Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
061d09e034f1f59a083e90df2fe7ee37334f40b9
unsupervised-scheduler/tests/Unit/Availability/AvailabilityRepositoryTest.php
T
thatguygriff 061d09e034
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 49s
Details
CI / Coding Standards (pull_request) Successful in 55s
Details
CI / PHPStan (pull_request) Successful in 1m7s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 1m41s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 44s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details
Harden booking, offering exposure, payments, and invites 
Security fixes from a pen-test review (issues #31–#37):

- #31 Booking no longer trusts a client-supplied offering_id: a slot-tied
  offering is authoritative and any offering used must belong to the slot's
  instructor, closing a free/misrouted-payment bypass.
- #34 Availability slot creation rejects an offering the instructor does not
  own (AvailabilityEndpoint now takes OfferingRepository).
- #32 Offering/question/policy listing endpoints now require book_lesson
  instead of being public (no anonymous consumer exists); Offering::toArray
  also omits etransfer_email from listings as defense-in-depth.
- #33 Slots are claimed atomically (UPDATE ... WHERE is_booked = 0) before a
  lesson is inserted, preventing a double-booking race.
- #35 A single weekly booking is capped (MAX_WEEKLY_OCCURRENCES) and only
  creates lessons for slots it actually claimed.
- #36 Stripe secret/webhook keys are write-only in the settings UI and a blank
  submit keeps the stored value; secrets are never echoed back into HTML.
- #37 Pending invites expire after 14 days (Invite::isAcceptable), enforced at
  registration and surfaced on the admin invites list.

Adds BookingEndpointTest plus Invite/Offering/AvailabilityRepository coverage
and minimal WP_REST_Request/WP_REST_Response stubs. composer test (200),
lint, and cs all green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-09 17:08:22 -03:00

211 lines
6.8 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Tests\Unit\Availability;
use Brain\Monkey\Functions;
use Mockery;
use Unsupervised\Schedular\Availability\AvailabilityRepository;
use Unsupervised\Schedular\Availability\AvailabilitySlot;
use Unsupervised\Schedular\Tests\Unit\TestCase;
class AvailabilityRepositoryTest extends TestCase
{
private \wpdb $db;
private AvailabilityRepository $repo;
protected function setUp(): void
{
parent::setUp();
$this->db = Mockery::mock(\wpdb::class);
$this->db->prefix = 'wp_';
$this->repo = new AvailabilityRepository($this->db);
}
public function testInsertCallsWpdbInsertAndReturnsId(): void
{
Functions\expect('current_time')->with('mysql')->andReturn('2026-04-01 12:00:00');
$this->db->shouldReceive('insert')
->once()
->with(
'wp_us_availability',
Mockery::on(static function (array $data): bool {
return $data['instructor_id'] === 5
&& $data['start_dt'] === '2026-04-01 09:00:00'
&& $data['duration_minutes'] === 30
&& $data['offering_id'] === 8
&& $data['is_booked'] === 0;
}),
['%d', '%d', '%s', '%s', '%d', '%d', '%d', '%s']
);
$this->db->insert_id = 42;
$slot = new AvailabilitySlot(5, '2026-04-01 09:00:00', '2026-04-01 10:00:00', 30, 8);
$result = $this->repo->insert($slot);
self::assertSame(42, $result);
}
public function testCreateWeeklySeriesInsertsWeeklyAndSharesGroup(): void
{
Functions\when('current_time')->justReturn('2026-04-07 12:00:00');
$captured = [];
$ids = [10, 11, 12];
$this->db->shouldReceive('insert')
->times(3)
->andReturnUsing(function (string $table, array $data) use (&$captured, &$ids): void {
$captured[] = $data['start_dt'];
$this->db->insert_id = array_shift($ids);
});
// The first row is back-filled with its own id as the recurrence group.
$this->db->shouldReceive('update')
->once()
->with('wp_us_availability', ['recurrence_group' => 10], ['id' => 10], ['%d'], ['%d']);
$first = new AvailabilitySlot(5, '2026-04-07 09:00:00', '2026-04-07 10:00:00', 60);
$result = $this->repo->createWeeklySeries($first, 3);
self::assertSame([10, 11, 12], $result);
self::assertSame(
['2026-04-07 09:00:00', '2026-04-14 09:00:00', '2026-04-21 09:00:00'],
$captured
);
}
public function testFindByIdReturnsNullWhenNotFound(): void
{
$this->db->shouldReceive('prepare')
->once()
->andReturn('SELECT * FROM wp_us_availability WHERE id = 99');
$this->db->shouldReceive('get_row')
->once()
->andReturn(null);
$result = $this->repo->findById(99);
self::assertNull($result);
}
public function testFindByIdReturnsSlotWhenFound(): void
{
$row = (object) [
'id' => '10',
'instructor_id' => '5',
'offering_id' => null,
'start_dt' => '2026-04-01 09:00:00',
'end_dt' => '2026-04-01 10:00:00',
'duration_minutes' => '60',
'is_booked' => '0',
'recurrence_group' => null,
];
$this->db->shouldReceive('prepare')->andReturn('SELECT ...');
$this->db->shouldReceive('get_row')->andReturn($row);
$slot = $this->repo->findById(10);
self::assertInstanceOf(AvailabilitySlot::class, $slot);
self::assertSame(10, $slot->id);
self::assertSame(5, $slot->instructorId);
}
public function testClaimReturnsTrueWhenSlotWasUnbooked(): void
{
$this->db->shouldReceive('update')
->once()
->with('wp_us_availability', ['is_booked' => 1], ['id' => 7, 'is_booked' => 0], ['%d'], ['%d', '%d'])
->andReturn(1);
self::assertTrue($this->repo->claim(7));
}
public function testClaimReturnsFalseWhenSlotAlreadyBooked(): void
{
// The is_booked = 0 guard matches no row once the slot is taken.
$this->db->shouldReceive('update')
->once()
->with('wp_us_availability', ['is_booked' => 1], ['id' => 7, 'is_booked' => 0], ['%d'], ['%d', '%d'])
->andReturn(0);
self::assertFalse($this->repo->claim(7));
}
public function testDeleteReturnsFalseWhenRowNotDeleted(): void
{
$this->db->shouldReceive('delete')
->once()
->with('wp_us_availability', ['id' => 1, 'is_booked' => 0], ['%d', '%d'])
->andReturn(0);
self::assertFalse($this->repo->delete(1));
}
public function testFindAvailableWithNoFiltersUsesNoParams(): void
{
$this->db->shouldReceive('get_results')
->once()
->with(Mockery::pattern('/WHERE is_booked = 0/'))
->andReturn([]);
$result = $this->repo->findAvailable();
self::assertSame([], $result);
}
public function testFindAvailableWithInstructorFilterPreparesQuery(): void
{
$this->db->shouldReceive('prepare')
->once()
->with(Mockery::pattern('/instructor_id = %d/'), Mockery::any())
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([]);
$this->repo->findAvailable(instructorId: 3);
}
public function testFindAvailableWithOfferingAndDurationFilters(): void
{
$this->db->shouldReceive('prepare')
->once()
->with(
Mockery::pattern('/offering_id = %d AND duration_minutes = %d/'),
Mockery::on(static fn (array $p): bool => $p === [8, 30])
)
->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([]);
$this->repo->findAvailable(offeringId: 8, durationMinutes: 30);
}
public function testFindByInstructorReturnsSlots(): void
{
$row = (object) [
'id' => '5',
'instructor_id' => '3',
'offering_id' => null,
'start_dt' => '2026-04-01 09:00:00',
'end_dt' => '2026-04-01 10:00:00',
'duration_minutes' => '60',
'is_booked' => '0',
'recurrence_group' => null,
];
$this->db->shouldReceive('prepare')->andReturn('SELECT ...');
$this->db->shouldReceive('get_results')->andReturn([$row]);
$slots = $this->repo->findByInstructor(3);
self::assertCount(1, $slots);
self::assertInstanceOf(AvailabilitySlot::class, $slots[0]);
}
}
Reference in New Issue View Git Blame Copy Permalink