svc-admin01/snipe-it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
develop
snipe-it/tests/Feature/Users/Api/DeleteUsersTest.php
T
snipe e6ead7c6fa Added tests
2026-04-09 14:52:30 +01:00

289 lines
9.3 KiB
PHP
Raw Permalink Blame History

<?php
namespace Tests\Feature\Users\Api;
use App\Models\Company;
use App\Models\LicenseSeat;
use App\Models\Location;
use App\Models\User;
use Illuminate\Support\Facades\DB;
use Tests\Concerns\TestsFullMultipleCompaniesSupport;
use Tests\Concerns\TestsPermissionsRequirement;
use Tests\TestCase;
class DeleteUsersTest extends TestCase implements TestsFullMultipleCompaniesSupport, TestsPermissionsRequirement
{
public function test_requires_permission()
{
$user = User::factory()->create();
$this->actingAsForApi(User::factory()->create())
->deleteJson(route('api.users.destroy', $user))
->assertForbidden();
$this->assertNotSoftDeleted($user);
}
public function test_error_returned_via_api_if_user_does_not_exist()
{
$this->actingAsForApi(User::factory()->deleteUsers()->create())
->deleteJson(route('api.users.destroy', 'invalid-id'))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
}
public function test_error_returned_via_api_if_user_is_already_deleted()
{
$user = User::factory()->deletedUser()->create();
$this->actingAsForApi(User::factory()->deleteUsers()->create())
->deleteJson(route('api.users.destroy', $user))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
}
public function test_disallow_user_deletion_via_api_if_still_managing_people()
{
$manager = User::factory()->create();
User::factory()->count(5)->create(['manager_id' => $manager->id]);
$this->assertFalse($manager->isDeletable());
$this->actingAsForApi(User::factory()->deleteUsers()->create())
->deleteJson(route('api.users.destroy', $manager))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
}
public function test_disallow_user_deletion_via_api_if_still_managing_locations()
{
$manager = User::factory()->create();
Location::factory()->count(5)->create(['manager_id' => $manager->id]);
$this->assertFalse($manager->isDeletable());
$this->actingAsForApi(User::factory()->deleteUsers()->create())
->deleteJson(route('api.users.destroy', $manager))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
}
public function test_disallow_user_deletion_via_api_if_still_has_licenses()
{
$manager = User::factory()->create();
LicenseSeat::factory()->count(5)->create(['assigned_to' => $manager->id]);
$this->assertFalse($manager->isDeletable());
$this->actingAsForApi(User::factory()->deleteUsers()->create())
->deleteJson(route('api.users.destroy', $manager))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
}
public function test_users_cannot_delete_themselves()
{
$user = User::factory()->deleteUsers()->create();
$this->actingAsForApi($user)
->deleteJson(route('api.users.destroy', $user))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
}
public function test_adheres_to_full_multiple_companies_support_scoping()
{
$this->settings->enableMultipleFullCompanySupport();
[$companyA, $companyB] = Company::factory()->count(2)->create();
$superuser = User::factory()->superuser()->create();
$userFromA = User::factory()->deleteUsers()->for($companyA)->create();
$userFromB = User::factory()->deleteUsers()->for($companyB)->create();
$this->actingAsForApi($userFromA)
->deleteJson(route('api.users.destroy', $userFromB))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
$userFromB->refresh();
$this->assertNull($userFromB->deleted_at);
$this->actingAsForApi($userFromB)
->deleteJson(route('api.users.destroy', $userFromA))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('error')
->json();
$userFromA->refresh();
$this->assertNull($userFromA->deleted_at);
$this->actingAsForApi($superuser)
->deleteJson(route('api.users.destroy', $userFromA))
->assertOk()
->assertStatus(200)
->assertStatusMessageIs('success')
->json();
$userFromA->refresh();
$this->assertNotNull($userFromA->deleted_at);
}
public function test_can_delete_user()
{
$user = User::factory()->create();
$this->actingAsForApi(User::factory()->deleteUsers()->create())
->deleteJson(route('api.users.destroy', $user))
->assertOk()
->assertStatusMessageIs('success');
$this->assertSoftDeleted($user);
}
public function test_deleting_user_revokes_associated_passport_tokens()
{
$user = User::factory()->create();
$clientId = DB::table('oauth_clients')->insertGetId([
'user_id' => null,
'name' => 'Test Personal Client',
'secret' => 'secret',
'redirect' => 'http://localhost/callback',
'personal_access_client' => 1,
'password_client' => 0,
'revoked' => 0,
'created_at' => now(),
'updated_at' => now(),
]);
DB::table('oauth_access_tokens')->insert([
'id' => 'soft-delete-token-'.$user->id,
'user_id' => $user->id,
'client_id' => $clientId,
'name' => 'Soft Delete Token',
'scopes' => '[]',
'revoked' => 0,
'created_at' => now(),
'updated_at' => now(),
'expires_at' => now()->addDay(),
]);
DB::table('oauth_refresh_tokens')->insert([
'id' => 'soft-delete-refresh-'.$user->id,
'access_token_id' => 'soft-delete-token-'.$user->id,
'revoked' => 0,
'expires_at' => now()->addDays(7),
]);
$this->actingAsForApi(User::factory()->deleteUsers()->create())
->deleteJson(route('api.users.destroy', $user))
->assertOk()
->assertStatusMessageIs('success');
$this->assertSoftDeleted($user);
$this->assertDatabaseHas('oauth_access_tokens', [
'id' => 'soft-delete-token-'.$user->id,
'revoked' => 1,
]);
$this->assertDatabaseHas('oauth_refresh_tokens', [
'id' => 'soft-delete-refresh-'.$user->id,
'revoked' => 1,
]);
}
public function test_force_deleting_user_hard_deletes_associated_passport_tokens()
{
$user = User::factory()->create();
$clientId = DB::table('oauth_clients')->insertGetId([
'user_id' => null,
'name' => 'Test Personal Client',
'secret' => 'secret',
'redirect' => 'http://localhost/callback',
'personal_access_client' => 1,
'password_client' => 0,
'revoked' => 0,
'created_at' => now(),
'updated_at' => now(),
]);
DB::table('oauth_access_tokens')->insert([
'id' => 'force-delete-token-'.$user->id,
'user_id' => $user->id,
'client_id' => $clientId,
'name' => 'Force Delete Token',
'scopes' => '[]',
'revoked' => 0,
'created_at' => now(),
'updated_at' => now(),
'expires_at' => now()->addDay(),
]);
DB::table('oauth_refresh_tokens')->insert([
'id' => 'force-delete-refresh-'.$user->id,
'access_token_id' => 'force-delete-token-'.$user->id,
'revoked' => 0,
'expires_at' => now()->addDays(7),
]);
$user->forceDelete();
$this->assertDatabaseMissing('oauth_access_tokens', [
'id' => 'force-delete-token-'.$user->id,
]);
$this->assertDatabaseMissing('oauth_refresh_tokens', [
'id' => 'force-delete-refresh-'.$user->id,
]);
}
public function test_admin_cannot_delete_super_user()
{
$superuser = User::factory()->superuser()->create();
$admin = User::factory()->admin()->create();
$this->actingAsForApi($admin)
->deleteJson(route('api.users.destroy', $superuser))
->assertOk()
->assertStatusMessageIs('error');
}
public function test_user_cannot_delete_admin_user()
{
$user = User::factory()->deleteUsers()->create();
$admin = User::factory()->admin()->create();
$this->actingAsForApi($user)
->deleteJson(route('api.users.destroy', $admin))
->assertOk()
->assertStatusMessageIs('error');
}
public function test_user_cannot_delete_super_user()
{
$user = User::factory()->deleteUsers()->create();
$superuser = User::factory()->superuser()->create();
$this->actingAsForApi($user)
->deleteJson(route('api.users.destroy', $superuser))
->assertOk()
->assertStatusMessageIs('error');
}
}
Reference in New Issue View Git Blame Copy Permalink