update permission middleware
This commit is contained in:
@@ -260,4 +260,95 @@ class PermissionMiddlewareTest extends TestCase
|
||||
$response->assertStatus(200);
|
||||
$response->assertJsonPath('code', 0);
|
||||
}
|
||||
|
||||
// ========== 安全修复测试 ==========
|
||||
|
||||
public function test_unregistered_route_denied_for_non_admin(): void
|
||||
{
|
||||
$user = $this->createTestUser('developer');
|
||||
|
||||
// 从 routes 表删除 GET /api/v1/users 记录,模拟未注册场景
|
||||
$route = Route::query()->where('method', 'GET')->where('path', '/api/v1/users')->first();
|
||||
if (!$route) {
|
||||
$this->markTestSkipped('routes 表中无 GET /api/v1/users 路由');
|
||||
}
|
||||
|
||||
$route_data = $route->toArray();
|
||||
$route->delete();
|
||||
|
||||
try {
|
||||
// 白名单模式:routes 表中无记录 → 403
|
||||
$response = $this->get('/api/v1/users', [], $this->authHeaders($user));
|
||||
$response->assertStatus(403);
|
||||
} finally {
|
||||
// 恢复路由记录
|
||||
Route::query()->create($route_data);
|
||||
}
|
||||
}
|
||||
|
||||
public function test_admin_allowed_on_unregistered_route(): void
|
||||
{
|
||||
$user = $this->createTestUser('administrator');
|
||||
|
||||
// 从 routes 表删除 GET /api/v1/users 记录
|
||||
$route = Route::query()->where('method', 'GET')->where('path', '/api/v1/users')->first();
|
||||
if (!$route) {
|
||||
$this->markTestSkipped('routes 表中无 GET /api/v1/users 路由');
|
||||
}
|
||||
|
||||
$route_data = $route->toArray();
|
||||
$route->delete();
|
||||
|
||||
try {
|
||||
// administrator 跳过路由检查,即使路由未在 routes 表中也应正常访问
|
||||
$response = $this->get('/api/v1/users', [], $this->authHeaders($user));
|
||||
$response->assertStatus(200);
|
||||
} finally {
|
||||
// 恢复路由记录
|
||||
Route::query()->create($route_data);
|
||||
}
|
||||
}
|
||||
|
||||
public function test_parametric_route_matches_template_path(): void
|
||||
{
|
||||
$user = $this->createTestUser('developer');
|
||||
|
||||
$route = Route::query()
|
||||
->where('method', 'GET')
|
||||
->where('path', '/api/v1/users/{id}')
|
||||
->first();
|
||||
|
||||
if (!$route) {
|
||||
$this->markTestSkipped('routes 表中无 GET /api/v1/users/{id} 路由');
|
||||
}
|
||||
|
||||
// 创建路由组并授权
|
||||
$group = RouteGroup::query()->create([
|
||||
'name' => 'test_param_route_' . uniqid(),
|
||||
'label' => '参数化路由测试',
|
||||
]);
|
||||
|
||||
$old_group_id = $route->group_id;
|
||||
$route->group_id = $group->id;
|
||||
$route->save();
|
||||
|
||||
Db::table('role_route_groups')->insert([
|
||||
'role_id' => $user->role_id,
|
||||
'group_id' => $group->id,
|
||||
]);
|
||||
|
||||
// 访问参数化路由 /api/v1/users/1(应匹配模板路径 /api/v1/users/{id})
|
||||
$response = $this->get('/api/v1/users/1', [], $this->authHeaders($user));
|
||||
// 路由检查应通过(200 或 404 取决于用户是否存在,但不应是 403)
|
||||
$this->assertNotEquals(403, $response->getStatusCode());
|
||||
|
||||
// 清理
|
||||
Db::table('role_route_groups')
|
||||
->where('role_id', $user->role_id)
|
||||
->where('group_id', $group->id)
|
||||
->delete();
|
||||
$route->group_id = $old_group_id;
|
||||
$route->save();
|
||||
$group->delete();
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user