Unsupervised/unsupervised-scheduler
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f3f5c7801fb188b87745e50b90d8d3769a313752
unsupervised-scheduler/tests/Unit/Availability/AvailabilitySlotTest.php
T
thatguygriff f3f5c7801f
CI / No Debug Code (pull_request) Successful in 3s
Details
CI / Tests (PHP 8.1) (pull_request) Successful in 43s
Details
CI / Tests (PHP 8.3) (pull_request) Successful in 49s
Details
CI / Tests (PHP 8.2) (pull_request) Successful in 59s
Details
CI / Coding Standards (pull_request) Successful in 1m11s
Details
CI / PHPStan (pull_request) Successful in 1m20s
Details
CI / Build Plugin Zip (pull_request) Has been skipped
Details
Security fixes: CSV injection, policy body output, invite hashing, slot datetimes 
Four fixes from a security review pass:

- Neutralise CSV formula injection in the payments export: fields with a
  leading =, +, -, @, tab, or CR (e.g. a hostile student display name) are
  apostrophe-prefixed in PaymentReport::csvLine() so they open as text in
  Excel/Google Sheets. Fixes #39.
- Sanitise policy bodies with wp_kses_post at output in
  PolicyEndpoint::index() (the booking JS renders that HTML raw), so a
  future write path that forgets kses can never become stored XSS.
  Fixes #40.
- Store invite tokens hashed (SHA-256) at rest: a database leak can no
  longer redeem pending invites. The registration link is shown once, at
  creation; the pending list shows email/invited date; lookups hash the
  submitted token. Existing plaintext pending invites must be re-issued.
  Fixes #41.
- Validate availability slot datetimes on both creation paths (REST and
  admin form) via AvailabilitySlot::normalizeDateTime(): canonical and
  datetime-local forms normalise to Y-m-d H:i:s, garbage and end <= start
  are rejected (REST 400) instead of reaching the DATETIME column or
  throwing inside the weekly-series date arithmetic. Fixes #42.

composer test (204 tests, 594 assertions), PHPStan L6, and PHPCS all green.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 16:36:26 -03:00

97 lines
3.8 KiB
PHP
Raw Blame History

<?php
declare(strict_types=1);
namespace Unsupervised\Schedular\Tests\Unit\Availability;
use Unsupervised\Schedular\Availability\AvailabilitySlot;
use Unsupervised\Schedular\Tests\Unit\TestCase;
class AvailabilitySlotTest extends TestCase
{
public function testConstructorAndProperties(): void
{
$slot = new AvailabilitySlot(
instructorId: 5,
startDt: '2026-04-01 09:00:00',
endDt: '2026-04-01 10:00:00',
durationMinutes: 30,
offeringId: 8,
isBooked: false,
recurrenceGroup: 100,
id: 42,
);
self::assertSame(5, $slot->instructorId);
self::assertSame('2026-04-01 09:00:00', $slot->startDt);
self::assertSame(30, $slot->durationMinutes);
self::assertSame(8, $slot->offeringId);
self::assertSame(100, $slot->recurrenceGroup);
self::assertFalse($slot->isBooked);
self::assertSame(42, $slot->id);
}
public function testDefaults(): void
{
$slot = new AvailabilitySlot(1, '2026-04-01 09:00:00', '2026-04-01 10:00:00');
self::assertSame(60, $slot->durationMinutes);
self::assertNull($slot->offeringId);
self::assertFalse($slot->isBooked);
self::assertNull($slot->recurrenceGroup);
self::assertNull($slot->id);
}
public function testFromRowMapsCorrectlyAndCastsNullables(): void
{
$row = (object) [
'id' => '7',
'instructor_id' => '3',
'offering_id' => null,
'start_dt' => '2026-05-10 14:00:00',
'end_dt' => '2026-05-10 15:00:00',
'duration_minutes' => '60',
'is_booked' => '1',
'recurrence_group' => '7',
];
$slot = AvailabilitySlot::fromRow($row);
self::assertSame(7, $slot->id);
self::assertSame(3, $slot->instructorId);
self::assertNull($slot->offeringId);
self::assertSame(60, $slot->durationMinutes);
self::assertSame(7, $slot->recurrenceGroup);
self::assertTrue($slot->isBooked);
}
public function testNormalizeDateTimeAcceptsCanonicalAndDatetimeLocalForms(): void
{
self::assertSame('2026-04-01 09:00:00', AvailabilitySlot::normalizeDateTime('2026-04-01 09:00:00'));
self::assertSame('2026-04-01 09:00:00', AvailabilitySlot::normalizeDateTime('2026-04-01 09:00'));
self::assertSame('2026-04-01 09:00:00', AvailabilitySlot::normalizeDateTime('2026-04-01T09:00'));
self::assertSame('2026-04-01 09:00:30', AvailabilitySlot::normalizeDateTime('2026-04-01T09:00:30'));
}
public function testNormalizeDateTimeRejectsGarbageAndImpossibleDates(): void
{
self::assertNull(AvailabilitySlot::normalizeDateTime(''));
self::assertNull(AvailabilitySlot::normalizeDateTime('not a date'));
self::assertNull(AvailabilitySlot::normalizeDateTime('next tuesday'));
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-04-01'));
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-13-01 09:00:00'));
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-02-30 09:00:00'));
self::assertNull(AvailabilitySlot::normalizeDateTime('2026-04-01 25:00:00'));
self::assertNull(AvailabilitySlot::normalizeDateTime("2026-04-01 09:00:00'); DROP TABLE x;--"));
}
public function testToArrayContainsExpectedKeys(): void
{
$slot = new AvailabilitySlot(1, '2026-04-01 09:00:00', '2026-04-01 10:00:00', 30, 8, false, null, 10);
$arr = $slot->toArray();
foreach (['id', 'instructor_id', 'offering_id', 'start_dt', 'end_dt', 'duration_minutes', 'is_booked', 'recurrence_group'] as $key) {
self::assertArrayHasKey($key, $arr);
}
}
}
Reference in New Issue View Git Blame Copy Permalink