MALIO-DEV/Starseed
3
0
Fork 0
Code Issues Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
027e80cc4b7e6543a713db5eadd5b9ebc610c6f0
Starseed/tests/Module/Commercial/Api/ClientSecurityTest.php
T

58 lines
2.0 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Tests\Module\Commercial\Api;
/**
* Tests de securite GENERIQUE de /api/clients (ERP-60).
*
* Couvre les garde-fous non dependants des roles metier :
* - 401 si requete anonyme (firewall JWT) ;
* - 403 si l'utilisateur authentifie ne porte pas `commercial.clients.view`.
*
* ⚠ La matrice RBAC differenciee par role metier (bureau / compta / commerciale
* / usine) et le test fonctionnel RG-1.04 sont DELEGUES a ERP-74 (#493) : ils
* exigent les roles seedes apres le merge de la stack. NE PAS les ajouter ici.
*
* @internal
*/
final class ClientSecurityTest extends AbstractCommercialApiTestCase
{
private const string LD = 'application/ld+json';
public function testAnonymousGetCollectionReturns401(): void
{
$client = self::createClient();
$client->request('GET', '/api/clients', ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(401);
}
public function testAnonymousGetItemReturns401(): void
{
$seed = $this->seedClient('Anon Item');
$client = self::createClient();
$client->request('GET', '/api/clients/'.$seed->getId(), ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(401);
}
public function testForbiddenWithoutClientsViewPermission(): void
{
// User authentifie portant une permission SANS rapport avec les clients.
$seed = $this->seedClient('Forbidden Target');
$credentials = $this->createUserWithPermission('core.users.view');
$client = $this->authenticatedClient($credentials['username'], $credentials['password']);
// Collection.
$client->request('GET', '/api/clients', ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(403);
// Detail.
$client->request('GET', '/api/clients/'.$seed->getId(), ['headers' => ['Accept' => self::LD]]);
self::assertResponseStatusCodeSame(403);
}
}
Reference in New Issue View Git Blame Copy Permalink