Merge branch 'Fix-CWE-362' into dev

2025-08-16 00:27:49 +02:00 · 2025-03-04 11:59:17 +01:00
parent 46c1131b10 c8b5bd32a6
commit ab5d6873f1
17 changed files with 170 additions and 88 deletions
--- a/tests/Api/v1/Controllers/GroupControllerTest.php
+++ b/tests/Api/v1/Controllers/GroupControllerTest.php
@ -145,6 +145,26 @@ class GroupControllerTest extends FeatureTestCase
        ]);
    }

+    #[Test]
+    public function test_store_with_existing_group_name_returns_validation_error()
+    {
+        $this->actingAs($this->user, 'api-guard')
+            ->json('POST', '/api/v1/groups', [
+                'name' => $this->userGroupA->name,
+            ])
+            ->assertStatus(422);
+    }
+
+    #[Test]
+    public function test_store_with_all_group_name_returns_validation_error()
+    {
+        $this->actingAs($this->user, 'api-guard')
+            ->json('POST', '/api/v1/groups', [
+                'name' => __('commons.all'),
+            ])
+            ->assertStatus(422);
+    }
+
    #[Test]
    public function test_store_invalid_data_returns_validation_error()
    {
@ -193,6 +213,20 @@ class GroupControllerTest extends FeatureTestCase
            ]);
    }

+    #[Test]
+    public function test_show_missing_group_with_id_0_returns_the_virtual_all_group_resource()
+    {
+        $userTwofaccounts = $this->user->twofaccounts;
+
+        $response = $this->actingAs($this->user, 'api-guard')
+            ->json('GET', '/api/v1/groups/0')
+            ->assertOk()
+            ->assertJsonFragment([
+                'name'               => __('commons.all'),
+                'twofaccounts_count' => $userTwofaccounts->count(),
+            ]);
+    }
+
    #[Test]
    public function test_update_returns_updated_group_resource()
    {
@ -392,6 +426,15 @@ class GroupControllerTest extends FeatureTestCase
            ]);
    }

+    #[Test]
+    public function test_accounts_of_the_all_group_returns_user_twofaccounts_collection()
+    {
+        $response = $this->actingAs($this->user, 'api-guard')
+            ->json('GET', '/api/v1/groups/0/twofaccounts')
+            ->assertOk()
+            ->assertJsonCount(2);
+    }
+
    /**
     * test Group deletion via API
     */
@ -430,6 +473,17 @@ class GroupControllerTest extends FeatureTestCase
            ]);
    }

+    #[Test]
+    public function test_destroy_the_all_group_is_forbidden()
+    {
+        $response = $this->actingAs($this->anotherUser, 'api-guard')
+            ->json('DELETE', '/api/v1/groups/0')
+            ->assertForbidden()
+            ->assertJsonStructure([
+                'message',
+            ]);
+    }
+
    #[Test]
    public function test_destroy_group_resets_user_preferences()
    {