ronald/timebank-cc-public
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
2547717edb4226753f78e0521a16ee09adf1e67a
timebank-cc-public/tests/Feature/Security/Authorization/MessageSettingsAuthorizationTest.php
Ronald Huynen 2547717edb Initial commit
2026-03-23 21:37:59 +01:00

285 lines
8.4 KiB
PHP
Raw Blame History

<?php
namespace Tests\Feature\Security\Authorization;
use App\Models\Admin;
use App\Models\Bank;
use App\Models\Organization;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Livewire\Livewire;
use Tests\TestCase;
/**
* Message Settings Authorization Tests
*
* Tests that users can only modify their own profile message settings
* and cannot manipulate session to modify other profiles' settings.
*
* @group security
* @group authorization
* @group idor
* @group critical
*/
class MessageSettingsAuthorizationTest extends TestCase
{
use RefreshDatabase;
/**
* Test user can access their own message settings
*
* @test
*/
public function user_can_access_own_message_settings()
{
$user = User::factory()->create();
$this->actingAs($user, 'web');
session(['activeProfileType' => User::class]);
session(['activeProfileId' => $user->id]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);
$response->assertStatus(200);
$response->assertSet('systemMessage', true); // Default value
}
/**
* Test user cannot access another user's message settings via session manipulation
*
* @test
*/
public function user_cannot_access_another_users_message_settings()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$this->actingAs($user1, 'web');
// Malicious attempt: manipulate session to access user2's settings
session(['activeProfileType' => User::class]);
session(['activeProfileId' => $user2->id]); // Different user!
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);
$response->assertStatus(403);
}
/**
* Test user cannot update another user's message settings
*
* @test
*/
public function user_cannot_update_another_users_message_settings()
{
$user1 = User::factory()->create();
$user2 = User::factory()->create();
$this->actingAs($user1, 'web');
// Malicious attempt: manipulate session to update user2's settings
session(['activeProfileType' => User::class]);
session(['activeProfileId' => $user2->id]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class)
->set('systemMessage', false)
->call('updateMessageSettings');
$response->assertStatus(403);
}
/**
* Test organization can access their own message settings
*
* @test
*/
public function organization_can_access_own_message_settings()
{
$user = User::factory()->create();
$organization = Organization::factory()->create();
$organization->users()->attach($user->id);
$this->actingAs($organization, 'organization');
session(['activeProfileType' => Organization::class]);
session(['activeProfileId' => $organization->id]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);
$response->assertStatus(200);
}
/**
* Test organization cannot access another organization's message settings
*
* @test
*/
public function organization_cannot_access_another_organizations_message_settings()
{
$user = User::factory()->create();
$org1 = Organization::factory()->create();
$org2 = Organization::factory()->create();
$org1->users()->attach($user->id);
// User is NOT linked to org2
$this->actingAs($org1, 'organization');
// Malicious attempt: manipulate session to access org2's settings
session(['activeProfileType' => Organization::class]);
session(['activeProfileId' => $org2->id]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);
$response->assertStatus(403);
}
/**
* Test admin can access their own message settings
*
* @test
*/
public function admin_can_access_own_message_settings()
{
$user = User::factory()->create();
$admin = Admin::factory()->create();
$admin->users()->attach($user->id);
$this->actingAs($admin, 'admin');
session(['activeProfileType' => Admin::class]);
session(['activeProfileId' => $admin->id]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);
$response->assertStatus(200);
}
/**
* Test bank can access their own message settings
*
* @test
*/
public function bank_can_access_own_message_settings()
{
$user = User::factory()->create();
$bank = Bank::factory()->create();
$bank->managers()->attach($user->id);
$this->actingAs($bank, 'bank');
session(['activeProfileType' => Bank::class]);
session(['activeProfileId' => $bank->id]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);
$response->assertStatus(200);
}
/**
* Test user can update their own message settings
*
* @test
*/
public function user_can_update_own_message_settings()
{
$user = User::factory()->create();
$this->actingAs($user, 'web');
session(['activeProfileType' => User::class]);
session(['activeProfileId' => $user->id]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class)
->set('systemMessage', false)
->set('paymentReceived', true)
->set('chatUnreadDelay', 24)
->call('updateMessageSettings');
$response->assertStatus(200);
$response->assertDispatched('saved');
// Verify settings were saved
$this->assertDatabaseHas('message_settings', [
'messageable_type' => User::class,
'messageable_id' => $user->id,
'system_message' => false,
'payment_received' => true,
'chat_unread_delay' => 24,
]);
}
/**
* Test cross-profile access: user logged in as user trying to access org settings
*
* @test
*/
public function user_cannot_access_organization_message_settings_via_session()
{
$user = User::factory()->create();
$organization = Organization::factory()->create();
$user->organizations()->attach($organization->id);
// Login as regular user (web guard)
$this->actingAs($user, 'web');
// Try to access organization settings via session manipulation
session(['activeProfileType' => Organization::class]);
session(['activeProfileId' => $organization->id]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);
// Should fail because authenticated as User but trying to access Organization profile
$response->assertStatus(403);
}
/**
* Test unauthenticated user cannot access message settings
*
* @test
*/
public function unauthenticated_user_cannot_access_message_settings()
{
$user = User::factory()->create();
session(['activeProfileType' => User::class]);
session(['activeProfileId' => $user->id]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);
$response->assertStatus(401);
}
/**
* Test message settings default values are created on first access
*
* @test
*/
public function message_settings_default_values_created_on_first_access()
{
$user = User::factory()->create();
$this->actingAs($user, 'web');
session(['activeProfileType' => User::class]);
session(['activeProfileId' => $user->id]);
// User has no message settings yet
$this->assertDatabaseMissing('message_settings', [
'messageable_type' => User::class,
'messageable_id' => $user->id,
]);
$response = Livewire::test(\App\Http\Livewire\Profile\UpdateMessageSettingsForm::class);
$response->assertStatus(200);
// Default settings should be created
$this->assertDatabaseHas('message_settings', [
'messageable_type' => User::class,
'messageable_id' => $user->id,
'system_message' => true,
'payment_received' => true,
'star_received' => true,
]);
}
}
Reference in New Issue View Git Blame Copy Permalink