First production use of actionCreateContext — the second aggregator
introduced in step 1 and unit-tested at the building-block level, but
not yet exercised against a real caller. Helper file stays 0-diff for
the sixth consecutive migration.
The migration uncovers one real API gap and resolves it at the policy
layer rather than at the helper:
* actionCreateContext always calls actionEnforceCanViewPage. The
Departments create-decision was the only Departments authorize
branch that did not emit can_view_page (View and EditContext both
did). Adding 'can_view_page' => true to the create-capabilities
map is tautological — every actor that survives the deny() guards
at lines 69-70 and 75-76 can by definition see the page. No new
forbidden path is created. View, Create, and EditContext now share
the same capability shape.
Three drift decisions reproduced where applicable:
* notFoundFlashScopeKey is N/A (no model lookup in create flow).
* t() consistency: all three Flash::success('Department created', …)
calls now flow through t().
* Defensive scope consumption: $canManageAllTenants reads
$tenantScope['scope'] === 'all', mirroring the edit-action pattern.
The GET tenant filter rewrites from is_array($allowedTenantIds) to
the three-way scope-tuple form.
AuthzAdminMasterDataContractTest gets a single-line assertion update
(AuthorizationService::class → actionCreateContext() pattern). The
aggregator wraps the same authorize call internally, so this is a
pattern-rename, not a semantic shift.
ActionContextCsrfPairingContractTest now covers six callers (five
edits + departments-create) and stays green.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
83 lines
5.3 KiB
PHP
83 lines
5.3 KiB
PHP
<?php
|
|
|
|
namespace MintyPHP\Tests\Architecture;
|
|
|
|
use PHPUnit\Framework\TestCase;
|
|
|
|
class AuthzAdminMasterDataContractTest extends TestCase
|
|
{
|
|
use ProjectFileAssertionSupport;
|
|
|
|
public function testAdminDepartmentsEditAndDeleteUseCentralPolicies(): void
|
|
{
|
|
$indexContent = $this->readProjectFile('pages/admin/departments/index().php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $indexContent);
|
|
$this->assertStringContainsString('DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_VIEW', $indexContent);
|
|
|
|
$dataContent = $this->readProjectFile('pages/admin/departments/data().php');
|
|
$this->assertStringContainsString('Guard::requireAbilityDecisionOrForbidden(DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_VIEW);', $dataContent);
|
|
$this->assertStringContainsString('DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_VIEW', $dataContent);
|
|
|
|
$createContent = $this->readProjectFile('pages/admin/departments/create().php');
|
|
$this->assertStringContainsString('actionCreateContext(', $createContent);
|
|
$this->assertStringContainsString('DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_CREATE', $createContent);
|
|
|
|
$editContent = $this->readProjectFile('pages/admin/departments/edit($id).php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $editContent);
|
|
$this->assertStringContainsString('DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_EDIT_CONTEXT', $editContent);
|
|
$this->assertStringContainsString('DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_EDIT_SUBMIT', $editContent);
|
|
|
|
$deleteContent = $this->readProjectFile('pages/admin/departments/delete($id).php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $deleteContent);
|
|
$this->assertStringContainsString('DepartmentAuthorizationPolicy::ABILITY_ADMIN_DEPARTMENTS_DELETE', $deleteContent);
|
|
}
|
|
|
|
public function testAdminRolesActionsUseCentralPolicies(): void
|
|
{
|
|
$indexContent = $this->readProjectFile('pages/admin/roles/index().php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $indexContent);
|
|
$this->assertStringContainsString('RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_VIEW', $indexContent);
|
|
|
|
$dataContent = $this->readProjectFile('pages/admin/roles/data().php');
|
|
$this->assertStringContainsString('Guard::requireAbilityOrForbidden(RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_VIEW);', $dataContent);
|
|
$this->assertStringContainsString('RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_VIEW', $dataContent);
|
|
|
|
$createContent = $this->readProjectFile('pages/admin/roles/create().php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $createContent);
|
|
$this->assertStringContainsString('RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_CREATE', $createContent);
|
|
|
|
$editContent = $this->readProjectFile('pages/admin/roles/edit($id).php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $editContent);
|
|
$this->assertStringContainsString('RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_EDIT_CONTEXT', $editContent);
|
|
$this->assertStringContainsString('RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_EDIT_SUBMIT', $editContent);
|
|
|
|
$deleteContent = $this->readProjectFile('pages/admin/roles/delete($id).php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $deleteContent);
|
|
$this->assertStringContainsString('RoleAuthorizationPolicy::ABILITY_ADMIN_ROLES_DELETE', $deleteContent);
|
|
}
|
|
|
|
public function testAdminPermissionsActionsUseCentralPolicies(): void
|
|
{
|
|
$indexContent = $this->readProjectFile('pages/admin/permissions/index().php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $indexContent);
|
|
$this->assertStringContainsString('PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_VIEW', $indexContent);
|
|
|
|
$dataContent = $this->readProjectFile('pages/admin/permissions/data().php');
|
|
$this->assertStringContainsString('Guard::requireAbilityOrForbidden(PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_VIEW);', $dataContent);
|
|
$this->assertStringContainsString('PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_VIEW', $dataContent);
|
|
|
|
$createContent = $this->readProjectFile('pages/admin/permissions/create().php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $createContent);
|
|
$this->assertStringContainsString('PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_CREATE', $createContent);
|
|
|
|
$editContent = $this->readProjectFile('pages/admin/permissions/edit($id).php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $editContent);
|
|
$this->assertStringContainsString('PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_EDIT_CONTEXT', $editContent);
|
|
$this->assertStringContainsString('PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_EDIT_SUBMIT', $editContent);
|
|
|
|
$deleteContent = $this->readProjectFile('pages/admin/permissions/delete($id).php');
|
|
$this->assertStringContainsString('AuthorizationService::class', $deleteContent);
|
|
$this->assertStringContainsString('PermissionAuthorizationPolicy::ABILITY_ADMIN_PERMISSIONS_DELETE', $deleteContent);
|
|
}
|
|
}
|