12-05-2026 Frontend dev

tests/Feature/Api/V1/CustomerDataApiTest.php

@@ -0,0 +1,72 @@
+<?php
+
+use App\Models\Category;
+use App\Models\Company;
+use App\Models\NewsletterSubscription;
+use App\Models\User;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+test('legacy api key requests receive gone response', function () {
+    /** @var TestCase $this */
+    $this->getJson('/api/v1/categories?api_key=legacy-key')
+        ->assertStatus(410)
+        ->assertJsonPath('message', 'Legacy API keys are no longer supported.');
+});
+
+test('api user can read only own companies', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->create();
+    $ownCompany = Company::factory()->presseecho()->create(['name' => 'Eigene Firma']);
+    $otherCompany = Company::factory()->businessportal24()->create(['name' => 'Fremde Firma']);
+    $user->companies()->attach($ownCompany->id, ['role' => 'owner']);
+
+    Sanctum::actingAs($user, ['companies:read']);
+
+    $this->getJson('/api/v1/companies')
+        ->assertOk()
+        ->assertSee('Eigene Firma')
+        ->assertDontSee('Fremde Firma');
+
+    $this->getJson("/api/v1/companies/{$otherCompany->id}")
+        ->assertForbidden();
+});
+
+test('api user can list categories with press release read ability', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->create();
+    Category::factory()->withTranslations()->create();
+
+    Sanctum::actingAs($user, ['press-releases:read']);
+
+    $this->getJson('/api/v1/categories')
+        ->assertOk()
+        ->assertJsonCount(1, 'data')
+        ->assertJsonStructure([
+            'data' => [
+                '*' => ['id', 'portal', 'translations'],
+            ],
+        ]);
+});
+
+test('api user can subscribe an email to newsletter', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->create();
+
+    Sanctum::actingAs($user, ['newsletter:subscribe']);
+
+    $this->postJson('/api/v1/newsletter/subscribe', [
+        'portal' => 'presseecho',
+        'email' => 'newsletter@example.com',
+        'first_name' => 'Max',
+        'last_name' => 'Muster',
+    ])
+        ->assertCreated()
+        ->assertJsonPath('data.email', 'newsletter@example.com')
+        ->assertJsonPath('data.is_confirmed', false);
+
+    expect(NewsletterSubscription::withoutGlobalScopes()
+        ->where('email', 'newsletter@example.com')
+        ->where('portal', 'presseecho')
+        ->exists())->toBeTrue();
+});

tests/Feature/Api/V1/PressReleaseApiTest.php

@@ -0,0 +1,81 @@
+<?php
+
+use App\Models\Category;
+use App\Models\Company;
+use App\Models\PressRelease;
+use App\Models\User;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+test('api user can create list update and delete own press releases', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->create();
+    $company = Company::factory()->presseecho()->create();
+    $category = Category::factory()->withTranslations()->create();
+    $user->companies()->attach($company->id, ['role' => 'owner']);
+
+    Sanctum::actingAs($user, ['press-releases:read', 'press-releases:write']);
+
+    $createResponse = $this->postJson('/api/v1/press-releases', [
+        'company_id' => $company->id,
+        'category_id' => $category->id,
+        'language' => 'de',
+        'title' => 'Neue API Pressemitteilung',
+        'text' => 'Inhalt der Pressemitteilung',
+        'status' => 'draft',
+    ]);
+
+    $createResponse
+        ->assertCreated()
+        ->assertJsonPath('data.title', 'Neue API Pressemitteilung')
+        ->assertJsonPath('data.portal', 'presseecho');
+
+    $pressReleaseId = PressRelease::withoutGlobalScopes()
+        ->where('title', 'Neue API Pressemitteilung')
+        ->value('id');
+
+    $this->getJson('/api/v1/press-releases')
+        ->assertOk()
+        ->assertJsonPath('data.0.id', $pressReleaseId);
+
+    $this->patchJson("/api/v1/press-releases/{$pressReleaseId}", [
+        'title' => 'Aktualisierte API Pressemitteilung',
+    ])
+        ->assertOk()
+        ->assertJsonPath('data.title', 'Aktualisierte API Pressemitteilung');
+
+    $this->deleteJson("/api/v1/press-releases/{$pressReleaseId}")
+        ->assertNoContent();
+
+    expect(PressRelease::withoutGlobalScopes()->withTrashed()->find($pressReleaseId)?->trashed())->toBeTrue();
+});
+
+test('api write ability is required to create press releases', function () {
+    /** @var TestCase $this */
+    $user = User::factory()->create();
+    $company = Company::factory()->presseecho()->create();
+    $category = Category::factory()->withTranslations()->create();
+    $user->companies()->attach($company->id, ['role' => 'owner']);
+
+    Sanctum::actingAs($user, ['press-releases:read']);
+
+    $this->postJson('/api/v1/press-releases', [
+        'company_id' => $company->id,
+        'category_id' => $category->id,
+        'language' => 'de',
+        'title' => 'Nicht erlaubt',
+        'text' => 'Inhalt',
+    ])->assertForbidden();
+});
+
+test('api user cannot access another users press release', function () {
+    /** @var TestCase $this */
+    $owner = User::factory()->create();
+    $otherUser = User::factory()->create();
+    $pressRelease = PressRelease::factory()->create(['user_id' => $owner->id]);
+
+    Sanctum::actingAs($otherUser, ['press-releases:read']);
+
+    $this->getJson("/api/v1/press-releases/{$pressRelease->id}")
+        ->assertForbidden();
+});

tests/Feature/Api/V1/PressReleaseImageApiTest.php

@@ -0,0 +1,119 @@
+<?php
+
+use App\Enums\PressReleaseStatus;
+use App\Models\PressRelease;
+use App\Models\PressReleaseImage;
+use App\Models\User;
+use Illuminate\Http\UploadedFile;
+use Illuminate\Support\Facades\Storage;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+test('api user can upload list and delete own press release images', function () {
+    /** @var TestCase $this */
+    Storage::fake('public');
+
+    $user = User::factory()->create();
+    $pressRelease = PressRelease::factory()->create([
+        'user_id' => $user->id,
+        'status' => PressReleaseStatus::Draft->value,
+    ]);
+
+    Sanctum::actingAs($user, ['press-releases:read', 'press-release-images:write']);
+
+    $uploadResponse = $this->postJson("/api/v1/press-releases/{$pressRelease->id}/images", [
+        'image' => UploadedFile::fake()->image('press-release.jpg', 1200, 800)->size(5120),
+        'title' => 'Pressefoto',
+        'is_preview' => true,
+    ]);
+
+    $uploadResponse
+        ->assertCreated()
+        ->assertJsonPath('data.title', 'Pressefoto')
+        ->assertJsonPath('data.is_preview', true)
+        ->assertJsonPath('data.width', 1200)
+        ->assertJsonPath('data.height', 800)
+        ->assertJsonStructure(['data' => ['variants', 'urls']]);
+
+    $image = PressReleaseImage::query()->firstOrFail();
+    expect(Storage::disk('public')->exists($image->path))->toBeTrue();
+    expect($image->variants)->toBeArray();
+    expect($image->variants)->toHaveKeys(['thumb', 'medium', 'large']);
+
+    foreach ($image->variants as $variantPath) {
+        expect(Storage::disk('public')->exists($variantPath))->toBeTrue();
+    }
+
+    $this->getJson("/api/v1/press-releases/{$pressRelease->id}/images")
+        ->assertOk()
+        ->assertJsonPath('data.0.id', $image->id)
+        ->assertJsonPath('data.0.url', asset('storage/'.ltrim($image->path, '/')));
+
+    $this->getJson("/api/v1/press-releases/{$pressRelease->id}")
+        ->assertOk()
+        ->assertJsonPath('data.images.0.id', $image->id);
+
+    $variantPaths = $image->variants ?? [];
+
+    $this->deleteJson("/api/v1/press-release-images/{$image->id}")
+        ->assertNoContent();
+
+    expect(Storage::disk('public')->exists($image->path))->toBeFalse();
+    foreach ($variantPaths as $variantPath) {
+        expect(Storage::disk('public')->exists($variantPath))->toBeFalse();
+    }
+    expect(PressReleaseImage::withTrashed()->find($image->id)?->trashed())->toBeTrue();
+});
+
+test('image upload is limited to eight megabytes', function () {
+    /** @var TestCase $this */
+    Storage::fake('public');
+
+    $user = User::factory()->create();
+    $pressRelease = PressRelease::factory()->create([
+        'user_id' => $user->id,
+        'status' => PressReleaseStatus::Draft->value,
+    ]);
+
+    Sanctum::actingAs($user, ['press-release-images:write']);
+
+    $this->postJson("/api/v1/press-releases/{$pressRelease->id}/images", [
+        'image' => UploadedFile::fake()->image('too-large.jpg')->size(8193),
+    ])->assertUnprocessable()
+        ->assertInvalid(['image']);
+});
+
+test('api user cannot manage another users press release images', function () {
+    /** @var TestCase $this */
+    Storage::fake('public');
+
+    $owner = User::factory()->create();
+    $otherUser = User::factory()->create();
+    $pressRelease = PressRelease::factory()->create([
+        'user_id' => $owner->id,
+        'status' => PressReleaseStatus::Draft->value,
+    ]);
+
+    Sanctum::actingAs($otherUser, ['press-releases:read', 'press-release-images:write']);
+
+    $this->postJson("/api/v1/press-releases/{$pressRelease->id}/images", [
+        'image' => UploadedFile::fake()->image('foreign.jpg'),
+    ])->assertForbidden();
+});
+
+test('published press release images cannot be changed via api', function () {
+    /** @var TestCase $this */
+    Storage::fake('public');
+
+    $user = User::factory()->create();
+    $pressRelease = PressRelease::factory()->published()->create([
+        'user_id' => $user->id,
+    ]);
+
+    Sanctum::actingAs($user, ['press-release-images:write']);
+
+    $this->postJson("/api/v1/press-releases/{$pressRelease->id}/images", [
+        'image' => UploadedFile::fake()->image('published.jpg'),
+    ])->assertConflict()
+        ->assertJsonPath('message', 'Only draft or rejected press releases may be edited.');
+});