Level 1
Does your Client model use Soft Deletes? If so, then it could be because of that - because the database record still exists, but the deleted_at column will now be set, rather than null.
Dec 31, 2024
9
Level 7
PHPUnit test fails when it should pass
Hi all. I am running this test, where in fact I am testing my polices, that a user cannot do what he is not supposed to:
<?php
declare(strict_types=1);
namespace Tests\Feature\Client;
use App\Models\Client;
use App\Models\User;
use PHPUnit\Framework\Attributes\Test;
use Tests\TestCase;
class OthersRecordsTest extends TestCase
{
#[Test]
public function list_have_only_own_records()
{
$response = $this->get(route('clients.list'));
$response->assertDontSee($this->foreignClient->name);
$response->assertSee($this->ownClient->name);
}
#[Test]
public function cannot_view_foreign_record()
{
$response = $this->get(route('client.show', ['id' => $this->foreignClient->id]));
$response->assertStatus(403);
}
#[Test]
public function cannot_view_edit_form_for_foreign_record()
{
$response = $this->get(route('client.edit', ['id' => $this->foreignClient->id]));
$response->assertStatus(403);
}
#[Test]
public function cannot_edit_foreign_record()
{
$this->foreignClient->save(['name' => 'Some test Name']);
$this->assertDatabaseMissing('clients', ['name' => 'Some test Name']);
}
#[Test]
public function cannot_delete_foreign_record()
{
$this->foreignClient->delete();
$this->assertDatabaseHas('clients', ['name' => $this->foreignClient->name]);
}
#[Test]
protected function setUp(): void
{
parent::setUp();
$user = User::factory()->create();
$user->assignRole('ProjectOwner');
$this->actingAs($user);
$this->ownClient = Client::factory()->create(['user_id' => $user->id]);
$users = User::all()->where('id', '!=', $user->id);
$this->foreignClient = Client::factory()->create([
'user_id' => $users->random(1)->first()->id,
]);
}
}
For some reason, the test cannot_delete_foreign_record fails i.e. the client is deleted, when it should not, because in my Client model policy I have this:
/**
* Determine whether the user can delete the client.
*/
public function delete(User $user, Client $client): bool
{
return $user->can('delete_client') || $client->user_id === $user->id;
}
The test result:
FAILED Tests\Feature\Client\OthersRecordsTest > cannot delete foreign record
Failed asserting that a row in the table [clients] matches the attributes {
"name": "Runolfsson-Durgan"
}.
Found: [
{
"name": "Aufderhar, Schiller and Marvin"
},
{
"name": "Barrows, Glover and Murray"
},
{
"name": "Bergnaum, Dibbert and Ferry"
}
] and 23 others.
at tests\Feature\Client\OthersRecordsTest.php:52
48▕ public function cannot_delete_foreign_record()
49▕ {
50▕ $this->foreignClient->delete();
51▕
➜ 52▕ $this->assertDatabaseHas('clients', ['name' => $this->foreignClient->name]);
53▕ }
54▕
55▕ #[Test]
56▕ protected function setUp(): void
Tests: 1 failed, 4 passed (6 assertions)
Duration: 7.59s
The assigned role 'ProjectOwner' doesn't have permission to delete_client.
What am I doing wrong on my test? Because all the other tests pass.
Level 7
@mhdev No, no soft-deletes. But even with soft deletes, it will remain in the database.
In the test, the record MUST remain in the database, while actually it got deleted, which is wrong.
According to the policy, a user should not be able to delete a client that belongs to another user.
Level 74
Does it pass if you run only that test?
Level 7
@Tray2 No, fails again. Even did dd() of $this->foreignClient and `$user->id`` just to be sure they are different.
In fact, I am currently running only this class and tried even only this method: fails every time.
Also tried to create a completely new client inside the method: failed again.
It makes no sense to me: cannot_edit_foreign_record and cannot_delete_foreign_record are basically same, but the edit pass and the delete fails.
Level 74
@Merklin Hmm, I guess the project owner has the right to delete whatever in that project, so maybe that is the issue?
Level 7
Level 50
Umm.. you are directly calling $this->foreignClient->delete(); so it of course deletes from the database. You know like Client::find(1)->delete()?
Shouldn't you be testing the route? like:
// $this->actingAs($this->user);
$response = $this->delete('/clients/1');
$response->assertStatus(403);
Or, you can also simply test policies:
$clientPolicy = new ClientPolicy();
$result = $clientPolicy->delete($user, $client);
$this->assertFalse($result); // i.e. cannot delete
Level 7
@Niush There is no delete route, it's a filament table. But even in this case, the policy should work.
Level 50
@Merklin The policy won't get triggered when calling Model's delete function. It is triggered from middleware, Gate, etc.
I have edited above, but you could instead test the policy itself. Like this:
$clientPolicy = new ClientPolicy();
$result = $clientPolicy->delete($user, $client);
$this->assertFalse($result); // i.e. cannot delete
Please or to participate in this conversation.