gitmedia/presseportale
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
presseportale/tests/Feature/LegalRequestTest.php
Kevin Adametz 95007da826 WS-3: Recht & Compliance – Rechts-Kern (DSGVO/Persönlichkeitsrecht/Melden + Queue) 
Launch-pflichtiger Compliance-Slice: öffentliche Anfrage zu einer PM speist eine
manuelle Admin-Queue (keine KI).

- Migration legal_requests + Model + Enums (Type: dsgvo/personal_rights/report,
  Status: open/in_progress/resolved/rejected) + Factory.
- Öffentliches Formular /release/{slug}/rechtliches (LegalRequestController +
  web/legal-request.blade.php): typ-abhängiger Hinweistext (Alpine), E-Mail bei
  DSGVO/Persönlichkeitsrecht erforderlich, zwei versteckte Honeypot-Felder,
  Rate-Limit + Bremse "1 offene Anfrage pro PM/Typ". Regeltexte als Entwurf mit
  TODO für rechtliche Finalisierung markiert.
- Routen bewusst in eigener routes/legal.php (entkoppelt vom laufenden Web-Umbau),
  host-agnostisch via domains.php eingebunden.
- Admin-Bereich "Recht & Compliance": Sidebar-Nav mit Offen-Zähler, Volt-Queue
  index/show (in Bearbeitung/erledigt/abgelehnt/wieder öffnen + interne Notiz).
- Tests: je Typ, Honeypots (Dataset), Bremse, Admin-Queue + Status-Übergänge.
- Doku: Detailplan WS-3-Status + Deployment-Migrationsreihenfolge ergänzt.

Hinweis: Der "Melden"-/E&F-Button auf der PM-Detailseite (release-detail.blade.php)
wird mit dem separaten Web-Frontend-Commit verdrahtet; Ziel ist legal-request.create.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-16 14:20:05 +00:00

194 lines
7 KiB
PHP
Raw Blame History

<?php
use App\Enums\LegalRequestStatus;
use App\Enums\LegalRequestType;
use App\Enums\Portal;
use App\Models\LegalRequest;
use App\Models\PressRelease;
use App\Models\User;
use Database\Seeders\RolesAndPermissionsSeeder;
use Livewire\Volt\Volt;
use Tests\TestCase;
beforeEach(function () {
$this->seed(RolesAndPermissionsSeeder::class);
});
/**
* Default-Testhost ist „localhost" → der Controller löst auf Businessportal24
* auf. Daher die PM bewusst für dieses Portal veröffentlichen.
*/
function publishedRelease(): PressRelease
{
return PressRelease::factory()
->published()
->forPortal(Portal::Businessportal24)
->create();
}
test('the legal request form renders with per-type hints and hidden honeypots', function () {
/** @var TestCase $this */
$release = publishedRelease();
$this->get(route('legal-request.create', ['slug' => $release->slug, 'type' => 'report']))
->assertOk()
->assertSee($release->title)
// Hinweistexte je Typ sind serverseitig vorhanden (Umschaltung via Alpine).
->assertSee('Art. 17 DSGVO')
->assertSee('Persönlichkeitsrecht')
// Versteckte Honeypot-Felder im DOM.
->assertSee('name="website"', false)
->assertSee('name="homepage"', false);
});
test('the form 404s for a non-published release', function () {
/** @var TestCase $this */
$draft = PressRelease::factory()->forPortal(Portal::Businessportal24)->create();
$this->get(route('legal-request.create', ['slug' => $draft->slug]))
->assertNotFound();
});
test('a dsgvo request is stored in the queue', function () {
/** @var TestCase $this */
$release = publishedRelease();
$this->post(route('legal-request.store', ['slug' => $release->slug]), [
'type' => LegalRequestType::Dsgvo->value,
'requester_email' => 'betroffen@example.test',
'message' => 'Bitte meine personenbezogenen Daten anonymisieren.',
])->assertRedirect(route('release.detail', ['slug' => $release->slug]));
$request = LegalRequest::query()->firstOrFail();
expect($request->type)->toBe(LegalRequestType::Dsgvo);
expect($request->status)->toBe(LegalRequestStatus::Open);
expect($request->press_release_id)->toBe($release->id);
expect($request->requester_email)->toBe('betroffen@example.test');
expect($request->portal)->toBe(Portal::Businessportal24->value);
});
test('a personal rights request requires an email', function () {
/** @var TestCase $this */
$release = publishedRelease();
$this->post(route('legal-request.store', ['slug' => $release->slug]), [
'type' => LegalRequestType::PersonalRights->value,
'message' => 'Diese Meldung verletzt meine Persönlichkeitsrechte.',
])->assertSessionHasErrors('requester_email');
expect(LegalRequest::query()->count())->toBe(0);
});
test('a report can be submitted without an email and feeds the same queue', function () {
/** @var TestCase $this */
$release = publishedRelease();
$this->post(route('legal-request.store', ['slug' => $release->slug]), [
'type' => LegalRequestType::Report->value,
'message' => 'Diese Pressemitteilung wirkt wie Spam.',
])->assertRedirect(route('release.detail', ['slug' => $release->slug]));
$request = LegalRequest::query()->firstOrFail();
expect($request->type)->toBe(LegalRequestType::Report);
expect($request->requester_email)->toBeNull();
});
test('a filled honeypot field blocks bots without creating a request', function (string $field) {
/** @var TestCase $this */
$release = publishedRelease();
$this->post(route('legal-request.store', ['slug' => $release->slug]), [
'type' => LegalRequestType::Report->value,
'message' => 'Spam spam spam spam.',
$field => 'http://spam.example',
]);
expect(LegalRequest::query()->count())->toBe(0);
})->with(['website', 'homepage']);
test('only one open request per release and type, other types still allowed', function () {
/** @var TestCase $this */
$release = publishedRelease();
LegalRequest::factory()
->type(LegalRequestType::Dsgvo)
->create(['press_release_id' => $release->id, 'status' => LegalRequestStatus::Open]);
// Zweite offene DSGVO-Anfrage → keine Dublette.
$this->post(route('legal-request.store', ['slug' => $release->slug]), [
'type' => LegalRequestType::Dsgvo->value,
'requester_email' => 'noch@example.test',
'message' => 'Nochmal dieselbe Anfrage bitte bearbeiten.',
]);
expect(LegalRequest::query()->where('type', LegalRequestType::Dsgvo->value)->count())->toBe(1);
// Anderer Typ bleibt möglich.
$this->post(route('legal-request.store', ['slug' => $release->slug]), [
'type' => LegalRequestType::Report->value,
'message' => 'Andere Art von Anliegen zu dieser PM.',
]);
expect(LegalRequest::query()->where('type', LegalRequestType::Report->value)->count())->toBe(1);
});
test('the admin queue lists open requests', function () {
/** @var TestCase $this */
$admin = User::factory()->create(['is_active' => true]);
$admin->assignRole('admin');
// Kurzer, fixer Titel: die Queue kürzt Titel via Str::limit(…, 60).
$release = PressRelease::factory()
->published()
->forPortal(Portal::Businessportal24)
->create(['title' => 'Compliance-Test PM']);
LegalRequest::factory()
->type(LegalRequestType::PersonalRights)
->create(['press_release_id' => $release->id, 'status' => LegalRequestStatus::Open]);
Volt::actingAs($admin)
->test('admin.legal-requests.index')
->assertOk()
->assertSee('Compliance-Test PM')
->assertSee(LegalRequestType::PersonalRights->label());
});
test('an admin can resolve a request with a note', function () {
/** @var TestCase $this */
$admin = User::factory()->create(['is_active' => true]);
$admin->assignRole('admin');
$legalRequest = LegalRequest::factory()
->type(LegalRequestType::Dsgvo)
->create(['status' => LegalRequestStatus::Open]);
Volt::actingAs($admin)
->test('admin.legal-requests.show', ['id' => $legalRequest->id])
->set('adminNote', 'Daten anonymisiert.')
->call('resolve');
$legalRequest->refresh();
expect($legalRequest->status)->toBe(LegalRequestStatus::Resolved);
expect($legalRequest->resolved_by_user_id)->toBe($admin->id);
expect($legalRequest->resolved_at)->not->toBeNull();
expect($legalRequest->admin_note)->toBe('Daten anonymisiert.');
});
test('an admin can reject a request', function () {
/** @var TestCase $this */
$admin = User::factory()->create(['is_active' => true]);
$admin->assignRole('admin');
$legalRequest = LegalRequest::factory()
->type(LegalRequestType::Report)
->create(['status' => LegalRequestStatus::Open]);
Volt::actingAs($admin)
->test('admin.legal-requests.show', ['id' => $legalRequest->id])
->call('reject');
expect($legalRequest->fresh()->status)->toBe(LegalRequestStatus::Rejected);
});
Reference in a new issue View git blame Copy permalink