|
|
@@ -59,6 +59,32 @@ final class TwigViewTest extends TestCase
|
|
|
self::assertStringContainsString('/assets/js/vendor/htmx.min.js', $html);
|
|
|
}
|
|
|
|
|
|
+ public function testHomeForAnonymousUserHidesRuntimePanel(): void
|
|
|
+ {
|
|
|
+ $html = $this->view->render('home', [
|
|
|
+ 'title' => 'Sprint Planner',
|
|
|
+ 'csrfToken' => 'tok',
|
|
|
+ 'currentUser' => null,
|
|
|
+ 'schemaVersion' => 3,
|
|
|
+ 'dbPath' => '/var/data/app.sqlite',
|
|
|
+ 'appEnv' => 'production',
|
|
|
+ 'oidcConfigured' => true,
|
|
|
+ 'localAdminEnabled' => true,
|
|
|
+ 'authError' => false,
|
|
|
+ 'sprintRows' => [],
|
|
|
+ ]);
|
|
|
+
|
|
|
+ self::assertStringContainsString('Sign in with Microsoft', $html);
|
|
|
+ // R01-N02: the Runtime <details> panel must not leak PHP_VERSION,
|
|
|
+ // dbPath, schema version, OIDC/local-admin flags to anonymous visitors.
|
|
|
+ self::assertStringNotContainsString('Runtime', $html);
|
|
|
+ self::assertStringNotContainsString('Schema version', $html);
|
|
|
+ self::assertStringNotContainsString('/var/data/app.sqlite', $html);
|
|
|
+ self::assertStringNotContainsString(PHP_VERSION, $html);
|
|
|
+ // R01-N31 falls out of the same gate: no /healthz hint either.
|
|
|
+ self::assertStringNotContainsString('/healthz', $html);
|
|
|
+ }
|
|
|
+
|
|
|
public function testAuditRendersWithEmptyResults(): void
|
|
|
{
|
|
|
$html = $this->view->render('audit/index', [
|
chiappa