4a7b232f68
- Added GitHub spec-kit for development workflow - Standardized file signatures to Descomplicar® format - Updated development configuration 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
409 lines
18 KiB
PHP
409 lines
18 KiB
PHP
/**
|
|
* Descomplicar® Crescimento Digital
|
|
* https://descomplicar.pt
|
|
*/
|
|
|
|
<?php
|
|
/**
|
|
* Integration tests for Role-Based Access Control (User Story 5).
|
|
*
|
|
* These tests validate complete user stories and MUST FAIL initially (TDD RED phase).
|
|
*
|
|
* @package KiviCare_API\Tests\Integration
|
|
*/
|
|
|
|
/**
|
|
* Role-based permissions integration tests.
|
|
*
|
|
* User Story: Role-based access control across all API endpoints
|
|
*/
|
|
class Test_Role_Permissions extends KiviCare_API_Test_Case {
|
|
|
|
/**
|
|
* Test complete role-based access control workflow.
|
|
*
|
|
* @test
|
|
*/
|
|
public function test_role_based_access_control_workflow() {
|
|
// This test will fail initially as role-based permissions aren't implemented
|
|
$this->markTestIncomplete( 'Role-based access control not implemented yet - TDD RED phase' );
|
|
|
|
// ARRANGE: Setup complete scenario with all roles
|
|
$clinic_id = $this->create_test_clinic();
|
|
|
|
global $wpdb;
|
|
|
|
// Map users to clinic
|
|
$wpdb->insert( $wpdb->prefix . 'kc_doctor_clinic_mappings', array( 'doctor_id' => $this->doctor_user, 'clinic_id' => $clinic_id ) );
|
|
$wpdb->insert( $wpdb->prefix . 'kc_patient_clinic_mappings', array( 'patient_id' => $this->patient_user, 'clinic_id' => $clinic_id ) );
|
|
|
|
// Create test data
|
|
$appointment_id = $this->create_test_appointment( $clinic_id, $this->doctor_user, $this->patient_user );
|
|
|
|
$encounter_response = $this->make_request( '/wp-json/kivicare/v1/encounters', 'POST', array(
|
|
'appointment_id' => $appointment_id,
|
|
'description' => 'Test encounter for permission testing',
|
|
), $this->doctor_user );
|
|
$encounter_id = $encounter_response->get_data()['id'];
|
|
|
|
// Define permission matrix for all roles and endpoints
|
|
$permission_matrix = array(
|
|
// ADMINISTRATOR - Full access to everything
|
|
'administrator' => array(
|
|
'user_id' => $this->admin_user,
|
|
'permissions' => array(
|
|
// Clinics
|
|
array( 'GET', '/wp-json/kivicare/v1/clinics', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/clinics', 201 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/clinics/{$clinic_id}", 200 ),
|
|
array( 'DELETE', "/wp-json/kivicare/v1/clinics/{$clinic_id}", 200 ),
|
|
|
|
// Patients
|
|
array( 'GET', '/wp-json/kivicare/v1/patients', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/patients', 201 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/patients/{$this->patient_user}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/patients/{$this->patient_user}", 200 ),
|
|
|
|
// Appointments
|
|
array( 'GET', '/wp-json/kivicare/v1/appointments', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/appointments', 201 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ),
|
|
array( 'DELETE', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ),
|
|
|
|
// Encounters
|
|
array( 'GET', '/wp-json/kivicare/v1/encounters', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/encounters', 201 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/encounters/{$encounter_id}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/encounters/{$encounter_id}", 200 ),
|
|
|
|
// Bills
|
|
array( 'GET', '/wp-json/kivicare/v1/bills', 200 ),
|
|
array( 'POST', "/wp-json/kivicare/v1/bills/1/payment", 200 ),
|
|
),
|
|
),
|
|
|
|
// DOCTOR - Medical access, read patients, create encounters
|
|
'doctor' => array(
|
|
'user_id' => $this->doctor_user,
|
|
'permissions' => array(
|
|
// Clinics - Read only
|
|
array( 'GET', '/wp-json/kivicare/v1/clinics', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/clinics', 403 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/clinics/{$clinic_id}", 403 ),
|
|
array( 'DELETE', "/wp-json/kivicare/v1/clinics/{$clinic_id}", 403 ),
|
|
|
|
// Patients - Full access to clinic patients
|
|
array( 'GET', '/wp-json/kivicare/v1/patients', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/patients', 201 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/patients/{$this->patient_user}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/patients/{$this->patient_user}", 200 ),
|
|
|
|
// Appointments - Read and update own appointments
|
|
array( 'GET', '/wp-json/kivicare/v1/appointments', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/appointments', 403 ), // Cannot create
|
|
array( 'GET', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ),
|
|
array( 'DELETE', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 403 ),
|
|
|
|
// Encounters - Full access
|
|
array( 'GET', '/wp-json/kivicare/v1/encounters', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/encounters', 201 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/encounters/{$encounter_id}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/encounters/{$encounter_id}", 200 ),
|
|
|
|
// Prescriptions - Full access
|
|
array( 'POST', "/wp-json/kivicare/v1/encounters/{$encounter_id}/prescriptions", 201 ),
|
|
|
|
// Bills - Read only
|
|
array( 'GET', '/wp-json/kivicare/v1/bills', 200 ),
|
|
array( 'POST', "/wp-json/kivicare/v1/bills/1/payment", 403 ),
|
|
),
|
|
),
|
|
|
|
// PATIENT - Own data only, read-only access
|
|
'patient' => array(
|
|
'user_id' => $this->patient_user,
|
|
'permissions' => array(
|
|
// Clinics - No access
|
|
array( 'GET', '/wp-json/kivicare/v1/clinics', 403 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/clinics', 403 ),
|
|
|
|
// Patients - Own data only
|
|
array( 'GET', '/wp-json/kivicare/v1/patients', 403 ), // Cannot list all patients
|
|
array( 'POST', '/wp-json/kivicare/v1/patients', 403 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/patients/{$this->patient_user}", 200 ), // Own data
|
|
array( 'PUT', "/wp-json/kivicare/v1/patients/{$this->patient_user}", 200 ), // Update own data
|
|
|
|
// Appointments - Own appointments only
|
|
array( 'GET', '/wp-json/kivicare/v1/appointments', 200 ), // Filtered to own
|
|
array( 'POST', '/wp-json/kivicare/v1/appointments', 201 ), // Can book appointments
|
|
array( 'GET', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 403 ), // Cannot modify
|
|
array( 'DELETE', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ), // Can cancel own
|
|
|
|
// Encounters - Own encounters, read-only
|
|
array( 'GET', '/wp-json/kivicare/v1/encounters', 200 ), // Filtered to own
|
|
array( 'POST', '/wp-json/kivicare/v1/encounters', 403 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/encounters/{$encounter_id}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/encounters/{$encounter_id}", 403 ),
|
|
|
|
// Prescriptions - Read own prescriptions
|
|
array( 'GET', "/wp-json/kivicare/v1/patients/{$this->patient_user}/prescriptions", 200 ),
|
|
array( 'POST', "/wp-json/kivicare/v1/encounters/{$encounter_id}/prescriptions", 403 ),
|
|
|
|
// Bills - Own bills only
|
|
array( 'GET', '/wp-json/kivicare/v1/bills', 200 ), // Filtered to own
|
|
array( 'POST', "/wp-json/kivicare/v1/bills/1/payment", 403 ),
|
|
),
|
|
),
|
|
|
|
// RECEPTIONIST - Appointments and basic patient data
|
|
'receptionist' => array(
|
|
'user_id' => $this->receptionist_user,
|
|
'permissions' => array(
|
|
// Clinics - Read only
|
|
array( 'GET', '/wp-json/kivicare/v1/clinics', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/clinics', 403 ),
|
|
|
|
// Patients - Basic access
|
|
array( 'GET', '/wp-json/kivicare/v1/patients', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/patients', 201 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/patients/{$this->patient_user}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/patients/{$this->patient_user}", 200 ), // Basic info only
|
|
|
|
// Appointments - Full access
|
|
array( 'GET', '/wp-json/kivicare/v1/appointments', 200 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/appointments', 201 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ),
|
|
array( 'PUT', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ),
|
|
array( 'DELETE', "/wp-json/kivicare/v1/appointments/{$appointment_id}", 200 ),
|
|
|
|
// Encounters - No access to medical data
|
|
array( 'GET', '/wp-json/kivicare/v1/encounters', 403 ),
|
|
array( 'POST', '/wp-json/kivicare/v1/encounters', 403 ),
|
|
array( 'GET', "/wp-json/kivicare/v1/encounters/{$encounter_id}", 403 ),
|
|
|
|
// Bills - Full access
|
|
array( 'GET', '/wp-json/kivicare/v1/bills', 200 ),
|
|
array( 'POST', "/wp-json/kivicare/v1/bills/1/payment", 200 ),
|
|
),
|
|
),
|
|
);
|
|
|
|
// Execute permission tests for each role
|
|
foreach ( $permission_matrix as $role => $role_data ) {
|
|
foreach ( $role_data['permissions'] as $permission ) {
|
|
list( $method, $endpoint, $expected_status ) = $permission;
|
|
|
|
// Prepare test data based on method
|
|
$test_data = array();
|
|
if ( $method === 'POST' ) {
|
|
if ( strpos( $endpoint, 'clinics' ) !== false ) {
|
|
$test_data = array( 'name' => 'Test Clinic', 'email' => 'test@clinic.com' );
|
|
} elseif ( strpos( $endpoint, 'patients' ) !== false ) {
|
|
$test_data = array( 'display_name' => 'Test Patient', 'user_email' => 'test@patient.com', 'clinic_id' => $clinic_id );
|
|
} elseif ( strpos( $endpoint, 'appointments' ) !== false ) {
|
|
$test_data = array(
|
|
'appointment_start_date' => gmdate( 'Y-m-d', strtotime( '+2 days' ) ),
|
|
'appointment_start_time' => '10:00:00',
|
|
'appointment_end_time' => '10:30:00',
|
|
'doctor_id' => $this->doctor_user,
|
|
'patient_id' => $this->patient_user,
|
|
'clinic_id' => $clinic_id,
|
|
);
|
|
} elseif ( strpos( $endpoint, 'encounters' ) !== false ) {
|
|
$test_data = array( 'appointment_id' => $appointment_id, 'description' => 'Test encounter' );
|
|
} elseif ( strpos( $endpoint, 'prescriptions' ) !== false ) {
|
|
$test_data = array( 'name' => 'Test Medicine', 'frequency' => 'Daily', 'duration' => '7 days' );
|
|
} elseif ( strpos( $endpoint, 'payment' ) !== false ) {
|
|
$test_data = array( 'amount' => '50.00', 'payment_method' => 'cash' );
|
|
}
|
|
} elseif ( $method === 'PUT' ) {
|
|
if ( strpos( $endpoint, 'clinics' ) !== false ) {
|
|
$test_data = array( 'name' => 'Updated Clinic Name' );
|
|
} elseif ( strpos( $endpoint, 'patients' ) !== false ) {
|
|
$test_data = array( 'phone' => '+351999888777' );
|
|
} elseif ( strpos( $endpoint, 'appointments' ) !== false ) {
|
|
$test_data = array( 'description' => 'Updated appointment notes' );
|
|
} elseif ( strpos( $endpoint, 'encounters' ) !== false ) {
|
|
$test_data = array( 'description' => 'Updated encounter notes' );
|
|
}
|
|
}
|
|
|
|
// Make request and assert
|
|
$response = $this->make_request( $endpoint, $method, $test_data, $role_data['user_id'] );
|
|
$this->assertRestResponse(
|
|
$response,
|
|
$expected_status,
|
|
"Failed permission test for role {$role}: {$method} {$endpoint} (expected {$expected_status}, got {$response->get_status()})"
|
|
);
|
|
}
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Test data filtering based on user role and clinic access.
|
|
*
|
|
* @test
|
|
*/
|
|
public function test_role_based_data_filtering() {
|
|
// This test will fail initially as data filtering isn't implemented
|
|
$this->markTestIncomplete( 'Role-based data filtering not implemented yet - TDD RED phase' );
|
|
|
|
// ARRANGE: Setup multi-clinic scenario
|
|
$clinic1_id = $this->create_test_clinic();
|
|
$clinic2_id = $this->create_test_clinic();
|
|
|
|
$doctor2_id = $this->factory->user->create( array( 'role' => 'doctor' ) );
|
|
$patient2_id = $this->factory->user->create( array( 'role' => 'patient' ) );
|
|
|
|
global $wpdb;
|
|
|
|
// Map users to different clinics
|
|
$wpdb->insert( $wpdb->prefix . 'kc_doctor_clinic_mappings', array( 'doctor_id' => $this->doctor_user, 'clinic_id' => $clinic1_id ) );
|
|
$wpdb->insert( $wpdb->prefix . 'kc_doctor_clinic_mappings', array( 'doctor_id' => $doctor2_id, 'clinic_id' => $clinic2_id ) );
|
|
$wpdb->insert( $wpdb->prefix . 'kc_patient_clinic_mappings', array( 'patient_id' => $this->patient_user, 'clinic_id' => $clinic1_id ) );
|
|
$wpdb->insert( $wpdb->prefix . 'kc_patient_clinic_mappings', array( 'patient_id' => $patient2_id, 'clinic_id' => $clinic2_id ) );
|
|
|
|
// Create appointments in both clinics
|
|
$appointment1_id = $this->create_test_appointment( $clinic1_id, $this->doctor_user, $this->patient_user );
|
|
$appointment2_id = $this->create_test_appointment( $clinic2_id, $doctor2_id, $patient2_id );
|
|
|
|
// TEST: Doctor 1 should only see clinic 1 data
|
|
$doctor1_patients = $this->make_request( '/wp-json/kivicare/v1/patients', 'GET', array(), $this->doctor_user );
|
|
$patients_data = $doctor1_patients->get_data()['data'];
|
|
|
|
foreach ( $patients_data as $patient ) {
|
|
$this->assertEquals( $clinic1_id, $patient['clinic_id'], 'Doctor should only see patients from their clinic' );
|
|
}
|
|
|
|
$doctor1_appointments = $this->make_request( '/wp-json/kivicare/v1/appointments', 'GET', array(), $this->doctor_user );
|
|
$appointments_data = $doctor1_appointments->get_data()['data'];
|
|
|
|
foreach ( $appointments_data as $appointment ) {
|
|
$this->assertEquals( $clinic1_id, $appointment['clinic_id'], 'Doctor should only see appointments from their clinic' );
|
|
}
|
|
|
|
// TEST: Patient should only see own data
|
|
$patient_appointments = $this->make_request( '/wp-json/kivicare/v1/appointments', 'GET', array(), $this->patient_user );
|
|
$patient_appointments_data = $patient_appointments->get_data()['data'];
|
|
|
|
foreach ( $patient_appointments_data as $appointment ) {
|
|
$this->assertEquals( $this->patient_user, $appointment['patient_id'], 'Patient should only see their own appointments' );
|
|
}
|
|
|
|
// TEST: Administrator should see all data
|
|
$admin_patients = $this->make_request( '/wp-json/kivicare/v1/patients', 'GET', array(), $this->admin_user );
|
|
$all_patients_data = $admin_patients->get_data()['data'];
|
|
|
|
$clinic_ids = wp_list_pluck( $all_patients_data, 'clinic_id' );
|
|
$this->assertContains( $clinic1_id, $clinic_ids );
|
|
$this->assertContains( $clinic2_id, $clinic_ids );
|
|
}
|
|
|
|
/**
|
|
* Test API key authentication and permissions.
|
|
*
|
|
* @test
|
|
*/
|
|
public function test_api_key_authentication_permissions() {
|
|
// This test will fail initially as API key authentication isn't implemented
|
|
$this->markTestIncomplete( 'API key authentication not implemented yet - TDD RED phase' );
|
|
|
|
// ARRANGE: Generate API keys for different purposes
|
|
$api_keys = array(
|
|
'read_only' => $this->generate_api_key( 'read_only', array( 'read_patients', 'read_appointments' ) ),
|
|
'full_admin' => $this->generate_api_key( 'full_admin', array( 'all' ) ),
|
|
'billing' => $this->generate_api_key( 'billing', array( 'read_bills', 'process_payments' ) ),
|
|
);
|
|
|
|
$clinic_id = $this->create_test_clinic();
|
|
$appointment_id = $this->create_test_appointment( $clinic_id, $this->doctor_user, $this->patient_user );
|
|
|
|
// Test API key permissions
|
|
$api_key_tests = array(
|
|
array( 'key' => 'read_only', 'method' => 'GET', 'endpoint' => '/wp-json/kivicare/v1/patients', 'expected' => 200 ),
|
|
array( 'key' => 'read_only', 'method' => 'POST', 'endpoint' => '/wp-json/kivicare/v1/patients', 'expected' => 403 ),
|
|
array( 'key' => 'full_admin', 'method' => 'POST', 'endpoint' => '/wp-json/kivicare/v1/patients', 'expected' => 201 ),
|
|
array( 'key' => 'billing', 'method' => 'GET', 'endpoint' => '/wp-json/kivicare/v1/bills', 'expected' => 200 ),
|
|
array( 'key' => 'billing', 'method' => 'GET', 'endpoint' => '/wp-json/kivicare/v1/patients', 'expected' => 403 ),
|
|
);
|
|
|
|
foreach ( $api_key_tests as $test ) {
|
|
// Set API key in header
|
|
$_SERVER['HTTP_X_API_KEY'] = $api_keys[ $test['key'] ];
|
|
|
|
$test_data = array();
|
|
if ( $test['method'] === 'POST' && strpos( $test['endpoint'], 'patients' ) !== false ) {
|
|
$test_data = array( 'display_name' => 'API Test Patient', 'user_email' => 'api@test.com', 'clinic_id' => $clinic_id );
|
|
}
|
|
|
|
$response = $this->make_request( $test['endpoint'], $test['method'], $test_data );
|
|
$this->assertRestResponse( $response, $test['expected'] );
|
|
}
|
|
|
|
// Cleanup
|
|
unset( $_SERVER['HTTP_X_API_KEY'] );
|
|
}
|
|
|
|
/**
|
|
* Test permission inheritance and role hierarchy.
|
|
*
|
|
* @test
|
|
*/
|
|
public function test_permission_inheritance_hierarchy() {
|
|
// This test will fail initially as role hierarchy isn't implemented
|
|
$this->markTestIncomplete( 'Permission inheritance not implemented yet - TDD RED phase' );
|
|
|
|
// Create custom role with specific capabilities
|
|
add_role( 'clinic_manager', 'Clinic Manager', array(
|
|
'read' => true,
|
|
'manage_kivicare_api' => true,
|
|
'kivicare_api_clinic_admin' => true,
|
|
'kivicare_api_manage_doctors' => true,
|
|
'kivicare_api_manage_patients' => true,
|
|
'kivicare_api_view_reports' => true,
|
|
));
|
|
|
|
$clinic_manager_id = $this->factory->user->create( array( 'role' => 'clinic_manager' ) );
|
|
$clinic_id = $this->create_test_clinic();
|
|
|
|
// Test role hierarchy permissions
|
|
$hierarchy_tests = array(
|
|
// Clinic manager should have patient and doctor management access
|
|
array( 'user' => $clinic_manager_id, 'endpoint' => '/wp-json/kivicare/v1/patients', 'method' => 'GET', 'expected' => 200 ),
|
|
array( 'user' => $clinic_manager_id, 'endpoint' => '/wp-json/kivicare/v1/patients', 'method' => 'POST', 'expected' => 201 ),
|
|
array( 'user' => $clinic_manager_id, 'endpoint' => '/wp-json/kivicare/v1/reports/clinic', 'method' => 'GET', 'expected' => 200 ),
|
|
|
|
// But should NOT have medical data access
|
|
array( 'user' => $clinic_manager_id, 'endpoint' => '/wp-json/kivicare/v1/encounters', 'method' => 'GET', 'expected' => 403 ),
|
|
array( 'user' => $clinic_manager_id, 'endpoint' => '/wp-json/kivicare/v1/encounters/1/prescriptions', 'method' => 'POST', 'expected' => 403 ),
|
|
);
|
|
|
|
foreach ( $hierarchy_tests as $test ) {
|
|
$test_data = array();
|
|
if ( $test['method'] === 'POST' && strpos( $test['endpoint'], 'patients' ) !== false ) {
|
|
$test_data = array( 'display_name' => 'Manager Test', 'user_email' => 'manager@test.com', 'clinic_id' => $clinic_id );
|
|
}
|
|
|
|
$response = $this->make_request( $test['endpoint'], $test['method'], $test_data, $test['user'] );
|
|
$this->assertRestResponse( $response, $test['expected'] );
|
|
}
|
|
|
|
// Cleanup custom role
|
|
remove_role( 'clinic_manager' );
|
|
}
|
|
|
|
/**
|
|
* Helper method to generate API key (will be implemented).
|
|
*
|
|
* @param string $name Key name.
|
|
* @param array $permissions Key permissions.
|
|
* @return string API key.
|
|
*/
|
|
private function generate_api_key( $name, $permissions ) {
|
|
// This would be implemented with actual API key generation
|
|
return 'api_key_' . $name . '_' . wp_generate_password( 32, false );
|
|
}
|
|
} |