
}
/**
* Test that organizations have higher balance limits than users
*/
public function test_organizations_have_higher_limits_than_users()
{
$user = User::factory()->create();
$organization = Organization::factory()->create();
$userAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user->id,
]);
$orgAccount = Account::factory()->create([
'accountable_type' => Organization::class,
'accountable_id' => $organization->id,
]);
// Get limits from configuration
$userLimitMax = timebank_config('accounts.user.limit_max');
$userLimitMin = timebank_config('accounts.user.limit_min');
$orgLimitMax = timebank_config('accounts.organization.limit_max');
$orgLimitMin = timebank_config('accounts.organization.limit_min');
// Organizations should have higher limits
$this->assertGreaterThan($userLimitMax, $orgLimitMax,
'Organizations should have higher maximum balance limit than users');
// Organizations should be able to go more negative (give more)
$this->assertLessThan($userLimitMin, $orgLimitMin,
'Organizations should be able to go more negative than users');
}
// ==========================================
// DELETED/INACTIVE ACCOUNT PROTECTION TESTS
// ==========================================
/**
* Test that transactions cannot be created from deleted accounts
*/
public function test_cannot_create_transaction_from_deleted_account()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$deletedAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
'deleted_at' => now()->subDay(),
]);
$activeAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
]);
$this->actingAs($user1, 'web');
// Should not allow transaction from deleted account
try {
$response = $this->postJson('/api/transactions', [
'from_account_id' => $deletedAccount->id,
'to_account_id' => $activeAccount->id,
'amount' => 60,
'description' => 'From deleted account',
'transaction_type_id' => 1,
]);
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
} catch (\Exception $e) {
$this->assertTrue(true);
}
}
/**
* Test that transactions cannot be created to deleted accounts
*/
public function test_cannot_create_transaction_to_deleted_account()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$activeAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
]);
$deletedAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
'deleted_at' => now()->subDay(),
]);
$this->actingAs($user1, 'web');
// Should not allow transaction to deleted account
try {
$response = $this->postJson('/api/transactions', [
'from_account_id' => $activeAccount->id,
'to_account_id' => $deletedAccount->id,
'amount' => 60,
'description' => 'To deleted account',
'transaction_type_id' => 1,
]);
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
} catch (\Exception $e) {
$this->assertTrue(true);
}
}
/**
* Test that transactions cannot be created from/to inactive accountables
*/
public function test_cannot_create_transaction_to_inactive_accountable()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create(['inactive_at' => now()->subDay()]);
$activeAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
]);
$inactiveAccount = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
]);
$this->actingAs($user1, 'web');
// Should not allow transaction to account of inactive user
try {
$response = $this->postJson('/api/transactions', [
'from_account_id' => $activeAccount->id,
'to_account_id' => $inactiveAccount->id,
'amount' => 60,
'description' => 'To inactive user',
'transaction_type_id' => 1,
]);
$this->assertNotEquals(200, $response->status());
$this->assertNotEquals(201, $response->status());
} catch (\Exception $e) {
$this->assertTrue(true);
}
}
// ==========================================
// TRANSACTION TYPE EXISTENCE TESTS
// ==========================================
/**
* Test that all required transaction types exist in database
*/
public function test_all_transaction_types_exist()
{
// Required transaction types:
// 1. Work
// 2. Gift
// 3. Donation
// 4. Currency creation
// 5. Currency removal
// 6. Migration
$this->assertDatabaseHas('transaction_types', ['id' => 1, 'name' => 'Work']);
$this->assertDatabaseHas('transaction_types', ['id' => 2, 'name' => 'Gift']);
$this->assertDatabaseHas('transaction_types', ['id' => 3, 'name' => 'Donation']);
$this->assertDatabaseHas('transaction_types', ['id' => 4, 'name' => 'Currency creation']);
$this->assertDatabaseHas('transaction_types', ['id' => 5, 'name' => 'Currency removal']);
$this->assertDatabaseHas('transaction_types', ['id' => 6, 'name' => 'Migration']);
}
/**
* Test that transactions require valid transaction type
*/
public function test_transaction_requires_valid_type()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$account1 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user1->id,
]);
$account2 = Account::factory()->create([
'accountable_type' => User::class,
'accountable_id' => $user2->id,
]);
$this->actingAs($user1, 'web');
// Non-existent transaction type should be rejected
$this->expectException(\Exception::class);
Transaction::create([
'from_account_id' => $account1->id,
'to_account_id' => $account2->id,
'amount' => 60,
'description' => 'Invalid type',
'transaction_type_id' => 999, // Non-existent type
'creator_user_id' => $user1->id,
]);
}
}