replace-hardcoded-hex-strings/tests/Integration/Api/Client/Server/Subuser/SubuserAuthorizationTest.php

<?php

namespace App\Tests\Integration\Api\Client\Server\Subuser;

use App\Jobs\RevokeSftpAccessJob;
use App\Models\Subuser;
use App\Models\User;
use App\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
use Illuminate\Support\Facades\Bus;
use PHPUnit\Framework\Attributes\DataProvider;

class SubuserAuthorizationTest extends ClientApiIntegrationTestCase
{
    /**
     * Test that mismatched subusers are not accessible to a server.
     */
    #[DataProvider('methodDataProvider')]
    public function test_user_cannot_access_resource_belonging_to_other_servers(string $method): void
    {
        Bus::fake([RevokeSftpAccessJob::class]);

        // Generic subuser, the specific resource we're trying to access.
        /** @var User $internal */
        $internal = User::factory()->create();

        // The API $user is the owner of $server1.
        [$user, $server1] = $this->generateTestAccount();
        // Will be a subuser of $server2.
        $server2 = $this->createServerModel();
        // And as no access to $server3.
        $server3 = $this->createServerModel();

        // Set the API $user as a subuser of server 2, but with no permissions
        // to do anything with the subusers for that server.
        Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);

        Subuser::factory()->create(['server_id' => $server1->id, 'user_id' => $internal->id]);
        Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $internal->id]);
        Subuser::factory()->create(['server_id' => $server3->id, 'user_id' => $internal->id]);

        // This route is acceptable since they're accessing a subuser on their own server.
        $this->actingAs($user)->json($method, $this->link($server1, '/users/' . $internal->uuid))->assertStatus($method === 'POST' ? 422 : ($method === 'DELETE' ? 204 : 200));

        // This route can be revealed since the subuser belongs to the correct server, but
        // errors out with a 403 since $user does not have the right permissions for this.
        $this->actingAs($user)->json($method, $this->link($server2, '/users/' . $internal->uuid))->assertForbidden();
        $this->actingAs($user)->json($method, $this->link($server3, '/users/' . $internal->uuid))->assertNotFound();

        if ($method === 'DELETE') {
            Bus::assertDispatchedTimes(function (RevokeSftpAccessJob $job) use ($server1, $internal) {
                return $job->user === $internal->uuid && $job->target->is($server1);
            });
        } else {
            Bus::assertNotDispatched(RevokeSftpAccessJob::class);
        }
    }

    public static function methodDataProvider(): array
    {
        return [['GET'], ['POST'], ['DELETE']];
    }
}
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`<?php`

Switch namespace back to App 2024-03-12 22:39:16 -04:00			`namespace App\Tests\Integration\Api\Client\Server\Subuser;`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
Add changes from upstream (#2293) Co-authored-by: DaneEveritt <dane@daneeveritt.com> Co-authored-by: danny6167 <danielb@purpleflaghosting.com> Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com> 2026-04-20 17:25:54 +02:00			`use App\Jobs\RevokeSftpAccessJob;`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Models\Subuser;`
Enable "ordered imports" (#1746) 2025-09-24 13:34:19 +02:00			`use App\Models\User;`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;`
Add changes from upstream (#2293) Co-authored-by: DaneEveritt <dane@daneeveritt.com> Co-authored-by: danny6167 <danielb@purpleflaghosting.com> Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com> 2026-04-20 17:25:54 +02:00			`use Illuminate\Support\Facades\Bus;`
Use PestPHP (#962) * Install Pest * Don’t use bootstrap file anymore * Fix comment * Think this is needed * Reset this * Switch dataproviders to attributes * Fix these * Support in memory databases * Fix this migration * Switch this back for now * Add missing import * Truncate and reseed database * These are replaced now * Switch ci to use pest 2025-01-30 16:39:17 -05:00			`use PHPUnit\Framework\Attributes\DataProvider;`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
			`class SubuserAuthorizationTest extends ClientApiIntegrationTestCase`
			`{`
			`/**`
			`* Test that mismatched subusers are not accessible to a server.`
			`*/`
Use PestPHP (#962) * Install Pest * Don’t use bootstrap file anymore * Fix comment * Think this is needed * Reset this * Switch dataproviders to attributes * Fix these * Support in memory databases * Fix this migration * Switch this back for now * Add missing import * Truncate and reseed database * These are replaced now * Switch ci to use pest 2025-01-30 16:39:17 -05:00			`#[DataProvider('methodDataProvider')]`
chore: Upgrade Dependencies (#1005) * chore: yarn upgrade * chore: composer upgrade * chore: php artisan filament:upgrade * chore: update filament-monaco-editor-views * chore: update filament-monaco-editor-configs * chore: move turnstile-views to plugins * fix monaco-editor loader & css 2025-02-25 14:22:07 +01:00			`public function test_user_cannot_access_resource_belonging_to_other_servers(string $method): void`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`{`
Add changes from upstream (#2293) Co-authored-by: DaneEveritt <dane@daneeveritt.com> Co-authored-by: danny6167 <danielb@purpleflaghosting.com> Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com> 2026-04-20 17:25:54 +02:00			`Bus::fake([RevokeSftpAccessJob::class]);`

Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`// Generic subuser, the specific resource we're trying to access.`
Run `composer update` and update model phpdocs (#2275) 2026-03-17 09:09:01 +01:00			`/** @var User $internal */`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$internal = User::factory()->create();`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
			`// The API $user is the owner of $server1.`
			`[$user, $server1] = $this->generateTestAccount();`
			`// Will be a subuser of $server2.`
			`$server2 = $this->createServerModel();`
			`// And as no access to $server3.`
			`$server3 = $this->createServerModel();`

			`// Set the API $user as a subuser of server 2, but with no permissions`
			`// to do anything with the subusers for that server.`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`Subuser::factory()->create(['server_id' => $server1->id, 'user_id' => $internal->id]);`
			`Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $internal->id]);`
			`Subuser::factory()->create(['server_id' => $server3->id, 'user_id' => $internal->id]);`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
			`// This route is acceptable since they're accessing a subuser on their own server.`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$this->actingAs($user)->json($method, $this->link($server1, '/users/' . $internal->uuid))->assertStatus($method === 'POST' ? 422 : ($method === 'DELETE' ? 204 : 200));`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00
			`// This route can be revealed since the subuser belongs to the correct server, but`
			`// errors out with a 403 since $user does not have the right permissions for this.`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`$this->actingAs($user)->json($method, $this->link($server2, '/users/' . $internal->uuid))->assertForbidden();`
			`$this->actingAs($user)->json($method, $this->link($server3, '/users/' . $internal->uuid))->assertNotFound();`
Add changes from upstream (#2293) Co-authored-by: DaneEveritt <dane@daneeveritt.com> Co-authored-by: danny6167 <danielb@purpleflaghosting.com> Co-authored-by: MrSoulPenguin <28676680+MrSoulPenguin@users.noreply.github.com> 2026-04-20 17:25:54 +02:00
			`if ($method === 'DELETE') {`
			`Bus::assertDispatchedTimes(function (RevokeSftpAccessJob $job) use ($server1, $internal) {`
			`return $job->user === $internal->uuid && $job->target->is($server1);`
			`});`
			`} else {`
			`Bus::assertNotDispatched(RevokeSftpAccessJob::class);`
			`}`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`}`

Laravel 10 (#4706) 2023-02-23 12:30:16 -07:00			`public static function methodDataProvider(): array`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`{`
Update to Laravel 8 Co-authored-by: Matthew Penner <me@matthewp.io> 2021-01-23 12:09:16 -08:00			`return [['GET'], ['POST'], ['DELETE']];`
Add test coverage to cehck the authorization state of client resources 2021-01-19 21:20:55 -08:00			`}`
			`}`