einundzwanzig/einundzwanzig-app
1
0
Fork 0
mirror of https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git synced 2026-06-11 02:50:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add OAuth functionality, MCP tools, and feature tests

Browse Source 
- 🔒 Added migrations for `oauth_access_tokens`, `oauth_refresh_tokens`, `oauth_auth_codes`, `oauth_clients`, and `oauth_device_codes`.
- 🤖 Created MCP tools (Meetups, Cities, Venues, Courses, Lecturers) for managing entities with authentication and validation.
- 🛠️ Implemented Passport-backed OAuth API guard configuration and validation endpoints.
-  Added comprehensive feature tests for MCP tools and OAuth functionality (access control, validation, and token-based authentication).
This commit is contained in:
HolgerHatGarKeineNode
2026-06-08 09:37:00 +02:00
parent 3cad5f5636
commit d0544bfac9
67 changed files with 3948 additions and 83 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Feature/Mcp/CityMcpToolTest.php
+73
View File
@@ -0,0 +1,73 @@
<?php
use App\Mcp\Servers\EinundzwanzigServer;
use App\Mcp\Tools\City\CreateCityTool;
use App\Mcp\Tools\City\ListMyCitiesTool;
use App\Mcp\Tools\City\ShowMyCityTool;
use App\Mcp\Tools\City\UpdateCityTool;
use App\Models\City;
use App\Models\Country;
use App\Models\User;
it('lets an authenticated user create a city and stamps created_by', function () {
$user = User::factory()->create();
$country = Country::factory()->create();
$response = EinundzwanzigServer::actingAs($user)->tool(CreateCityTool::class, [
'name' => 'Ansbach',
'country_id' => $country->id,
'longitude' => 10.5806,
'latitude' => 49.3034,
]);
$response->assertOk()->assertSee('Ansbach');
$this->assertDatabaseHas('cities', [
'name' => 'Ansbach',
'created_by' => $user->id,
]);
});
it('fails validation for missing fields', function () {
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(CreateCityTool::class, [])
->assertHasErrors();
});
it('lets the owner update a city', function () {
$user = User::factory()->create();
$city = City::factory()->create(['created_by' => $user->id]);
EinundzwanzigServer::actingAs($user)
->tool(UpdateCityTool::class, ['id' => $city->id, 'name' => 'Nürnberg'])
->assertOk()
->assertSee('Nürnberg');
});
it('forbids updating someone elses city', function () {
$owner = User::factory()->create();
$city = City::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(UpdateCityTool::class, ['id' => $city->id, 'name' => 'Hijack'])
->assertHasErrors();
});
it('returns only own cities in the mine list', function () {
$user = User::factory()->create();
City::factory()->count(2)->create(['created_by' => $user->id]);
City::factory()->create(['created_by' => User::factory()->create()->id]);
EinundzwanzigServer::actingAs($user)
->tool(ListMyCitiesTool::class)
->assertOk();
});
it('forbids viewing someone elses city in mine show', function () {
$owner = User::factory()->create();
$city = City::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(ShowMyCityTool::class, ['id' => $city->id])
->assertHasErrors();
});
tests/Feature/Mcp/CourseEventMcpToolTest.php
+90
View File
@@ -0,0 +1,90 @@
<?php
use App\Mcp\Servers\EinundzwanzigServer;
use App\Mcp\Tools\CourseEvent\CreateCourseEventTool;
use App\Mcp\Tools\CourseEvent\ListMyCourseEventsTool;
use App\Mcp\Tools\CourseEvent\UpdateCourseEventTool;
use App\Models\Course;
use App\Models\CourseEvent;
use App\Models\User;
use App\Models\Venue;
it('forbids a non-lecturer from creating a course event', function () {
$course = Course::factory()->create();
$venue = Venue::factory()->create();
EinundzwanzigServer::actingAs(User::factory()->create(['is_lecturer' => false]))
->tool(CreateCourseEventTool::class, [
'course_id' => $course->id,
'venue_id' => $venue->id,
'from' => '2026-07-01 18:00:00',
'to' => '2026-07-01 21:00:00',
'link' => 'https://clavastack.com/produkt/specter-shield-lite-workshop',
])
->assertHasErrors();
});
it('lets a lecturer create a course event and stamps created_by', function () {
$user = User::factory()->lecturer()->create();
$course = Course::factory()->create();
$venue = Venue::factory()->create();
EinundzwanzigServer::actingAs($user)
->tool(CreateCourseEventTool::class, [
'course_id' => $course->id,
'venue_id' => $venue->id,
'from' => '2026-07-01 18:00:00',
'to' => '2026-07-01 21:00:00',
'link' => 'https://clavastack.com/produkt/specter-shield-lite-workshop',
])
->assertOk();
$this->assertDatabaseHas('course_events', [
'course_id' => $course->id,
'venue_id' => $venue->id,
'created_by' => $user->id,
]);
});
it('fails validation for missing fields', function () {
EinundzwanzigServer::actingAs(User::factory()->lecturer()->create())
->tool(CreateCourseEventTool::class, [])
->assertHasErrors();
});
it('lets the owner update their course event', function () {
$user = User::factory()->lecturer()->create();
$event = CourseEvent::factory()->create(['created_by' => $user->id]);
EinundzwanzigServer::actingAs($user)
->tool(UpdateCourseEventTool::class, [
'id' => $event->id,
'link' => 'https://einundzwanzig.space/courses/updated',
])
->assertOk()
->assertSee('https://einundzwanzig.space/courses/updated');
});
it('forbids updating a course event owned by someone else', function () {
$owner = User::factory()->lecturer()->create();
$event = CourseEvent::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->lecturer()->create())
->tool(UpdateCourseEventTool::class, [
'id' => $event->id,
'link' => 'https://einundzwanzig.space/courses/hijacked',
])
->assertHasErrors();
});
it('returns only own course events in the mine list', function () {
$user = User::factory()->lecturer()->create();
$other = User::factory()->lecturer()->create();
CourseEvent::factory()->count(2)->create(['created_by' => $user->id]);
CourseEvent::factory()->create(['created_by' => $other->id]);
EinundzwanzigServer::actingAs($user)
->tool(ListMyCourseEventsTool::class)
->assertOk();
});
tests/Feature/Mcp/CourseMcpToolTest.php
+62
View File
@@ -0,0 +1,62 @@
<?php
use App\Mcp\Servers\EinundzwanzigServer;
use App\Mcp\Tools\Course\CreateCourseTool;
use App\Mcp\Tools\Course\UpdateCourseTool;
use App\Models\Course;
use App\Models\Lecturer;
use App\Models\User;
it('lets a lecturer create a course and stamps created_by', function () {
$user = User::factory()->lecturer()->create();
$lecturer = Lecturer::factory()->create();
$response = EinundzwanzigServer::actingAs($user)->tool(CreateCourseTool::class, [
'name' => 'Bitcoin Grundlagen',
'lecturer_id' => $lecturer->id,
]);
$response->assertOk()->assertSee('Bitcoin Grundlagen');
$this->assertDatabaseHas('courses', [
'name' => 'Bitcoin Grundlagen',
'created_by' => $user->id,
]);
});
it('forbids a non-lecturer from creating a course', function () {
$user = User::factory()->create(['is_lecturer' => false]);
$lecturer = Lecturer::factory()->create();
EinundzwanzigServer::actingAs($user)
->tool(CreateCourseTool::class, [
'name' => 'Verbotener Kurs',
'lecturer_id' => $lecturer->id,
])
->assertHasErrors();
});
it('fails validation for missing fields', function () {
EinundzwanzigServer::actingAs(User::factory()->lecturer()->create())
->tool(CreateCourseTool::class, [])
->assertHasErrors();
});
it('lets the owner update a course', function () {
$user = User::factory()->lecturer()->create();
$course = Course::factory()->create(['created_by' => $user->id]);
EinundzwanzigServer::actingAs($user)
->tool(UpdateCourseTool::class, ['id' => $course->id, 'name' => 'Aktualisierter Kurs'])
->assertOk()
->assertSee('Aktualisierter Kurs');
});
it('forbids updating someone elses course', function () {
$owner = User::factory()->lecturer()->create();
$course = Course::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->lecturer()->create())
->tool(UpdateCourseTool::class, ['id' => $course->id, 'name' => 'Hijack'])
->assertHasErrors();
});
tests/Feature/Mcp/EinundzwanzigServerTest.php
+24
View File
@@ -0,0 +1,24 @@
<?php
use App\Mcp\Servers\EinundzwanzigServer;
use App\Mcp\Tools\CourseEvent\UpdateCourseEventTool;
use App\Mcp\Tools\Meetup\CreateMeetupTool;
use App\Mcp\Tools\Search\SearchCitiesTool;
it('rejects unauthenticated requests to the mcp endpoint', function () {
$this->postJson('/mcp', [
'jsonrpc' => '2.0',
'id' => 1,
'method' => 'tools/list',
])->assertUnauthorized();
});
it('registers every domain tool on the server', function () {
$property = (new ReflectionClass(EinundzwanzigServer::class))->getProperty('tools');
$tools = $property->getDefaultValue();
expect($tools)->toHaveCount(30)
->and($tools)->toContain(CreateMeetupTool::class)
->and($tools)->toContain(UpdateCourseEventTool::class)
->and($tools)->toContain(SearchCitiesTool::class);
});
tests/Feature/Mcp/LecturerMcpToolTest.php
+68
View File
@@ -0,0 +1,68 @@
<?php
use App\Mcp\Servers\EinundzwanzigServer;
use App\Mcp\Tools\Lecturer\CreateLecturerTool;
use App\Mcp\Tools\Lecturer\ListMyLecturersTool;
use App\Mcp\Tools\Lecturer\ShowMyLecturerTool;
use App\Mcp\Tools\Lecturer\UpdateLecturerTool;
use App\Models\Lecturer;
use App\Models\User;
it('lets an authenticated user create a lecturer and stamps created_by', function () {
$user = User::factory()->create();
$response = EinundzwanzigServer::actingAs($user)->tool(CreateLecturerTool::class, [
'name' => 'Saifedean Ammous',
]);
$response->assertOk()->assertSee('Saifedean Ammous');
$this->assertDatabaseHas('lecturers', [
'name' => 'Saifedean Ammous',
'created_by' => $user->id,
]);
});
it('fails validation for missing fields', function () {
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(CreateLecturerTool::class, [])
->assertHasErrors();
});
it('lets the owner update a lecturer', function () {
$user = User::factory()->create();
$lecturer = Lecturer::factory()->create(['created_by' => $user->id]);
EinundzwanzigServer::actingAs($user)
->tool(UpdateLecturerTool::class, ['id' => $lecturer->id, 'name' => 'Knut Svanholm'])
->assertOk()
->assertSee('Knut Svanholm');
});
it('forbids updating someone elses lecturer', function () {
$owner = User::factory()->create();
$lecturer = Lecturer::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(UpdateLecturerTool::class, ['id' => $lecturer->id, 'name' => 'Hijack'])
->assertHasErrors();
});
it('returns only own lecturers in the mine list', function () {
$user = User::factory()->create();
Lecturer::factory()->count(2)->create(['created_by' => $user->id]);
Lecturer::factory()->create(['created_by' => User::factory()->create()->id]);
EinundzwanzigServer::actingAs($user)
->tool(ListMyLecturersTool::class)
->assertOk();
});
it('forbids viewing someone elses lecturer in mine show', function () {
$owner = User::factory()->create();
$lecturer = Lecturer::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(ShowMyLecturerTool::class, ['id' => $lecturer->id])
->assertHasErrors();
});
tests/Feature/Mcp/MeetupEventMcpToolTest.php
+72
View File
@@ -0,0 +1,72 @@
<?php
use App\Mcp\Servers\EinundzwanzigServer;
use App\Mcp\Tools\MeetupEvent\CreateMeetupEventTool;
use App\Mcp\Tools\MeetupEvent\ListMyMeetupEventsTool;
use App\Mcp\Tools\MeetupEvent\ShowMyMeetupEventTool;
use App\Mcp\Tools\MeetupEvent\UpdateMeetupEventTool;
use App\Models\Meetup;
use App\Models\MeetupEvent;
use App\Models\User;
it('lets an authenticated user create a meetup event and stamps created_by', function () {
$user = User::factory()->create();
$meetup = Meetup::factory()->create();
$response = EinundzwanzigServer::actingAs($user)->tool(CreateMeetupEventTool::class, [
'meetup_id' => $meetup->id,
'start' => '2026-08-01 18:00:00',
'location' => 'Marktplatz',
]);
$response->assertOk()->assertSee('Marktplatz');
$this->assertDatabaseHas('meetup_events', [
'location' => 'Marktplatz',
'created_by' => $user->id,
]);
});
it('fails validation for missing fields', function () {
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(CreateMeetupEventTool::class, [])
->assertHasErrors();
});
it('lets the owner update a meetup event', function () {
$user = User::factory()->create();
$meetupEvent = MeetupEvent::factory()->create(['created_by' => $user->id]);
EinundzwanzigServer::actingAs($user)
->tool(UpdateMeetupEventTool::class, ['id' => $meetupEvent->id, 'location' => 'Rathaus'])
->assertOk()
->assertSee('Rathaus');
});
it('forbids updating someone elses meetup event', function () {
$owner = User::factory()->create();
$meetupEvent = MeetupEvent::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(UpdateMeetupEventTool::class, ['id' => $meetupEvent->id, 'location' => 'Hijack'])
->assertHasErrors();
});
it('returns only own meetup events in the mine list', function () {
$user = User::factory()->create();
MeetupEvent::factory()->count(2)->create(['created_by' => $user->id]);
MeetupEvent::factory()->create(['created_by' => User::factory()->create()->id]);
EinundzwanzigServer::actingAs($user)
->tool(ListMyMeetupEventsTool::class)
->assertOk();
});
it('forbids viewing someone elses meetup event in mine show', function () {
$owner = User::factory()->create();
$meetupEvent = MeetupEvent::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(ShowMyMeetupEventTool::class, ['id' => $meetupEvent->id])
->assertHasErrors();
});
tests/Feature/Mcp/MeetupMcpToolTest.php
+71
View File
@@ -0,0 +1,71 @@
<?php
use App\Mcp\Servers\EinundzwanzigServer;
use App\Mcp\Tools\Meetup\CreateMeetupTool;
use App\Mcp\Tools\Meetup\ListMyMeetupsTool;
use App\Mcp\Tools\Meetup\ShowMyMeetupTool;
use App\Mcp\Tools\Meetup\UpdateMeetupTool;
use App\Models\City;
use App\Models\Meetup;
use App\Models\User;
it('lets an authenticated user create a meetup and stamps created_by', function () {
$user = User::factory()->create();
$city = City::factory()->create();
$response = EinundzwanzigServer::actingAs($user)->tool(CreateMeetupTool::class, [
'name' => 'Einundzwanzig Ansbach',
'city_id' => $city->id,
]);
$response->assertOk()->assertSee('Einundzwanzig Ansbach');
$this->assertDatabaseHas('meetups', [
'name' => 'Einundzwanzig Ansbach',
'created_by' => $user->id,
]);
});
it('fails validation for missing fields', function () {
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(CreateMeetupTool::class, [])
->assertHasErrors();
});
it('lets the owner update a meetup', function () {
$user = User::factory()->create();
$meetup = Meetup::factory()->create(['created_by' => $user->id]);
EinundzwanzigServer::actingAs($user)
->tool(UpdateMeetupTool::class, ['id' => $meetup->id, 'name' => 'Plan B Lugano'])
->assertOk()
->assertSee('Plan B Lugano');
});
it('forbids updating someone elses meetup', function () {
$owner = User::factory()->create();
$meetup = Meetup::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(UpdateMeetupTool::class, ['id' => $meetup->id, 'name' => 'Hijack'])
->assertHasErrors();
});
it('returns only own meetups in the mine list', function () {
$user = User::factory()->create();
Meetup::factory()->count(2)->create(['created_by' => $user->id]);
Meetup::factory()->create(['created_by' => User::factory()->create()->id]);
EinundzwanzigServer::actingAs($user)
->tool(ListMyMeetupsTool::class)
->assertOk();
});
it('forbids viewing someone elses meetup in mine show', function () {
$owner = User::factory()->create();
$meetup = Meetup::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(ShowMyMeetupTool::class, ['id' => $meetup->id])
->assertHasErrors();
});
tests/Feature/Mcp/OAuthMcpTest.php
+99
View File
@@ -0,0 +1,99 @@
<?php
use App\Models\User;
use Laravel\Passport\Passport;
it('configures the passport-backed api guard', function () {
expect(config('auth.guards.api.driver'))->toBe('passport');
});
it('exposes protected-resource discovery metadata', function () {
$this->getJson('/.well-known/oauth-protected-resource')
->assertOk()
->assertJsonStructure(['resource', 'authorization_servers', 'scopes_supported'])
->assertJsonPath('scopes_supported', ['mcp:use']);
});
it('exposes authorization-server discovery metadata pointing at passport', function () {
$this->getJson('/.well-known/oauth-authorization-server')
->assertOk()
->assertJsonPath('authorization_endpoint', route('passport.authorizations.authorize'))
->assertJsonPath('token_endpoint', route('passport.token'))
->assertJsonPath('scopes_supported', ['mcp:use'])
->assertJsonPath('code_challenge_methods_supported', ['S256'])
->assertJsonPath('grant_types_supported', ['authorization_code', 'refresh_token']);
});
it('returns 401 with an OAuth discovery WWW-Authenticate header for guests', function () {
$response = $this->postJson('/mcp', [
'jsonrpc' => '2.0',
'id' => 1,
'method' => 'tools/list',
]);
$response->assertUnauthorized();
expect($response->headers->get('WWW-Authenticate'))
->toContain('resource_metadata=')
->toContain('oauth-protected-resource');
});
it('lets a permitted client register dynamically', function () {
$this->postJson('/oauth/register', [
'client_name' => 'Claude',
'redirect_uris' => ['https://claude.ai/api/mcp/auth_callback'],
])
->assertOk()
->assertJsonStructure(['client_id', 'redirect_uris', 'scope'])
->assertJsonPath('scope', 'mcp:use');
});
it('rejects dynamic registration from a disallowed redirect domain', function () {
$this->postJson('/oauth/register', [
'client_name' => 'Evil',
'redirect_uris' => ['https://evil.example/callback'],
])
->assertStatus(400)
->assertJsonPath('error', 'invalid_redirect_uri');
});
it('authenticates the mcp endpoint via a passport oauth token', function () {
Passport::actingAs(User::factory()->create(), ['mcp:use']);
$response = $this->postJson('/mcp', [
'jsonrpc' => '2.0',
'id' => 1,
'method' => 'ping',
]);
$response->assertSuccessful();
expect($response->headers->get('WWW-Authenticate'))->toBeNull();
});
it('still authenticates the mcp endpoint via a static sanctum token', function () {
$token = User::factory()->create()->createToken('claude-code')->plainTextToken;
$response = $this->withToken($token)->postJson('/mcp', [
'jsonrpc' => '2.0',
'id' => 1,
'method' => 'ping',
]);
$response->assertSuccessful();
});
it('rejects a passport token that lacks the mcp:use scope', function () {
Passport::actingAs(User::factory()->create(), []);
$this->postJson('/mcp', [
'jsonrpc' => '2.0',
'id' => 1,
'method' => 'ping',
])->assertForbidden();
});
it('rejects an authorize request that uses plain PKCE instead of S256', function () {
$this->actingAs(User::factory()->create());
$this->get('/oauth/authorize?response_type=code&client_id=1&redirect_uri=https%3A%2F%2Fclaude.ai%2Fcb&code_challenge=abc123&code_challenge_method=plain')
->assertStatus(400);
});
tests/Feature/Mcp/SearchMcpToolTest.php
+73
View File
@@ -0,0 +1,73 @@
<?php
use App\Mcp\Servers\EinundzwanzigServer;
use App\Mcp\Tools\Search\ListCountriesTool;
use App\Mcp\Tools\Search\SearchCitiesTool;
use App\Mcp\Tools\Search\SearchCoursesTool;
use App\Mcp\Tools\Search\SearchLecturersTool;
use App\Mcp\Tools\Search\SearchVenuesTool;
use App\Models\City;
use App\Models\Country;
use App\Models\Course;
use App\Models\Lecturer;
use App\Models\User;
use App\Models\Venue;
/**
* NOTE: The search closures use Postgres `ilike`, which the SQLite test database
* does not support. We therefore call the tools without a `search` argument and
* rely on the limit(10) branch to return the single seeded record.
*/
it('returns cities', function () {
City::factory()->create(['name' => 'Ansbach']);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(SearchCitiesTool::class, [])
->assertOk()
->assertSee('Ansbach');
});
it('returns venues', function () {
Venue::factory()->create(['name' => 'Plan B Lugano']);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(SearchVenuesTool::class, [])
->assertOk()
->assertSee('Plan B Lugano');
});
it('returns lecturers', function () {
Lecturer::factory()->create(['name' => 'Saifedean Ammous']);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(SearchLecturersTool::class, [])
->assertOk()
->assertSee('Saifedean Ammous');
});
it('returns courses', function () {
Course::factory()->create(['name' => 'Bitcoin Masterclass']);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(SearchCoursesTool::class, [])
->assertOk()
->assertSee('Bitcoin Masterclass');
});
it('filters courses by user_id', function () {
$user = User::factory()->create();
Course::factory()->create(['name' => 'Owned Course', 'created_by' => $user->id]);
EinundzwanzigServer::actingAs($user)
->tool(SearchCoursesTool::class, ['user_id' => $user->id])
->assertOk()
->assertSee('Owned Course');
});
it('lists countries', function () {
Country::factory()->create(['name' => 'Deutschland', 'code' => 'DE']);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(ListCountriesTool::class, [])
->assertOk();
});
tests/Feature/Mcp/VenueMcpToolTest.php
+72
View File
@@ -0,0 +1,72 @@
<?php
use App\Mcp\Servers\EinundzwanzigServer;
use App\Mcp\Tools\Venue\CreateVenueTool;
use App\Mcp\Tools\Venue\ListMyVenuesTool;
use App\Mcp\Tools\Venue\ShowMyVenueTool;
use App\Mcp\Tools\Venue\UpdateVenueTool;
use App\Models\City;
use App\Models\User;
use App\Models\Venue;
it('lets an authenticated user create a venue and stamps created_by', function () {
$user = User::factory()->create();
$city = City::factory()->create();
$response = EinundzwanzigServer::actingAs($user)->tool(CreateVenueTool::class, [
'name' => 'Bitcoin Hub',
'city_id' => $city->id,
'street' => 'Satoshi Street 21',
]);
$response->assertOk()->assertSee('Bitcoin Hub');
$this->assertDatabaseHas('venues', [
'name' => 'Bitcoin Hub',
'created_by' => $user->id,
]);
});
it('fails validation for missing fields', function () {
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(CreateVenueTool::class, [])
->assertHasErrors();
});
it('lets the owner update a venue', function () {
$user = User::factory()->create();
$venue = Venue::factory()->create(['created_by' => $user->id]);
EinundzwanzigServer::actingAs($user)
->tool(UpdateVenueTool::class, ['id' => $venue->id, 'name' => 'Orange Hub'])
->assertOk()
->assertSee('Orange Hub');
});
it('forbids updating someone elses venue', function () {
$owner = User::factory()->create();
$venue = Venue::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(UpdateVenueTool::class, ['id' => $venue->id, 'name' => 'Hijack'])
->assertHasErrors();
});
it('returns only own venues in the mine list', function () {
$user = User::factory()->create();
Venue::factory()->count(2)->create(['created_by' => $user->id]);
Venue::factory()->create(['created_by' => User::factory()->create()->id]);
EinundzwanzigServer::actingAs($user)
->tool(ListMyVenuesTool::class)
->assertOk();
});
it('forbids viewing someone elses venue in mine show', function () {
$owner = User::factory()->create();
$venue = Venue::factory()->create(['created_by' => $owner->id]);
EinundzwanzigServer::actingAs(User::factory()->create())
->tool(ShowMyVenueTool::class, ['id' => $venue->id])
->assertHasErrors();
});