<?php
namespace Tests\Feature\Security\Authorization;
use App\Models\Admin;
use App\Models\Bank;
use App\Models\Organization;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;
use Tests\TestCase;
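/**
 * Posts Management Authorization Tests
 *
 * Verifies that only admins and central banks (level 0) can mount the
 * Livewire posts-management component, and that the session-driven
 * "active profile" selector cannot be abused to reach it:
 *
 *  - cross-guard: a principal on one guard naming a profile of another guard
 *  - same-guard IDOR: a principal naming another principal's profile
 *  - level escalation: a regular bank naming a central bank's profile
 *  - malformed session state: missing, non-existent or unknown profile
 *
 * Every negative case expects a controlled 403 (401 when unauthenticated)
 * rather than an unhandled error, because the session values exercised here
 * are exactly the state an attacker can try to influence.
 *
 * @group security
 * @group authorization
 * @group admin
 * @group critical
 */
class PostsManageAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    /** Livewire component under test. */
    private const MANAGE_COMPONENT = \App\Http\Livewire\Posts\Manage::class;

    /**
     * Write the "active profile" selector the component resolves from the session.
     *
     * Tests deliberately store values here that do not match the authenticated
     * principal; the authorization layer must detect that mismatch.
     *
     * @param string $type fully-qualified profile model class name
     * @param int    $id   profile primary key
     */
    private function setActiveProfile(string $type, int $id): void
    {
        session(['activeProfileType' => $type, 'activeProfileId' => $id]);
    }

    /**
     * Mount the posts-management component with the current auth/session state
     * and assert the HTTP status it produces.
     *
     * @param int $status expected status code (200, 401 or 403)
     */
    private function assertManageStatus(int $status): void
    {
        Livewire::test(self::MANAGE_COMPONENT)->assertStatus($status);
    }

    /**
     * Admin on the 'admin' guard with a matching active profile is allowed.
     *
     * @test
     */
    public function admin_can_access_posts_management(): void
    {
        $admin = Admin::factory()->create();
        $this->actingAs($admin, 'admin');
        $this->setActiveProfile(Admin::class, $admin->id);

        $this->assertManageStatus(200);
    }

    /**
     * Central bank (level 0) on the 'bank' guard with a matching profile is allowed.
     *
     * @test
     */
    public function central_bank_can_access_posts_management(): void
    {
        $bank = Bank::factory()->create(['level' => 0]);
        $this->actingAs($bank, 'bank');
        $this->setActiveProfile(Bank::class, $bank->id);

        $this->assertManageStatus(200);
    }

    /**
     * Regular bank (level 1) is refused even with a matching profile.
     *
     * @test
     */
    public function regular_bank_cannot_access_posts_management(): void
    {
        $bank = Bank::factory()->create(['level' => 1]);
        $this->actingAs($bank, 'bank');
        $this->setActiveProfile(Bank::class, $bank->id);

        $this->assertManageStatus(403);
    }

    /**
     * Plain user on the 'web' guard is refused.
     *
     * @test
     */
    public function user_cannot_access_posts_management(): void
    {
        $user = User::factory()->create();
        $this->actingAs($user, 'web');
        $this->setActiveProfile(User::class, $user->id);

        $this->assertManageStatus(403);
    }

    /**
     * Organization profile (user is a member, acting on the 'organization' guard) is refused.
     *
     * @test
     */
    public function organization_cannot_access_posts_management(): void
    {
        $user = User::factory()->create();
        $organization = Organization::factory()->create();
        $organization->users()->attach($user->id);

        // Log the user in on 'web' first, then act as the organization; the
        // second call is what makes 'organization' the guard in effect.
        $this->actingAs($user, 'web');
        $this->actingAs($organization, 'organization');
        $this->setActiveProfile(Organization::class, $organization->id);

        $this->assertManageStatus(403);
    }

    /**
     * Cross-guard: a 'web' user linked to an admin must not gain admin access
     * by pointing the session at that admin profile.
     *
     * @test
     */
    public function web_user_cannot_access_posts_via_cross_guard_admin_attack(): void
    {
        $user = User::factory()->create();
        $admin = Admin::factory()->create();
        $admin->users()->attach($user->id); // user IS legitimately linked to the admin

        $this->actingAs($user, 'web');
        // Malicious: session names the admin profile while the principal is a web user.
        $this->setActiveProfile(Admin::class, $admin->id);

        // Expected to be blocked by ProfileAuthorizationHelper (cross-guard validation).
        $this->assertManageStatus(403);
    }

    /**
     * Cross-guard: a 'web' user who manages a central bank must not gain
     * central-bank access by pointing the session at that bank profile.
     *
     * @test
     */
    public function web_user_cannot_access_posts_via_cross_guard_bank_attack(): void
    {
        $user = User::factory()->create();
        $bank = Bank::factory()->create(['level' => 0]);
        $bank->managers()->attach($user->id); // user IS legitimately a manager of the bank

        $this->actingAs($user, 'web');
        // Malicious: session names the bank profile while the principal is a web user.
        $this->setActiveProfile(Bank::class, $bank->id);

        // Expected to be blocked by ProfileAuthorizationHelper (cross-guard validation).
        $this->assertManageStatus(403);
    }

    /**
     * Cross-guard from the privileged side: an authenticated admin naming a
     * bank profile must still be refused — the profile type has to match the guard.
     *
     * @test
     */
    public function admin_cannot_access_posts_via_cross_guard_bank_profile(): void
    {
        $admin = Admin::factory()->create();
        $bank = Bank::factory()->create(['level' => 0]);
        $this->actingAs($admin, 'admin');
        $this->setActiveProfile(Bank::class, $bank->id);

        $this->assertManageStatus(403);
    }

    /**
     * Unauthenticated request with a forged active profile in the session
     * must be rejected as unauthenticated (401); the profile alone grants nothing.
     *
     * @test
     */
    public function unauthenticated_user_cannot_access_posts_management(): void
    {
        $admin = Admin::factory()->create();
        // No actingAs(): nobody is logged in on any guard.
        $this->setActiveProfile(Admin::class, $admin->id);

        $this->assertManageStatus(401);
    }

    /**
     * Admin without any active profile in the session is refused.
     *
     * @test
     */
    public function admin_cannot_access_posts_without_active_profile(): void
    {
        $admin = Admin::factory()->create();
        $this->actingAs($admin, 'admin');
        // activeProfileType / activeProfileId intentionally left unset.

        $this->assertManageStatus(403);
    }

    /**
     * Admin whose session names a non-existent admin id is refused.
     *
     * @test
     */
    public function admin_cannot_access_posts_with_invalid_profile_id(): void
    {
        $admin = Admin::factory()->create();
        $this->actingAs($admin, 'admin');

        // Guard the precondition so the test cannot pass by accident if the
        // factory ever produces this id.
        $missingId = 99999;
        $this->assertNull(Admin::find($missingId));
        $this->setActiveProfile(Admin::class, $missingId);

        $this->assertManageStatus(403);
    }

    /**
     * Malformed session: an activeProfileType that is not a known profile model
     * must be refused with 403 like a non-existent id, not resolved or surfaced
     * as an unhandled error (the class string originates from session state).
     *
     * @test
     */
    public function admin_cannot_access_posts_with_unknown_profile_type(): void
    {
        $admin = Admin::factory()->create();
        $this->actingAs($admin, 'admin');
        $this->setActiveProfile('App\\Models\\DoesNotExist', $admin->id);

        $this->assertManageStatus(403);
    }

    /**
     * Same-guard IDOR: admin1 naming admin2's profile is refused.
     *
     * @test
     */
    public function admin_cannot_access_posts_as_different_admin(): void
    {
        $admin1 = Admin::factory()->create();
        $admin2 = Admin::factory()->create();
        $this->actingAs($admin1, 'admin');
        // Malicious: session names a different admin's profile.
        $this->setActiveProfile(Admin::class, $admin2->id);

        // Expected to be blocked by ProfileAuthorizationHelper (different admin).
        $this->assertManageStatus(403);
    }

    /**
     * Same-guard IDOR on the bank guard: one central bank naming another
     * central bank's profile is refused, mirroring the admin case.
     *
     * @test
     */
    public function central_bank_cannot_access_posts_as_different_bank(): void
    {
        $bank1 = Bank::factory()->create(['level' => 0]);
        $bank2 = Bank::factory()->create(['level' => 0]);
        $this->actingAs($bank1, 'bank');
        $this->setActiveProfile(Bank::class, $bank2->id);

        $this->assertManageStatus(403);
    }

    /**
     * Level escalation: a regular bank (level 1) must not reach the
     * central-bank path by naming a level-0 bank's profile in the session.
     *
     * @test
     */
    public function regular_bank_cannot_escalate_to_central_bank_profile(): void
    {
        $regular = Bank::factory()->create(['level' => 1]);
        $central = Bank::factory()->create(['level' => 0]);
        $this->actingAs($regular, 'bank');
        $this->setActiveProfile(Bank::class, $central->id);

        $this->assertManageStatus(403);
    }
}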