107 lines
3.8 KiB
PHP
107 lines
3.8 KiB
PHP
<?php
|
|
|
|
use App\Models\Permission;
|
|
use App\Models\User;
|
|
|
|
function makeSessionManager(): User
|
|
{
|
|
$user = User::factory()->create(['is_active' => true]);
|
|
foreach (['view active sessions', 'manage active sessions'] as $name) {
|
|
$perm = Permission::firstOrCreate(['name' => $name, 'guard_name' => 'web']);
|
|
$user->givePermissionTo($perm);
|
|
}
|
|
|
|
return $user;
|
|
}
|
|
|
|
function makeSessionViewer(): User
|
|
{
|
|
$user = User::factory()->create(['is_active' => true]);
|
|
$perm = Permission::firstOrCreate(['name' => 'view active sessions', 'guard_name' => 'web']);
|
|
$user->givePermissionTo($perm);
|
|
|
|
return $user;
|
|
}
|
|
|
|
// ── Access control ────────────────────────────────────────────────────────────
|
|
|
|
test('guest cannot access session manager', function () {
|
|
$this->get('/session-manager')->assertRedirect('/login');
|
|
});
|
|
|
|
test('user without permission is forbidden from session manager', function () {
|
|
$user = User::factory()->create();
|
|
|
|
$this->actingAs($user)->get('/session-manager')->assertForbidden();
|
|
});
|
|
|
|
test('user with view permission can access session manager', function () {
|
|
$user = makeSessionViewer();
|
|
|
|
$this->actingAs($user)->get('/session-manager')->assertOk();
|
|
});
|
|
|
|
test('guest cannot access session stats endpoint', function () {
|
|
// JSON requests return 401 Unauthorized (not a redirect) for unauthenticated requests
|
|
$this->getJson('/session-manager/stats')->assertUnauthorized();
|
|
});
|
|
|
|
test('user with view permission can access session stats', function () {
|
|
$user = makeSessionViewer();
|
|
|
|
$this->actingAs($user)->getJson('/session-manager/stats')
|
|
->assertOk()
|
|
->assertJsonStructure(['total', 'active']);
|
|
});
|
|
|
|
// ── Stats structure ────────────────────────────────────────────────────────────
|
|
|
|
test('stats endpoint returns valid json with total key', function () {
|
|
$user = makeSessionViewer();
|
|
|
|
$this->actingAs($user)
|
|
->getJson('/session-manager/stats')
|
|
->assertOk()
|
|
->assertJsonStructure(['total', 'active']);
|
|
});
|
|
|
|
// ── Terminate session ─────────────────────────────────────────────────────────
|
|
|
|
test('user without manage permission cannot terminate a session', function () {
|
|
$viewer = makeSessionViewer();
|
|
|
|
$this->actingAs($viewer)
|
|
->deleteJson('/session-manager/some-session-id')
|
|
->assertForbidden();
|
|
});
|
|
|
|
test('manager cannot terminate their own current session', function () {
|
|
// The controller's destroy() checks: if ($id === session()->getId()) → 403.
|
|
// We invoke it directly, bypassing HTTP, so the session ID is stable.
|
|
$manager = makeSessionManager();
|
|
$this->actingAs($manager);
|
|
|
|
$controller = app(\App\Http\Controllers\SystemSettings\SessionManagerController::class);
|
|
$currentId = session()->getId();
|
|
|
|
$response = $controller->destroy(request(), $currentId);
|
|
|
|
expect($response->getStatusCode())->toBe(403);
|
|
expect(json_decode($response->getContent(), true)['success'])->toBeFalse();
|
|
});
|
|
|
|
test('manager can terminate a different session id', function () {
|
|
// With array/redis driver the controller returns success when no row is found to delete.
|
|
$manager = makeSessionManager();
|
|
|
|
$this->actingAs($manager)
|
|
->deleteJson('/session-manager/some-other-session-id')
|
|
->assertOk()
|
|
->assertJsonPath('success', true);
|
|
});
|
|
|
|
test('guest cannot terminate sessions', function () {
|
|
// JSON requests return 401 (not a redirect) for unauthenticated requests
|
|
$this->deleteJson('/session-manager/any-id')->assertUnauthorized();
|
|
});
|