Add security tests for sub-account access control

- Test create sub-account denied for non-organizer (redirect) - Test edit/submit/delete sub-account denied for wrong organizer (403) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-20 00:15:45 +01:00
parent 641c37699b
commit 3723762f47
1 changed files with 89 additions and 0 deletions
--- a/tests/Controller/AccountControllerTest.php
+++ b/tests/Controller/AccountControllerTest.php
@@ -254,6 +254,95 @@ class AccountControllerTest extends WebTestCase
        self::assertNull($user->getStripeAccountId());
    }

+    public function testCreateSubAccountDeniedForNonOrganizer(): void
+    {
+        $client = static::createClient();
+        $user = $this->createUser();
+
+        $client->loginUser($user);
+        $client->request('POST', '/mon-compte/sous-compte/creer', [
+            'first_name' => 'Sub',
+            'last_name' => 'Test',
+            'email' => 'sub-denied-'.uniqid().'@example.com',
+        ]);
+
+        self::assertResponseRedirects('/mon-compte');
+    }
+
+    public function testEditSubAccountDeniedForWrongOrganizer(): void
+    {
+        $client = static::createClient();
+        $em = static::getContainer()->get(EntityManagerInterface::class);
+
+        $orga1 = $this->createUser(['ROLE_ORGANIZER'], true);
+        $orga2 = $this->createUser(['ROLE_ORGANIZER'], true);
+
+        $sub = new User();
+        $sub->setEmail('sub-wrong-'.uniqid().'@example.com');
+        $sub->setFirstName('Sub');
+        $sub->setLastName('Wrong');
+        $sub->setPassword('$2y$13$hashed');
+        $sub->setParentOrganizer($orga1);
+        $em->persist($sub);
+        $em->flush();
+
+        $client->loginUser($orga2);
+        $client->request('GET', '/mon-compte/sous-compte/'.$sub->getId());
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testEditSubAccountSubmitDeniedForWrongOrganizer(): void
+    {
+        $client = static::createClient();
+        $em = static::getContainer()->get(EntityManagerInterface::class);
+
+        $orga1 = $this->createUser(['ROLE_ORGANIZER'], true);
+        $orga2 = $this->createUser(['ROLE_ORGANIZER'], true);
+
+        $sub = new User();
+        $sub->setEmail('sub-wrong2-'.uniqid().'@example.com');
+        $sub->setFirstName('Sub');
+        $sub->setLastName('Wrong2');
+        $sub->setPassword('$2y$13$hashed');
+        $sub->setParentOrganizer($orga1);
+        $em->persist($sub);
+        $em->flush();
+
+        $client->loginUser($orga2);
+        $client->request('POST', '/mon-compte/sous-compte/'.$sub->getId().'/modifier', [
+            'first_name' => 'Hack',
+            'last_name' => 'Attempt',
+            'email' => $sub->getEmail(),
+            'permissions' => ['scanner'],
+        ]);
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
+    public function testDeleteSubAccountDeniedForWrongOrganizer(): void
+    {
+        $client = static::createClient();
+        $em = static::getContainer()->get(EntityManagerInterface::class);
+
+        $orga1 = $this->createUser(['ROLE_ORGANIZER'], true);
+        $orga2 = $this->createUser(['ROLE_ORGANIZER'], true);
+
+        $sub = new User();
+        $sub->setEmail('sub-wrong3-'.uniqid().'@example.com');
+        $sub->setFirstName('Sub');
+        $sub->setLastName('Wrong3');
+        $sub->setPassword('$2y$13$hashed');
+        $sub->setParentOrganizer($orga1);
+        $em->persist($sub);
+        $em->flush();
+
+        $client->loginUser($orga2);
+        $client->request('POST', '/mon-compte/sous-compte/'.$sub->getId().'/supprimer');
+
+        self::assertResponseStatusCodeSame(403);
+    }
+
    public function testCreateSubAccount(): void
    {
        $client = static::createClient();