Add admin access control tests
- 401 for unauthenticated requests
- 403 for authenticated non-admin users
- 200 with full user list for admin (looks up the existing ADMIN_EMAIL user; skips gracefully if it is not present in the DB)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
ffdc983553
commit
462401d41a
1 changed files with 47 additions and 0 deletions
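--- a/AppIntegrationTest.php
+++ b/AppIntegrationTest.php
@@ -776,6 +776,53 @@ class AppIntegrationTest extends WebTestCase
         $this->assertSame('Stück', $data['unit']);
     }
 
+    // ── Admin ─────────────────────────────────────────────────────────────────
+
+    public function testAdminUsersUnauthenticated(): void
+    {
+        $this->json($this->client, 'GET', '/api/admin/users');
+        $this->assertSame(401, $this->client->getResponse()->getStatusCode());
+    }
+
+    public function testAdminUsersNonAdminForbidden(): void
+    {
+        $user = $this->createUser('adminblocked');
+        $client = $this->authClient($user);
+        $data = $this->json($client, 'GET', '/api/admin/users');
+
+        $this->assertArrayHasKey('error', $data);
+        $this->assertSame(403, $client->getResponse()->getStatusCode());
+    }
+
+    public function testAdminUsersReturnsAllUsers(): void
+    {
+        $adminEmail = $_ENV['ADMIN_EMAIL'] ?? '';
+        if (!$adminEmail) {
+            $this->markTestSkipped('ADMIN_EMAIL not configured');
+        }
+
+        $admin = $this->em->getRepository(User::class)->findOneBy(['email' => $adminEmail]);
+        if (!$admin) {
+            $this->markTestSkipped("Admin user $adminEmail not found in DB");
+        }
+
+        $this->createUser('adminlistother');
+
+        $client = $this->authClient($admin);
+        $data = $this->json($client, 'GET', '/api/admin/users');
+
+        $this->assertSame(200, $client->getResponse()->getStatusCode());
+        $this->assertIsArray($data);
+        $emails = array_column($data, 'email');
+        $this->assertContains($adminEmail, $emails);
+        $this->assertContains('adminlistother@test.dudi', $emails);
+        foreach ($data as $row) {
+            $this->assertArrayHasKey('email', $row);
+            $this->assertArrayHasKey('username', $row);
+            $this->assertArrayHasKey('registered', $row);
+        }
+    }
+
     public function testGoalDeleteReturnsOkForNonExistentGoal(): void
     {
         $user = $this->createUser('goaldelmissing');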
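Review bot: The positive admin path in testAdminUsersReturnsAllUsers is skipped whenever ADMIN_EMAIL is unset or that user is absent from the test database, so a CI run without seeding stays green while never proving that an admin actually receives 200 and the full list — only the two deny paths are guaranteed to execute. Consider creating or promoting the admin fixture inside the test rather than calling `markTestSkipped`, or at least failing loudly when the variable is set but the user is missing, since a silently skipped authorization test is worse than a red one. The per-row loop checks only that `email`, `username` and `registered` are present; because this endpoint serialises user records to a privileged caller, a negative assertion such as `$this->assertArrayNotHasKey('password', $row);` (plus any token or secret fields the User entity carries — confirm against the class) would stop a later serializer change from exposing credential hashes unnoticed. In testAdminUsersNonAdminForbidden, `$this->assertArrayHasKey('error', $data);` runs before the status assertion, so a non-array body fails with a type error instead of a clear 403 mismatch; swapping the two lines gives a more useful failure. The enclosing class AppIntegrationTest starts and ends outside this hunk.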