Merge pull request #16432 from marcusmoore/bug/sc-24475

snipe · web-flow · commit 64f49afce1e3 · 2025-03-05T20:16:30.000Z
Added validation around user store endpoint
diff --git a/app/Http/Requests/SaveUserRequest.php b/app/Http/Requests/SaveUserRequest.php
@@ -33,9 +33,9 @@ public function response(array $errors)
     public function rules()
     {
         $rules = [
-            'department_id' => 'nullable|exists:departments,id',
+            'department_id' => 'nullable|integer|exists:departments,id',
             'manager_id' => 'nullable|exists:users,id',
-            'company_id' => ['nullable','exists:companies,id']
+            'company_id' => ['nullable', 'integer', 'exists:companies,id']
         ];
 
         switch ($this->method()) {
diff --git a/tests/Feature/Users/Api/StoreUsersTest.php b/tests/Feature/Users/Api/StoreUsersTest.php
@@ -0,0 +1,78 @@
+<?php
+
+namespace Tests\Feature\Users\Api;
+
+use App\Models\Company;
+use App\Models\Department;
+use App\Models\User;
+use Illuminate\Testing\Fluent\AssertableJson;
+use Tests\TestCase;
+
+class StoreUsersTest extends TestCase
+{
+    public function testRequiresPermission()
+    {
+        $this->actingAsForApi(User::factory()->create())
+            ->postJson(route('api.users.store'), [
+                'first_name' => 'Joe',
+                'username' => 'joe',
+                'password' => 'joe_password',
+                'password_confirmation' => 'joe_password',
+            ])
+            ->assertForbidden();
+    }
+
+    public function testCompanyIdNeedsToBeInteger()
+    {
+        $company = Company::factory()->create();
+
+        $this->actingAsForApi(User::factory()->createUsers()->create())
+            ->postJson(route('api.users.store'), [
+                'company_id' => [$company->id],
+                'first_name' => 'Joe',
+                'username' => 'joe',
+                'password' => 'joe_password',
+                'password_confirmation' => 'joe_password',
+            ])
+            ->assertStatusMessageIs('error')
+            ->assertJson(function (AssertableJson $json) {
+                $json->has('messages.company_id')->etc();
+            });
+    }
+
+    public function testDepartmentIdNeedsToBeInteger()
+    {
+        $department = Department::factory()->create();
+
+        $this->actingAsForApi(User::factory()->createUsers()->create())
+            ->postJson(route('api.users.store'), [
+                'department_id' => [$department->id],
+                'first_name' => 'Joe',
+                'username' => 'joe',
+                'password' => 'joe_password',
+                'password_confirmation' => 'joe_password',
+            ])
+            ->assertStatusMessageIs('error')
+            ->assertJson(function (AssertableJson $json) {
+                $json->has('messages.department_id')->etc();
+            });
+    }
+
+    public function testCanStoreUser()
+    {
+        $this->actingAsForApi(User::factory()->createUsers()->create())
+            ->postJson(route('api.users.store'), [
+                'first_name' => 'Darth',
+                'username' => 'darthvader',
+                'password' => 'darth_password',
+                'password_confirmation' => 'darth_password',
+            ])
+            ->assertStatusMessageIs('success')
+            ->assertOk();
+
+        $this->assertDatabaseHas('users', [
+            'first_name' => 'Darth',
+            'username' => 'darthvader',
+        ]);
+    }
+}
