admin/e-ticket
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
04927ec988aae6db73f74358ca26d5366a81d9c4
e-ticket/tests/EventSubscriber/SuspendedUserSubscriberTest.php
Serreau Jovann 04927ec988 Complete TASK_CHECKUP: security, UX, tests, coverage, accessibility, config externalization 
Billetterie:
- Partial refund support (STATUS_PARTIALLY_REFUNDED, refundedAmount field, migration)
- Race condition fix: PESSIMISTIC_WRITE lock on stock decrement in transaction
- Idempotency key on PaymentIntent::create, reuse existing PI if stripeSessionId set
- Disable checkout when event ended (server 400 + template hide)
- Webhook deduplication via cache (24h TTL on stripe event.id)
- Email validation (filter_var) in OrderController guest flow
- JSON cart validation (structure check before processing)
- Invitation expiration after 7 days (isExpired method + landing page message)
- Stripe Checkout fallback when JS fails to load (noscript + redirect)

Config externalization:
- Move Stripe fees (STRIPE_FEE_RATE, STRIPE_FEE_FIXED) and admin email (ADMIN_EMAIL) to .env/services.yaml
- Replace all hardcoded contact@e-cosplay.fr across 13 files
- MailerService: getAdminEmail()/getAdminFrom(), default $from=null resolves to admin

UX & Accessibility:
- ARIA tabs: role=tablist/tab/tabpanel, aria-selected, keyboard nav (arrows, Home, End)
- aria-label on cart +/- buttons and editor toolbar buttons
- tabindex=0 on editor toolbar buttons for keyboard access
- data-confirm handler in app.js (was only in admin.js)
- Cart error feedback on checkout failure
- Billet designer save feedback (loading/success/error states)
- Stock polling every 30s with rupture/low stock badges
- Back to event link on payment page

Security:
- HTML sanitizer: BLOCKED_TAGS list (script, style, iframe, svg, etc.) - content fully removed
- Stripe polling timeout (15s max) with fallback redirect
- Rate limiting on public order access (20/5min)
- .catch() on all fetch() calls (sortable, billet-designer)

Tests (92% PHP, 100% JS lines):
- PCOV added to dev Dockerfile
- Test DB setup: .env.test with DATABASE_URL, Redis auth, Meilisearch key
- Rate limiter disabled in test env
- Makefile: test_db_setup, test_db_reset, run_test_php, run_test_coverage_php/js
- New tests: InvitationFlowTest (21), AuditServiceTest (4), ExportServiceTest (9), InvoiceServiceTest (4)
- New tests: SuspendedUserSubscriberTest, RateLimiterSubscriberTest, MeilisearchServiceTest
- New tests: Stripe webhook payment_failed (6) + charge.refunded (6)
- New tests: BilletBuyer refund, User suspended, OrganizerInvitation expiration
- JS tests: stock polling (6), data-confirm (2), copy-url restore (1), editor ARIA (2), XSS (9), tabs keyboard (9)
- ESLint + PHP CS Fixer: 0 errors
- SonarQube exclusions aligned with vitest coverage config

Infra:
- Meilisearch consistency command (app:meilisearch:check-consistency --fix) + cron daily 3am
- MeilisearchService: getAllDocumentIds(), listIndexes()

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-23 11:14:06 +01:00

156 lines
5.1 KiB
PHP
Raw Blame History

<?php
namespace App\Tests\EventSubscriber;
use App\Entity\User;
use App\EventSubscriber\SuspendedUserSubscriber;
use PHPUnit\Framework\TestCase;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\Flash\FlashBagInterface;
use Symfony\Component\HttpFoundation\Session\Session;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
class SuspendedUserSubscriberTest extends TestCase
{
private Security $security;
private UrlGeneratorInterface $urlGenerator;
private SuspendedUserSubscriber $subscriber;
protected function setUp(): void
{
$this->security = $this->createMock(Security::class);
$this->urlGenerator = $this->createMock(UrlGeneratorInterface::class);
$this->subscriber = new SuspendedUserSubscriber(
$this->security,
$this->urlGenerator,
'admin@example.com',
);
}
private function createEvent(string $route, int $requestType = HttpKernelInterface::MAIN_REQUEST): RequestEvent
{
$flashBag = $this->createMock(FlashBagInterface::class);
$session = $this->createMock(Session::class);
$session->method('getFlashBag')->willReturn($flashBag);
$request = new Request();
$request->attributes->set('_route', $route);
$request->setSession($session);
$kernel = $this->createMock(HttpKernelInterface::class);
return new RequestEvent($kernel, $request, $requestType);
}
public function testSubscribedEvents(): void
{
$events = SuspendedUserSubscriber::getSubscribedEvents();
self::assertArrayHasKey(KernelEvents::REQUEST, $events);
self::assertSame(['onKernelRequest', 8], $events[KernelEvents::REQUEST]);
}
public function testSkipsSubRequest(): void
{
$this->security->expects(self::never())->method('getUser');
$event = $this->createEvent('app_dashboard', HttpKernelInterface::SUB_REQUEST);
$this->subscriber->onKernelRequest($event);
self::assertNull($event->getResponse());
}
public function testSkipsWhenNoUser(): void
{
$this->security->method('getUser')->willReturn(null);
$event = $this->createEvent('app_dashboard');
$this->subscriber->onKernelRequest($event);
self::assertNull($event->getResponse());
}
public function testSkipsWhenUserNotSuspended(): void
{
$user = new User();
$user->setIsSuspended(false);
$this->security->method('getUser')->willReturn($user);
$event = $this->createEvent('app_dashboard');
$this->subscriber->onKernelRequest($event);
self::assertNull($event->getResponse());
}
public function testSkipsWhenUserSuspendedNull(): void
{
$user = new User();
$this->security->method('getUser')->willReturn($user);
$event = $this->createEvent('app_dashboard');
$this->subscriber->onKernelRequest($event);
self::assertNull($event->getResponse());
}
#[\PHPUnit\Framework\Attributes\DataProvider('allowedRoutesProvider')]
public function testSkipsAllowedRoutesForSuspendedUser(string $route): void
{
$user = new User();
$user->setIsSuspended(true);
$this->security->method('getUser')->willReturn($user);
$event = $this->createEvent($route);
$this->subscriber->onKernelRequest($event);
self::assertNull($event->getResponse());
}
/**
* @return iterable<string, array{string}>
*/
public static function allowedRoutesProvider(): iterable
{
yield 'logout' => ['app_logout'];
yield 'home' => ['app_home'];
yield 'login' => ['app_login'];
}
public function testRedirectsSuspendedUserOnProtectedRoute(): void
{
$user = new User();
$user->setIsSuspended(true);
$this->security->method('getUser')->willReturn($user);
$this->urlGenerator->method('generate')
->with('app_home')
->willReturn('/');
$flashBag = $this->createMock(FlashBagInterface::class);
$flashBag->expects(self::once())
->method('add')
->with('error', 'Votre compte a ete suspendu. Contactez admin@example.com.');
$session = $this->createMock(Session::class);
$session->method('getFlashBag')->willReturn($flashBag);
$request = new Request();
$request->attributes->set('_route', 'app_dashboard');
$request->setSession($session);
$kernel = $this->createMock(HttpKernelInterface::class);
$event = new RequestEvent($kernel, $request, HttpKernelInterface::MAIN_REQUEST);
$this->subscriber->onKernelRequest($event);
$response = $event->getResponse();
self::assertInstanceOf(RedirectResponse::class, $response);
self::assertSame('/', $response->getTargetUrl());
}
}
Reference in New Issue View Git Blame Copy Permalink