Testing: Test suite does not verify Hades authorization enforcement #11

@Snider

Description

The existing tests do not verify that unauthorized users are blocked from developer tools.

Location

  • File: src/Tests/UseCase/DevToolsBasic.php

Issue

The current test file:

  1. Creates a regular user (not explicitly a Hades user)
  2. Tests that pages load with assertOk()
  3. Does not verify that non-Hades users get 403 responses

The tests should verify:

  1. Unauthenticated users get redirected
  2. Authenticated non-Hades users get 403
  3. Hades users can access all features
  4. Rate limiting works correctly

Without these tests, authorization regressions could go unnoticed.

Recommendation

Add test cases for:

  1. Guest access returns redirect/401
  2. Regular user access returns 403
  3. Hades user access returns 200
  4. API endpoint rate limiting
  5. Cross-workspace isolation (user A cannot access user B's servers)

Severity

Medium - Missing test coverage for security-critical functionality
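The following Laravel feature test sketches the cases listed above (guest redirect/401, regular user 403, Hades user 200, rate limiting, cross-workspace isolation). It is an added example, not code from this repository or from @Snider; the route paths, the `is_hades` user attribute, the `Server` model with its `user_id` column, the `login` route name and the throttle limit of 60 requests per minute are all assumptions chosen for illustration and will need to be swapped for the project's real values.

```php
<?php

namespace Tests\UseCase;

use App\Models\Server; // assumed model: a workspace server owned by one user
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

/**
 * Illustrative authorization tests for the developer-tools area.
 *
 * Assumptions (not taken from the issue): the dev tools live under /dev-tools,
 * a Hades user is a User with is_hades = true, servers are exposed at
 * /servers/{server} and belong to a user via user_id, the login route is named
 * "login", and /api/dev-tools/status sits behind throttle:60,1.
 */
class DevToolsAuthorizationTest extends TestCase
{
    use RefreshDatabase;

    private const DEV_TOOLS_URL = '/dev-tools';
    private const API_URL = '/api/dev-tools/status';
    private const RATE_LIMIT = 60; // assumed throttle:60,1 on the API route

    private function hadesUser(): User
    {
        return User::factory()->create(['is_hades' => true]);
    }

    private function regularUser(): User
    {
        return User::factory()->create(['is_hades' => false]);
    }

    /** Guests must never see the page: expect a redirect to the login route. */
    public function test_guest_is_redirected_from_dev_tools(): void
    {
        $this->get(self::DEV_TOOLS_URL)->assertRedirect(route('login'));
    }

    /** Guests hitting the JSON API get 401 rather than a redirect. */
    public function test_guest_api_request_is_unauthorized(): void
    {
        $this->getJson(self::API_URL)->assertUnauthorized();
    }

    /** An authenticated user without the Hades flag must get 403, not a page. */
    public function test_regular_user_is_forbidden(): void
    {
        $this->actingAs($this->regularUser())
            ->get(self::DEV_TOOLS_URL)
            ->assertForbidden();
    }

    public function test_hades_user_can_access_dev_tools(): void
    {
        $this->actingAs($this->hadesUser())
            ->get(self::DEV_TOOLS_URL)
            ->assertOk();
    }

    /** Exactly RATE_LIMIT requests succeed; the next one must be throttled with 429. */
    public function test_api_endpoint_is_rate_limited(): void
    {
        $user = $this->hadesUser();
        for ($i = 0; $i < self::RATE_LIMIT; $i++) {
            $this->actingAs($user)->getJson(self::API_URL)->assertOk();
        }
        $this->actingAs($user)->getJson(self::API_URL)->assertStatus(429);
    }

    /** Even a Hades user must not reach a server in another user's workspace. */
    public function test_user_cannot_access_another_users_server(): void
    {
        $owner = $this->hadesUser();
        $other = $this->hadesUser();
        $server = Server::factory()->create(['user_id' => $owner->id]);

        $this->actingAs($other)
            ->get("/servers/{$server->id}")
            ->assertForbidden();

        $this->actingAs($owner)
            ->get("/servers/{$server->id}")
            ->assertOk();
    }
}
```

Each case asserts on the negative outcome (redirect, 401, 403, 429) as well as the positive one, which is what catches an authorization regression: a test that only calls `assertOk()` for a user who happens to be allowed through would still pass if the middleware were removed entirely.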
