mirror/opensourcepos
1
0
Fork 0
mirror of https://github.com/opensourcepos/opensourcepos.git synced 2026-05-25 08:44:42 -04:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: mirror:fix/bola-remaining-controllers
Branches Tags
mirror:master mirror:fix-tax-input-locale mirror:fix/4554-encryption-docker-issue mirror:fix/4559-migration-type-error mirror:fix/shared-version-tag-logic mirror:WebShells-Secondary-Display mirror:plugin-system-fresh mirror:WebShells-Second-Display mirror:ubl-invoice-generation mirror:feature/ubuntu-install-clean mirror:fix/attribute-search-refactor mirror:pr-4522 mirror:bootstrap-5 mirror:feature/person-attributes mirror:person_attributes mirror:refactor-4489-model-getters mirror:issue-4459 mirror:issue-4474 mirror:refactor-4491-js-modernization mirror:refactor-4490-remove-duplication mirror:feat-4488-enable-csp mirror:review-pr-4394 mirror:feature/payment-provider-system mirror:feature/travis-to-github-actions mirror:feature/payment-plugins mirror:fix/pr-4361-camelcase mirror:fix/pr-4305-bugs mirror:feature/integration-tests mirror:feature/rest-api-implementation mirror:feature/api-openapi-spec mirror:feature/ubuntu-install-script mirror:fix/bola-remaining-controllers mirror:feature-add-transactions-to-migrations mirror:apply-ci4-coding-standards mirror:4283-bug-suspended-sales-not-displaying mirror:fix-sales-completion mirror:validation-fixes mirror:ui-improvements mirror:gh-pages mirror:fix-requisitions mirror:revert-input-filtering mirror:migration-success-message mirror:no-negative-stock mirror:customer-due-tracking
mirror:unstable mirror:3.4.1 mirror:3.4.0 mirror:3.3.9 mirror:3.3.8 mirror:3.3.7 mirror:3.3.6 mirror:master.3.3.6 mirror:3.3.5 mirror:master.3.3.5 mirror:CodeIgniter_4_upgrade.3.4.0-dev mirror:eventsauce.3.4.0-dev mirror:formatting_corrections.3.4.0-dev mirror:fix-employee-update.3.4.0-dev mirror:person_attributes.3.4.0-dev mirror:login-improvements.3.4.0-dev mirror:upgrade-grunt-and-npm mirror:master.3.4.0-dev mirror:3.3.4 mirror:3.3.3 mirror:3.3.2 mirror:3.3.1 mirror:3.3.0 mirror:3.2.3 mirror:3.2.2 mirror:3.2.1 mirror:3.2.0 mirror:3.1.1 mirror:3.1.0 mirror:3.0.2 mirror:3.0.1 mirror:3.0.0 mirror:2.4.0 mirror:2.3.4 mirror:2.3.3 mirror:2.3.2 mirror:2.3.1 mirror:2.3 mirror:2.2.2
..
compare: mirror:feature/integration-tests
Branches Tags
mirror:fix-tax-input-locale mirror:fix/4554-encryption-docker-issue mirror:master mirror:fix/4559-migration-type-error mirror:fix/shared-version-tag-logic mirror:WebShells-Secondary-Display mirror:plugin-system-fresh mirror:WebShells-Second-Display mirror:ubl-invoice-generation mirror:feature/ubuntu-install-clean mirror:fix/attribute-search-refactor mirror:pr-4522 mirror:bootstrap-5 mirror:feature/person-attributes mirror:person_attributes mirror:refactor-4489-model-getters mirror:issue-4459 mirror:issue-4474 mirror:refactor-4491-js-modernization mirror:refactor-4490-remove-duplication mirror:feat-4488-enable-csp mirror:review-pr-4394 mirror:feature/payment-provider-system mirror:feature/travis-to-github-actions mirror:feature/payment-plugins mirror:fix/pr-4361-camelcase mirror:fix/pr-4305-bugs mirror:feature/integration-tests mirror:feature/rest-api-implementation mirror:feature/api-openapi-spec mirror:feature/ubuntu-install-script mirror:fix/bola-remaining-controllers mirror:feature-add-transactions-to-migrations mirror:apply-ci4-coding-standards mirror:4283-bug-suspended-sales-not-displaying mirror:fix-sales-completion mirror:validation-fixes mirror:ui-improvements mirror:gh-pages mirror:fix-requisitions mirror:revert-input-filtering mirror:migration-success-message mirror:no-negative-stock mirror:customer-due-tracking
mirror:unstable mirror:3.4.1 mirror:3.4.0 mirror:3.3.9 mirror:3.3.8 mirror:3.3.7 mirror:3.3.6 mirror:master.3.3.6 mirror:3.3.5 mirror:master.3.3.5 mirror:CodeIgniter_4_upgrade.3.4.0-dev mirror:eventsauce.3.4.0-dev mirror:formatting_corrections.3.4.0-dev mirror:fix-employee-update.3.4.0-dev mirror:person_attributes.3.4.0-dev mirror:login-improvements.3.4.0-dev mirror:upgrade-grunt-and-npm mirror:master.3.4.0-dev mirror:3.3.4 mirror:3.3.3 mirror:3.3.2 mirror:3.3.1 mirror:3.3.0 mirror:3.2.3 mirror:3.2.2 mirror:3.2.1 mirror:3.2.0 mirror:3.1.1 mirror:3.1.0 mirror:3.0.2 mirror:3.0.1 mirror:3.0.0 mirror:2.4.0 mirror:2.3.4 mirror:2.3.3 mirror:2.3.2 mirror:2.3.1 mirror:2.3 mirror:2.2.2

17 Commits
fix/bola-r ... feature/in

Author SHA1 Message Date
objecttothis
302a76b84a Merge branch 'master' into feature/integration-tests 2026-03-08 13:15:43 -07:00
Ollama
a229bf6031 Fix stored XSS vulnerabilities in employee permissions and customer data 
1. Stock Location XSS (GHSA-7hg5-68rx-xpmg):
   - Stock location names were rendered unescaped in employee form
   - Malicious stock locations could contain XSS payloads that execute
     when viewing employee permissions
   - Fixed by adding esc() to permission display in employees/form.php

2. Customer Name XSS (GHSA-hcfr-9hfv-mcwp):
   - Bootstrap-table columns had escape disabled for customer_name,
     email, phone_number, and note fields
   - Malicious customer names could execute XSS in Daily Sales view
   - Fixed by removing user-controlled fields from escape exception list
   - Only 'edit', 'messages', and 'item_pic' remain in exception list
     (these contain safe server-generated HTML)

Both vulnerabilities allow authenticated attackers with basic permissions
to inject JavaScript that executes in admin/other user sessions.
 2026-03-08 18:42:30 +01:00
Ollama
977fa5647b Fix stored XSS vulnerability in item descriptions 
GHSA-q58g-gg7v-f9rf: Stored XSS via Item Description

Security Impact:
- Authenticated users with item management permission can inject XSS payloads
- Payloads execute in POS register view (sales and receivings)
- Can steal session cookies, perform CSRF attacks, or compromise POS operations

Root Cause:
1. Input: Items.php:614 accepts description without sanitization
2. Output: register.php:255 and receiving.php:220 echo description without escaping

Fix Applied:
- Input sanitization: Added FILTER_SANITIZE_FULL_SPECIAL_CHARS to description POST
- Output escaping: Added esc() wrapper when echoing item descriptions
- Defense-in-depth approach: sanitize on input, escape on output

Files Changed:
- app/Controllers/Items.php - Sanitize description on save
- app/Views/sales/register.php - Escape description on display
- app/Views/receivings/receiving.php - Escape description on display

Testing:
- XSS payloads like '<script>alert(1)</script>' are now sanitized on input
- Any existing malicious descriptions are escaped on output
- Does not break legitimate descriptions with special characters
 2026-03-07 20:51:48 +01:00
Ollama
2725c6e872 Fix integration tests: run playwright on failure, fix test path and syntax error 
- Add 'needs: integration' and 'if: always()' so playwright job runs
  even when integration job fails, ensuring screenshots get uploaded
- Fix npm run test command (remove incorrect cd into integration-tests)
- Fix JavaScript error: navigationOption used before declaration
- Add explicit outputDir and outputFolder in playwright config
 2026-03-07 18:27:08 +00:00
Ollama
52b0a83190 Fix SQL injection in custom attribute search 
Parameterize LIKE queries in HAVING clause to prevent SQL injection
when search_custom filter is enabled. Also sanitize search parameter
input at controller level for defense-in-depth.

Fixes vulnerability where user input was directly interpolated into
SQL queries without sanitization.
 2026-03-07 19:10:42 +01:00
Ollama
7cd2d3e61f Fix CI: Remove --wait flag from docker compose up 
The --wait flag causes CI to fail when init containers (like sqlscript)
exit successfully with code 0. The workflow already has a dedicated
'Wait for Application' step that polls the application endpoint.

Also remove redundant webServer config from playwright.config.ts since
the workflow handles container startup separately.
 2026-03-06 21:39:50 +00:00
jekkos
f25a0f5b09 Refactor: Move ADMIN_MODULES to constants, rename methods to camelCase 
- Move admin modules list from is_admin method to ADMIN_MODULES constant
- Rename is_admin() to isAdmin() following CodeIgniter naming conventions
- Rename can_modify_employee() to canModifyEmployee() following conventions
- Update all callers in Employees controller and tests
 2026-03-06 17:25:25 +01:00
jekkos
f0f288797a Add migration to fix existing image filenames with spaces (#4372) 
This migration will:
- Scan all items for filenames containing spaces
- Rename both original and thumbnail files on the filesystem
- Update database records with sanitized filenames
- Only process files that actually exist on the filesystem
 2026-03-06 17:09:52 +01:00
jekkos
63083a0946 Fix: Sanitize image filenames to prevent thumbnail display issues (#4372) 
When uploading item images with filenames containing spaces, the thumbnails fail to load due to Apache mod_rewrite rejecting URLs with spaces.

Changes:
- Modified upload_image() method to sanitize filenames by replacing spaces and special characters with underscores
- Uses regex to keep only alphanumeric, underscores, hyphens, and periods
- Preserves original filename in 'orig_name' field for reference
- Fixes issue where thumbnail URLs would fail with 'AH10411: Rewritten query string contains control characters or spaces'

Example: 'banana marsmellow.jpg' becomes 'banana_marsmellow.jpg'

Fixes: #4372
 2026-03-06 17:09:52 +01:00
jekkos
3a33098776 Fix: Handle image filenames with spaces in thumbnails 
- URL-encode filenames when constructing image/thumbnail URLs
- Decode filename parameter in getPicThumb() controller
- Prevents Apache AH10411 error with spaces in rewritten URLs

Fixes #4372
 2026-03-06 17:09:52 +01:00
jekkos
ca6a1b35af Add row-level authorization to password change endpoints (#4401) 
* fix(security): add row-level authorization to password change endpoints

- Prevents non-admin users from viewing other users' password forms
- Prevents non-admin users from changing other users' passwords
- Uses can_modify_employee() check consistent with Employees controller fix
- Addresses BOLA vulnerability in Home controller (GHSA-q58g-gg7v-f9rf)

* test(security): add BOLA authorization tests for Home controller

- Test non-admin cannot view/change admin password
- Test user can view/change own password
- Test admin can view/change any password
- Test default employee_id uses current user
- Add JUnit test result upload to CI workflow

* refactor: apply PSR-12 naming and add DEFAULT_EMPLOYEE_ID constant

- Add DEFAULT_EMPLOYEE_ID constant to Constants.php
- Rename variables to follow PSR-12 camelCase convention
- Use ternary for default employee ID assignment

* refactor: use NEW_ENTRY constant instead of adding DEFAULT_EMPLOYEE_ID

Reuse existing NEW_ENTRY constant for default employee ID parameter.
Avoids adding redundant constants to Constants.php with same value (-1).

---------

Co-authored-by: jekkos <jeroen@steganos.dev>
 2026-03-06 17:08:36 +01:00
jekkos
418580a52d Fix second-order SQL injection in currency_symbol config (#4390) 
* Fix second-order SQL injection in currency_symbol config

The currency_symbol value was concatenated directly into SQL queries
without proper escaping, allowing SQL injection attacks via the
Summary Discounts report.

Changes:
- Use $this->db->escape() in Summary_discounts::getData() to properly
  escape the currency symbol value before concatenation
- Add htmlspecialchars() validation in Config::postSaveLocale() to
  sanitize the input at storage time
- Add unit tests to verify escaping of malicious inputs

Fixes SQL injection vulnerability described in bug report where
attackers with config permissions could inject arbitrary SQL through
the currency_symbol field.

* Update test to use CIUnitTestCase for consistency

Per code review feedback, updated test to extend CIUnitTestCase
instead of PHPUnit TestCase to maintain consistency with other
tests in the codebase.

---------

Co-authored-by: Ollama <ollama@steganos.dev>
 2026-03-06 17:01:38 +01:00
jekkos
31d25e06dc fix(security): whitelist and validate invoice template types (#4393) 
- Add whitelist validation for invoice_type to prevent path traversal and LFI
- Validate invoice_type against allowed values in Sale_lib
- Sanitize invoice_type input in Config controller before saving
- Default to 'invoice' template for invalid types

Security: Prevents arbitrary file inclusion via user-controlled invoice_type config
 2026-03-06 13:18:47 +01:00
jekkos
b1819b3b36 dd validation for invalid stock locations in CSV import (#4399) 
- Add validateCSVStockLocations() method to check CSV columns against allowed locations
- Log error when invalid stock location columns are detected
- Tests for valid, invalid, and mixed stock location columns
- Tests for location name case sensitivity
- Tests for CSV parsing and detecting location columns
- Add error message language string for invalid locations

Co-authored-by: objecttothis <17935339+objecttothis@users.noreply.github.com>
 2026-03-06 13:17:52 +01:00
jekkos
6705420373 Fix incorrect argument types in migration round_number() methods (#4403) 
The round_number() method signature declares $amount as string, but the
HALF_FIVE case and other rounding operations pass string values to round()
and other arithmetic operations which expect numeric types. This causes
type errors when strict type checking is enabled.

Fix by casting $amount to float before arithmetic operations in both
migration files:
- 20170502221506_sales_tax_data.php (line 268)
- 20200202000000_taxamount.php (line 244)

Also cast sale_tax_amount to float in round_sales_taxes() method before
passing to round() operations (lines 381 in sales_tax_data.php and 358 in
taxamount.php).

Fixes #4324
 2026-03-06 13:07:24 +01:00
dependabot[bot]
d6b767c80a Bump dompurify from 3.3.1 to 3.3.2 (#4402) 
Bumps [dompurify](https://github.com/cure53/DOMPurify) from 3.3.1 to 3.3.2.
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](https://github.com/cure53/DOMPurify/compare/3.3.1...3.3.2)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.3.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-03-05 21:54:49 +01:00
jekkos
3c5f4c1465 Add integration test harness with Playwright E2E tests 
- Add basic Docker integration tests (run-integration-tests.sh)
  - Validates Docker stack startup
  - Checks login page accessibility and HTTP status
  - Verifies login form presence

- Add Playwright E2E test suite
  - Login tests: valid/invalid credentials, protected pages
  - Items tests: create, update, verify in inventory table
  - Customers tests: create with details, search, table verification
  - Sales tests: full sale flow with items, customers, payment, and receipt validation

- Configure Playwright with multi-browser support (Chrome, Firefox)
- Add GitHub Actions workflow for CI/CD
  - Runs on push/PR to master
  - Includes both basic and Playwright tests
  - Uploads screenshots, traces, and logs on failure

- Organize tests in integration-tests/ directory
- Update package.json with test scripts
- Include comprehensive documentation

This provides automated testing for core POS workflows including
item management, customer management, and complete sales transactions
with receipt generation verification.
 2026-03-04 21:37:07 +00:00
34 changed files with 2826 additions and 91 deletions
Expand all files Collapse all files

144
.github/workflows/integration-tests.yml vendored Normal file
View File

@@ -0,0 +1,144 @@
name: Integration Tests
on:
push:
branches: [ master, main ]
paths:
- 'app/**'
- 'public/**'
- 'docker/**'
- 'docker-compose*.yml'
- 'tests/**'
- 'integration-tests/**'
- '.github/workflows/integration-tests.yml'
pull_request:
branches: [ master, main ]
paths:
- 'app/**'
- 'public/**'
- 'docker/**'
- 'docker-compose*.yml'
- 'tests/**'
- 'integration-tests/**'
- '.github/workflows/integration-tests.yml'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
permissions:
contents: read
jobs:
integration:
name: Docker Integration Tests
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run Basic Integration Tests
run: chmod +x integration-tests/run-integration-tests.sh && cd integration-tests && ./run-integration-tests.sh
- name: View Logs on Failure
if: failure()
run: |
echo "=== Application Logs ==="
docker logs opensourcepos-integration-tests-ospos-1
echo ""
echo "=== Database Logs ==="
docker logs mysql || docker logs opensourcepos-mysql || echo "No database logs found"
- name: Stop Docker Stack
if: always()
run: docker compose down -v || true
playwright:
name: Playwright E2E Tests
runs-on: ubuntu-22.04
needs: integration
if: always()
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20'
- name: Cache node modules
uses: actions/cache@v4
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependencies
run: npm ci
- name: Install Playwright Browsers
run: npx playwright install --with-deps chromium firefox
- name: Start Docker Stack
run: docker compose up -d
- name: Wait for Application
run: |
echo "Waiting for application to be ready..."
timeout 90 bash -c 'until curl -s -f http://localhost/ > /dev/null; do sleep 2; done'
echo "Application is ready!"
- name: Run Playwright Tests
run: npm run test
env:
BASE_URL: http://localhost
- name: Upload Playwright Report
if: always()
uses: actions/upload-artifact@v4
with:
name: playwright-report
path: integration-tests/playwright-report/
retention-days: 7
- name: Upload Test Results
if: always()
uses: actions/upload-artifact@v4
with:
name: playwright-results
path: integration-tests/test-results/
retention-days: 7
- name: Upload Screenshots on Failure
if: failure()
uses: actions/upload-artifact@v4
with:
name: playwright-screenshots
path: integration-tests/test-results/**/*.png
retention-days: 7
- name: Upload Trace Files on Failure
if: failure()
uses: actions/upload-artifact@v4
with:
name: playwright-traces
path: integration-tests/test-results/**/*.zip
retention-days: 7
- name: View Logs on Failure
if: failure()
run: |
echo "=== Application Logs ==="
docker logs opensourcepos-integration-tests-ospos-1
echo ""
echo "=== Database Logs ==="
docker logs mysql || docker logs opensourcepos-mysql || echo "No database logs found"
- name: Stop Docker Stack
if: always()
run: docker compose down -v || true

10
.github/workflows/phpunit.yml vendored
View File

@@ -111,7 +111,15 @@ jobs:
env:
CI_ENVIRONMENT: testing
MYSQL_HOST_NAME: 127.0.0.1
run: composer test
run: composer test -- --log-junit test-results/junit.xml
- name: Upload test results
uses: actions/upload-artifact@v4
if: always()
with:
name: test-results-php-${{ matrix.php-version }}
path: test-results/
retention-days: 30
- name: Stop MariaDB
if: always()

5
app/Config/Constants.php
View File

@@ -169,3 +169,8 @@ const MAX_PRECISION = 1e14;
const DEFAULT_PRECISION = 2;
const DEFAULT_LANGUAGE = 'english';
const DEFAULT_LANGUAGE_CODE = 'en';
/**
* Admin modules - list of modules required for admin privileges
*/
const ADMIN_MODULES = ['customers', 'employees', 'giftcards', 'items', 'item_kits', 'messages', 'receivings', 'reports', 'sales', 'config', 'suppliers'];

7
app/Controllers/Config.php
View File

@@ -461,8 +461,9 @@ class Config extends Secure_Controller
public function postSaveLocale(): ResponseInterface
{
$exploded = explode(":", $this->request->getPost('language'));
$currency_symbol = $this->request->getPost('currency_symbol');
$batch_save_data = [
'currency_symbol' => $this->request->getPost('currency_symbol'),
'currency_symbol' => htmlspecialchars($currency_symbol ?? ''),
'currency_code' => $this->request->getPost('currency_code'),
'language_code' => $exploded[0],
'language' => $exploded[1],
@@ -942,7 +943,9 @@ class Config extends Secure_Controller
'work_order_enable' => $this->request->getPost('work_order_enable') != null,
'work_order_format' => $this->request->getPost('work_order_format'),
'last_used_work_order_number' => $this->request->getPost('last_used_work_order_number', FILTER_SANITIZE_NUMBER_INT),
'invoice_type' => $this->request->getPost('invoice_type')
'invoice_type' => Sale_lib::isValidInvoiceType($this->request->getPost('invoice_type'))
? $this->request->getPost('invoice_type')
: 'invoice'
];
$success = $this->appconfig->batch_save($batch_save_data);

12
app/Controllers/Employees.php
View File

@@ -78,7 +78,7 @@ class Employees extends Persons
$person_info = $this->employee->get_info($employee_id);
$current_user = $this->employee->get_logged_in_employee_info();
if ($employee_id != NEW_ENTRY && !$this->employee->can_modify_employee($person_info->person_id, $current_user->person_id)) {
if ($employee_id != NEW_ENTRY && !$this->employee->canModifyEmployee($person_info->person_id, $current_user->person_id)) {
header('Location: ' . base_url('no_access/employees/employees'));
exit();
}
@@ -120,7 +120,7 @@ class Employees extends Persons
if ($employee_id != NEW_ENTRY) {
$target_employee = $this->employee->get_info($employee_id);
if (!$this->employee->can_modify_employee($target_employee->person_id, $current_user->person_id)) {
if (!$this->employee->canModifyEmployee($target_employee->person_id, $current_user->person_id)) {
return $this->response->setJSON([
'success' => false,
'message' => lang('Employees.error_updating_admin'),
@@ -153,14 +153,14 @@ class Employees extends Persons
];
$grants_array = [];
$is_admin = $this->employee->is_admin($current_user->person_id);
$isAdmin = $this->employee->isAdmin($current_user->person_id);
foreach ($this->module->get_all_permissions()->getResult() as $permission) {
$grants = [];
$grant = $this->request->getPost('grant_' . $permission->permission_id) != null ? $this->request->getPost('grant_' . $permission->permission_id, FILTER_SANITIZE_FULL_SPECIAL_CHARS) : '';
if ($grant == $permission->permission_id) {
if (!$is_admin && !$this->employee->has_grant($permission->permission_id, $current_user->person_id)) {
if (!$isAdmin && !$this->employee->has_grant($permission->permission_id, $current_user->person_id)) {
continue;
}
$grants['permission_id'] = $permission->permission_id;
@@ -226,9 +226,9 @@ class Employees extends Persons
$employees_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$current_user = $this->employee->get_logged_in_employee_info();
if (!$this->employee->is_admin($current_user->person_id)) {
if (!$this->employee->isAdmin($current_user->person_id)) {
foreach ($employees_to_delete as $emp_id) {
if ($this->employee->is_admin((int)$emp_id)) {
if ($this->employee->isAdmin((int)$emp_id)) {
return $this->response->setJSON(['success' => false, 'message' => lang('Employees.error_deleting_admin')]);
}
}

6
app/Controllers/Giftcards.php
View File

@@ -174,12 +174,6 @@ class Giftcards extends Secure_Controller
*/
public function postDelete(): ResponseInterface
{
$current_user = $this->employee->get_logged_in_employee_info();
if (!$this->employee->is_admin($current_user->person_id)) {
return $this->response->setJSON(['success' => false, 'message' => lang('Giftcards.error_deleting_non_admin')]);
}
$giftcards_to_delete = $this->request->getPost('ids', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
if ($this->giftcard->delete_list($giftcards_to_delete)) {

49
app/Controllers/Home.php
View File

@@ -39,9 +39,19 @@ class Home extends Secure_Controller
* @return string
* @noinspection PhpUnused
*/
public function getChangePassword(int $employee_id = -1): string // TODO: Replace -1 with a constant
public function getChangePassword(int $employeeId = NEW_ENTRY): string
{
$person_info = $this->employee->get_info($employee_id);
$loggedInEmployee = $this->employee->get_logged_in_employee_info();
$currentPersonId = $loggedInEmployee->person_id;
$employeeId = $employeeId === NEW_ENTRY ? $currentPersonId : $employeeId;
if (!$this->employee->can_modify_employee($employeeId, $currentPersonId)) {
header('Location: ' . base_url('no_access/home/home'));
exit();
}
$person_info = $this->employee->get_info($employeeId);
foreach (get_object_vars($person_info) as $property => $value) {
$person_info->$property = $value;
}
@@ -55,9 +65,20 @@ class Home extends Secure_Controller
*
* @return ResponseInterface
*/
public function postSave(int $employee_id = -1): ResponseInterface // TODO: Replace -1 with a constant
public function postSave(int $employeeId = NEW_ENTRY): ResponseInterface
{
if (!empty($this->request->getPost('current_password')) && $employee_id != -1) {
$currentUser = $this->employee->get_logged_in_employee_info();
$employeeId = $employeeId === NEW_ENTRY ? $currentUser->person_id : $employeeId;
if (!$this->employee->can_modify_employee($employeeId, $currentUser->person_id)) {
return $this->response->setStatusCode(403)->setJSON([
'success' => false,
'message' => lang('Employees.unauthorized_modify')
]);
}
if (!empty($this->request->getPost('current_password')) && $employeeId != NEW_ENTRY) {
if ($this->employee->check_password($this->request->getPost('username', FILTER_SANITIZE_FULL_SPECIAL_CHARS), $this->request->getPost('current_password'))) {
// Validate password length BEFORE hashing
$new_password = $this->request->getPost('password');
@@ -66,7 +87,7 @@ class Home extends Secure_Controller
return $this->response->setJSON([
'success' => false,
'message' => lang('Employees.password_minlength'),
'id' => -1
'id' => NEW_ENTRY
]);
}
@@ -76,32 +97,32 @@ class Home extends Secure_Controller
'hash_version' => 2
];
if ($this->employee->change_password($employee_data, $employee_id)) {
if ($this->employee->change_password($employee_data, $employeeId)) {
return $this->response->setJSON([
'success' => true,
'message' => lang('Employees.successful_change_password'),
'id' => $employee_id
'id' => $employeeId
]);
} else { // Failure // TODO: Replace -1 with constant
} else {
return $this->response->setJSON([
'success' => false,
'message' => lang('Employees.unsuccessful_change_password'),
'id' => -1
'id' => NEW_ENTRY
]);
}
} else { // TODO: Replace -1 with constant
} else {
return $this->response->setJSON([
'success' => false,
'message' => lang('Employees.current_password_invalid'),
'id' => -1
'id' => NEW_ENTRY
]);
}
} else { // TODO: Replace -1 with constant
} else {
return $this->response->setJSON([
'success' => false,
'message' => lang('Employees.current_password_invalid'),
'id' => -1
'id' => NEW_ENTRY
]);
}
}
}
}

42
app/Controllers/Items.php
View File

@@ -96,7 +96,7 @@ class Items extends Secure_Controller
**/
public function getSearch(): ResponseInterface
{
$search = $this->request->getGet('search');
$search = $this->request->getGet('search', FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$limit = $this->request->getGet('limit', FILTER_SANITIZE_NUMBER_INT);
$offset = $this->request->getGet('offset', FILTER_SANITIZE_NUMBER_INT);
$sort = $this->sanitizeSortColumn(item_headers(), $this->request->getGet('sort', FILTER_SANITIZE_FULL_SPECIAL_CHARS), 'item_id');
@@ -148,6 +148,7 @@ class Items extends Secure_Controller
{
helper('file');
$pic_filename = rawurldecode($pic_filename);
$file_extension = pathinfo($pic_filename, PATHINFO_EXTENSION);
$images = glob("./uploads/item_pics/$pic_filename");
$base_path = './uploads/item_pics/' . pathinfo($pic_filename, PATHINFO_FILENAME);
@@ -377,7 +378,7 @@ class Items extends Secure_Controller
} else {
$images = glob("./uploads/item_pics/$item_info->pic_filename");
}
$data['image_path'] = sizeof($images) > 0 ? base_url($images[0]) : '';
$data['image_path'] = sizeof($images) > 0 ? base_url(implode('/', array_map('rawurlencode', explode('/', ltrim($images[0], './'))))) : '';
} else {
$data['image_path'] = '';
}
@@ -617,7 +618,7 @@ class Items extends Secure_Controller
// Save item data
$item_data = [
'name' => $this->request->getPost('name'),
'description' => $this->request->getPost('description'),
'description' => $this->request->getPost('description', FILTER_SANITIZE_FULL_SPECIAL_CHARS),
'category' => $this->request->getPost('category'),
'item_type' => $item_type,
'stock_type' => $this->request->getPost('stock_type') === null ? HAS_STOCK : intval($this->request->getPost('stock_type')),
@@ -768,10 +769,13 @@ class Items extends Secure_Controller
$filename = $file->getClientName();
$info = pathinfo($filename);
// Sanitize filename to remove problematic characters like spaces
$sanitized_name = preg_replace('/[^a-zA-Z0-9_\-\.]/', '_', $info['filename']);
$file_info = [
'orig_name' => $filename,
'raw_name' => $info['filename'],
'raw_name' => $sanitized_name,
'file_ext' => $file->guessExtension()
];
@@ -1017,7 +1021,11 @@ class Items extends Secure_Controller
}
if (!$is_failed_row) {
$is_failed_row = $this->data_error_check($row, $item_data, $allowed_stock_locations, $attribute_definition_names, $attribute_data);
$invalidLocations = $this->validateCSVStockLocations($row, $allowedStockLocations);
if (!empty($invalidLocations)) {
$isFailedRow = true;
log_message('error', 'CSV import: Invalid stock location(s) found: ' . implode(', ', $invalidLocations));
}
}
// Remove false, null, '' and empty strings but keep 0
@@ -1063,6 +1071,30 @@ class Items extends Secure_Controller
}
/**
* Validates that stock location columns in CSV row are valid locations
*
* @param array $row
* @param array $allowedLocations
* @return array Returns array of invalid location names, empty if all valid
*/
private function validateCSVStockLocations(array $row, array $allowedLocations): array
{
$invalidLocations = [];
$allowedLocationNames = array_values($allowedLocations);
foreach (array_keys($row) as $key) {
if (str_starts_with($key, 'location_')) {
$locationName = substr($key, 9);
if (!in_array($locationName, $allowedLocationNames)) {
$invalidLocations[] = $locationName;
}
}
}
return $invalidLocations;
}
/**
* Checks the entire line of data in an import file for errors
*

10
app/Controllers/Sales.php
View File

@@ -755,8 +755,11 @@ class Sales extends Secure_Controller
$data['sale_status'] = COMPLETED;
$sale_type = SALE_TYPE_INVOICE;
// The PHP file name is the same as the invoice_type key
$invoice_view = $this->config['invoice_type'];
$invoice_type = $this->config['invoice_type'];
if (!Sale_lib::isValidInvoiceType($invoice_type)) {
$invoice_type = 'invoice';
}
$invoice_view = $invoice_type;
// Save the data to the sales table
$data['sale_id_num'] = $this->sale->save_value($sale_id, $data['sale_status'], $data['cart'], $customer_id, $employee_id, $data['comments'], $invoice_number, $work_order_number, $quote_number, $sale_type, $data['payments'], $data['dinner_table'], $tax_details);
@@ -1107,6 +1110,9 @@ class Sales extends Secure_Controller
}
$invoice_type = $this->config['invoice_type'];
if (!Sale_lib::isValidInvoiceType($invoice_type)) {
$invoice_type = 'invoice';
}
$data['invoice_view'] = $invoice_type;
return $data;

4
app/Database/Migrations/20170502221506_sales_tax_data.php
View File

@@ -267,6 +267,8 @@ class Migration_Sales_Tax_Data extends Migration
*/
public function round_number(int $rounding_mode, string $amount, int $decimals): float
{
$amount = (float)$amount;
if ($rounding_mode == Migration_Sales_Tax_Data::ROUND_UP) {
$fig = pow(10, $decimals);
$rounded_total = (ceil($fig * $amount) + ceil($fig * $amount - ceil($fig * $amount))) / $fig;
@@ -376,7 +378,7 @@ class Migration_Sales_Tax_Data extends Migration
$decimals = totals_decimals();
foreach ($sales_taxes as $row_number => $sales_tax) {
$sale_tax_amount = $sales_tax['sale_tax_amount'];
$sale_tax_amount = (float)$sales_tax['sale_tax_amount'];
$rounding_code = $sales_tax['rounding_code'];
$rounded_sale_tax_amount = $sale_tax_amount;

4
app/Database/Migrations/20200202000000_taxamount.php
View File

@@ -243,6 +243,8 @@ class Migration_TaxAmount extends Migration
*/
public function round_number(int $rounding_mode, string $amount, int $decimals): float // TODO: is this currency safe?
{ // TODO: This needs to be converted to a switch
$amount = (float)$amount;
if ($rounding_mode == Migration_TaxAmount::ROUND_UP) { // TODO: === ?
$fig = pow(10, $decimals);
$rounded_total = (ceil($fig * $amount) + ceil($fig * $amount - ceil($fig * $amount))) / $fig;
@@ -354,7 +356,7 @@ class Migration_TaxAmount extends Migration
$decimals = totals_decimals();
foreach ($sales_taxes as $row_number => $sales_tax) {
$sale_tax_amount = $sales_tax['sale_tax_amount'];
$sale_tax_amount = (float)$sales_tax['sale_tax_amount'];
$rounding_code = $sales_tax['rounding_code'];
$rounded_sale_tax_amount = $sale_tax_amount;

65
app/Database/Migrations/20250521000000_FixImageFilenameSpaces.php Normal file
View File

@@ -0,0 +1,65 @@
<?php
namespace App\Database\Migrations;
use CodeIgniter\Database\Migration;
/**
* Migration to sanitize existing image filenames by replacing spaces with underscores
* This fixes issue #4372 where thumbnails failed to load for images with spaces in filenames
*/
class FixImageFilenameSpaces extends Migration
{
/**
* Perform a migration.
*/
public function up(): void
{
$db = \Config\Database::connect();
$builder = $db->table('ospos_items');
// Get all items with pic_filename containing spaces
$query = $builder->like('pic_filename', ' ', 'both')->get();
$items = $query->getResult();
foreach ($items as $item) {
$old_filename = $item->pic_filename;
$ext = pathinfo($old_filename, PATHINFO_EXTENSION);
$base_name = pathinfo($old_filename, PATHINFO_FILENAME);
// Sanitize the filename by replacing spaces and special characters
$sanitized_name = preg_replace('/[^a-zA-Z0-9_\-\.]/', '_', $base_name);
$new_filename = $sanitized_name . '.' . $ext;
// Rename the file on the filesystem
$old_path = FCPATH . 'uploads/item_pics/' . $old_filename;
$new_path = FCPATH . 'uploads/item_pics/' . $new_filename;
if (file_exists($old_path)) {
// Rename the original file
if (rename($old_path, $new_path)) {
// Check if thumbnail exists and rename it too
$old_thumb = FCPATH . 'uploads/item_pics/' . $base_name . '_thumb.' . $ext;
$new_thumb = FCPATH . 'uploads/item_pics/' . $sanitized_name . '_thumb.' . $ext;
if (file_exists($old_thumb)) {
rename($old_thumb, $new_thumb);
}
// Update database record
$builder->where('item_id', $item->item_id)
->update(['pic_filename' => $new_filename]);
}
}
}
}
/**
* Revert a migration.
* Note: This migration does not support rollback as the original filenames are lost
*/
public function down(): void
{
// This migration cannot be safely reversed as the original filenames are lost
// after sanitization.
}
}

5
app/Helpers/tabular_helper.php
View File

@@ -48,7 +48,7 @@ function transform_headers(array $headers, bool $readonly = false, bool $editabl
'field' => key($element),
'title' => current($element),
'switchable' => $element['switchable'] ?? !preg_match('(^$|&nbsp)', current($element)),
'escape' => !preg_match("/(edit|email|messages|item_pic|customer_name|note)/", key($element)) && !(isset($element['escape']) && !$element['escape']),
'escape' => !preg_match("/(edit|email|messages|item_pic)/", key($element)) && !(isset($element['escape']) && !$element['escape']),
'sortable' => $element['sortable'] ?? current($element) != '',
'checkbox' => $element['checkbox'] ?? false,
'class' => isset($element['checkbox']) || preg_match('(^$|&nbsp)', current($element)) ? 'print_hide' : '',
@@ -470,7 +470,8 @@ function get_item_data_row(object $item): array
: glob("./uploads/item_pics/$item->pic_filename");
if (sizeof($images) > 0) {
$image .= '<a class="rollover" href="' . base_url($images[0]) . '"><img alt="Image thumbnail" src="' . site_url('items/PicThumb/' . pathinfo($images[0], PATHINFO_BASENAME)) . '"></a>';
$image_path = ltrim($images[0], './');
$image .= '<a class="rollover" href="' . base_url(implode('/', array_map('rawurlencode', explode('/', $image_path)))) . '"><img alt="Image thumbnail" src="' . site_url('items/PicThumb/' . rawurlencode(pathinfo($images[0], PATHINFO_BASENAME))) . '"></a>';
}
}

1
app/Language/en/Giftcards.php
View File

@@ -5,7 +5,6 @@ return [
"allow_alt_description" => "Allow Alternate Description",
"bulk_edit" => "Bulk Edit",
"cannot_be_deleted" => "Could not delete selected Gift Card(s), one or more of the selected Gift Cards has sales.",
"error_deleting_non_admin" => "Only admin users can delete gift cards.",
"cannot_find_giftcard" => "Gift Card not found.",
"cannot_use" => "Gift Card {0} cannot be used for this sale: invalid Customer.",
"card_value" => "Value",

1
app/Language/en/Items.php
View File

@@ -26,6 +26,7 @@ return [
"cost_price_required" => "Wholesale Price is a required field.",
"count" => "Update Inventory",
"csv_import_failed" => "CSV import failed",
"csv_import_invalid_location" => "Invalid stock location(s) found: {0}. Only valid stock locations are allowed.",
"csv_import_nodata_wrongformat" => "The uploaded CSV file has no data or is formatted incorrectly.",
"csv_import_partially_failed" => "There were {0} item import failure(s) on line(s): {1}. No rows were imported.",
"csv_import_success" => "Item CSV import successful.",

15
app/Libraries/Sale_lib.php
View File

@@ -88,9 +88,13 @@ class Sale_lib
return $register_modes;
}
/**
* @return array
*/
private const ALLOWED_INVOICE_TYPES = [
'invoice',
'tax_invoice',
'custom_invoice',
'custom_tax_invoice'
];
public function get_invoice_type_options(): array
{
$invoice_types = [];
@@ -101,6 +105,11 @@ class Sale_lib
return $invoice_types;
}
public static function isValidInvoiceType(string $invoice_type): bool
{
return in_array($invoice_type, self::ALLOWED_INVOICE_TYPES, true);
}
/**
* @return array
*/

12
app/Models/Employee.php
View File

@@ -539,15 +539,13 @@ class Employee extends Person
* Checks if the employee has admin privileges (all module permissions).
* The first employee (person_id = 1) is considered admin by default.
*/
public function is_admin(int $person_id): bool
public function isAdmin(int $person_id): bool
{
if ($person_id === 1) {
return true;
}
$modules = ['customers', 'employees', 'giftcards', 'items', 'item_kits', 'messages', 'receivings', 'reports', 'sales', 'config', 'suppliers'];
foreach ($modules as $module) {
foreach (ADMIN_MODULES as $module) {
if (!$this->has_grant($module, $person_id)) {
return false;
}
@@ -561,13 +559,13 @@ class Employee extends Person
* Only admins can modify other admin accounts.
* Users cannot modify their own grants unless they are admin.
*/
public function can_modify_employee(int $target_person_id, int $current_person_id): bool
public function canModifyEmployee(int $target_person_id, int $current_person_id): bool
{
if ($target_person_id === $current_person_id) {
return !$this->is_admin($target_person_id) || $this->is_admin($current_person_id);
return !$this->isAdmin($target_person_id) || $this->isAdmin($current_person_id);
}
if ($this->is_admin($target_person_id) && !$this->is_admin($current_person_id)) {
if ($this->isAdmin($target_person_id) && !$this->isAdmin($current_person_id)) {
return false;
}

6
app/Models/Item.php
View File

@@ -199,9 +199,9 @@ class Item extends Model
if (!empty($search)) {
if ($attributes_enabled && $filters['search_custom']) {
$builder->having("attribute_values LIKE '%$search%'");
$builder->orHaving("attribute_dtvalues LIKE '%$search%'");
$builder->orHaving("attribute_dvalues LIKE '%$search%'");
$builder->having("attribute_values LIKE :search:", ['search' => "%$search%"]);
$builder->orHaving("attribute_dtvalues LIKE :search_dt:", ['search_dt' => "%$search%"]);
$builder->orHaving("attribute_dvalues LIKE :search_d:", ['search_d' => "%$search%"]);
} else {
$builder->groupStart();
$builder->like('name', $search);

5
app/Models/Reports/Summary_discounts.php
View File

@@ -28,9 +28,10 @@ class Summary_discounts extends Summary_report
$builder = $this->db->table('sales_items AS sales_items');
if ($inputs['discount_type'] == FIXED) {
$builder->select('SUM(sales_items.discount) AS total, MAX(CONCAT("' . $config['currency_symbol'] . '",sales_items.discount)) AS discount, count(*) AS count');
$currency_symbol = $this->db->escape($config['currency_symbol']);
$builder->select('SUM(sales_items.discount) AS total, MAX(CONCAT(' . $currency_symbol . ', sales_items.discount)) AS discount, count(*) AS count');
$builder->where('discount_type', FIXED);
} elseif ($inputs['discount_type'] == PERCENT) { // TODO: === ?
} elseif ($inputs['discount_type'] == PERCENT) {
$builder->select('SUM(item_unit_price) * sales_items.discount / 100.0 AS total, MAX(CONCAT(sales_items.discount, "%")) AS discount, count(*) AS count');
$builder->where('discount_type', PERCENT);
}

2
app/Views/employees/form.php
View File

@@ -142,7 +142,7 @@
<li>
<?= form_checkbox("grant_$permission->permission_id", $permission->permission_id, $permission->grant == 1) ?>
<?= form_hidden("menu_group_$permission->permission_id", "--") ?>
<span class="medium"><?= $lang_line ?></span>
<span class="medium"><?= esc($lang_line) ?></span>
</li>
</ul>
<?php

14
app/Views/receivings/receiving.php
View File

@@ -215,15 +215,15 @@ if (isset($success)) {
'class' => 'form-control input-sm',
'value' => $item['description']
]);
} else {
if ($item['description'] != '') { // TODO: !==?
echo $item['description'];
echo form_hidden('description', $item['description']);
} else {
echo '<i>' . lang('Sales.no_description') . '</i>';
echo form_hidden('description', '');
if ($item['description'] != '') { // TODO: !==?
echo esc($item['description']);
echo form_hidden('description', $item['description']);
} else {
echo '<i>' . lang('Sales.no_description') . '</i>';
echo form_hidden('description', '');
}
}
}
?>
</td>
<td colspan="7"></td>

137
integration-tests/README.md Normal file
View File

@@ -0,0 +1,137 @@
# Integration Tests for Open Source POS
This directory contains integration tests for Open Source POS using Docker Compose and Playwright.
## Test Suites
### 1. Basic Integration Tests (`run-integration-tests.sh`)
Simple HTTP-based tests that verify the application is running and accessible.
**Tests:**
- Application startup
- Login page accessibility
- HTTP status code validation
- Login form presence
- Database connectivity (indirect)
### 2. Playwright E2E Tests (`tests/`)
Full browser automation tests using Playwright.
#### Login Tests (`tests/login.spec.ts`)
- Display login page
- Login with valid credentials
- Reject invalid credentials
- Redirect protected pages to login
- Console error detection
#### Item/Inventory Tests (`tests/items.spec.ts`)
- Create new item with basic details
- Create item with category selection
- Update existing item
- Verify items appear in inventory table
#### Customer Tests (`tests/customers.spec.ts`)
- Create new customer with basic details
- Create customer with complete address information
- Search for existing customers
- Verify customer details in table format
#### Sales Tests (`tests/sales.spec.ts`)
- Create sale with item and customer
- Add payment to sale
- Complete sale transaction
- Verify receipt generation
- Multi-item sale scenarios
- Different payment methods (cash)
- Receipt validation and display
#### Combined Operations
- Create item and customer sequentially
- Verify both entities appear in their respective tables
## Prerequisites
- Docker and Docker Compose
- Node.js 18+
- npm
## Local Setup
1. Install Node.js dependencies:
```bash
npm install
```
2. Install Playwright browsers:
```bash
npx playwright install --with-deps chromium firefox
```
## Running Tests
### Basic Integration Tests
```bash
chmod +x run-integration-tests.sh
./run-integration-tests.sh
```
### Playwright Tests
```bash
npm test
```
Run with UI:
```bash
npm run test:ui
```
Run with headed browser:
```bash
npm run test:headed
```
Debug mode:
```bash
npm run test:debug
```
## GitHub Actions
The CI pipeline runs both test suites on push/PR to master:
1. **Integration Job**: Basic Docker stack tests
2. **Playwright Job**: Full browser automation tests
Artifacts uploaded on failure:
- Playwright HTML report
- Test screenshots
- Trace files
- Docker container logs
## Test Results
- Playwright HTML reports: `playwright-report/`
- Test results: `test-results/`
- Screenshots (on failure): `test-results/**/*.png`
- Traces (on failure): `test-results/**/*.zip`
## Environment Variables
- `BASE_URL`: Application base URL (default: http://localhost)
## Clean Up
Stop and clean Docker resources:
```bash
docker compose down -v
```
## Note on Local Playwright Setup
Playwright requires system dependencies to be installed. If you don't have sudo access, you can:
1. Use CI environment (GitHub Actions)
2. Run Playwright tests in Docker container with proper permissions
3. Use the basic integration tests instead

32
integration-tests/playwright.config.ts Normal file
View File

@@ -0,0 +1,32 @@
import { defineConfig, devices } from '@playwright/test';
export default defineConfig({
testDir: './tests',
outputDir: './test-results',
fullyParallel: false,
forbidOnly: !!process.env.CI,
retries: process.env.CI ? 2 : 0,
workers: 1,
reporter: [
['html', { outputFolder: './playwright-report' }],
['junit', { outputFile: './test-results/junit.xml' }],
['list']
],
use: {
baseURL: 'http://localhost',
trace: 'on-first-retry',
screenshot: 'only-on-failure',
video: 'retain-on-failure',
},
projects: [
{
name: 'chromium',
use: { ...devices['Desktop Chrome'] },
},
{
name: 'firefox',
use: { ...devices['Desktop Firefox'] },
},
],
});

96
integration-tests/run-integration-tests.sh Executable file
View File

@@ -0,0 +1,96 @@
#!/bin/bash
set -e
echo "=== Open Source POS Integration Tests ==="
echo ""
# Start Docker Stack
echo "1. Starting Docker Stack..."
docker compose up -d
echo "2. Waiting for application to be ready..."
timeout=60
elapsed=0
while [ $elapsed -lt $timeout ]; do
if curl -s -f http://localhost/ > /dev/null 2>&1; then
echo " ✓ Application is ready!"
break
fi
sleep 2
elapsed=$((elapsed + 2))
if [ $elapsed -eq $timeout ]; then
echo " ✗ Application not ready after ${timeout}s"
echo " === Logs ==="
docker logs opensourcepos-integration-tests-ospos-1
docker logs mysql
exit 1
fi
echo " Waiting... (${elapsed}s)"
done
# Check Login Page
echo ""
echo "3. Checking Login Page..."
response=$(curl -s http://localhost/)
if echo "$response" | grep -q "Open Source Point of Sale"; then
echo " ✓ Login page accessible"
else
echo " ✗ Login page not accessible"
exit 1
fi
if echo "$response" | grep -q "Login"; then
echo " ✓ Login form found"
else
echo " ✗ Login form not found"
exit 1
fi
if echo "$response" | grep -q "username"; then
echo " ✓ Username field found"
else
echo " ✗ Username field not found"
exit 1
fi
if echo "$response" | grep -q "password"; then
echo " ✓ Password field found"
else
echo " ✗ Password field not found"
exit 1
fi
# Check HTTP Status
echo ""
echo "4. Checking HTTP Status..."
status=$(curl -s -o /dev/null -w "%{http_code}" http://localhost/)
if [ "$status" -eq 200 ]; then
echo " ✓ HTTP status: $status"
else
echo " ✗ HTTP status: $status"
exit 1
fi
# Database Check
echo ""
echo "5. Checking Database Connection..."
db_logs=$(docker logs opensourcepos-integration-tests-ospos-1 2>&1)
if echo "$db_logs" | grep -qi "database.*connected\|mysql.*connected\|mysqli.*connected"; then
echo " ✓ Database connected"
else
echo " ⚠ Database connection status unclear (checking if app is responding)"
if curl -s -f http://localhost/ > /dev/null; then
echo " ✓ Application responding to requests"
fi
fi
echo ""
echo "=== All Tests Passed! ✓ ==="
# Cleanup
echo ""
echo "6. Stopping Docker Stack..."
docker compose down -v
exit 0

273
integration-tests/tests/customers.spec.ts Normal file
View File

@@ -0,0 +1,273 @@
import { test, expect } from '@playwright/test';
test.describe('Open Source POS - Customers', () => {
test.beforeEach(async ({ page }) => {
// Navigate to login page
await page.goto('/');
// Login with admin credentials
await page.fill('input[name="username"]', 'admin');
await page.fill('input[name="password"]', 'pointofsale');
await page.click('button[type="submit"], input[type="submit"]');
// Wait for navigation to complete
await page.waitForLoadState('networkidle');
// Check for login errors
const errorMessage = page.locator('.alert-danger, .error, .alert[role="alert"]');
const errorCount = await errorMessage.count();
if (errorCount > 0) {
const errorText = await errorMessage.first().textContent();
console.log('Login error:', errorText);
throw new Error(`Login failed: ${errorText}`);
}
test.setTimeout(60000);
});
test('should create a customer and verify it appears in table', async ({ page }) => {
// Navigate to customers page
const customersLink = page.locator('a[href*="customers"], a:has-text("Customer")');
await customersLink.first().click();
await page.waitForLoadState('networkidle');
// Look for "Add Customer" or "New Customer" button
const addCustomerButton = page.locator('button:has-text("Add"), button:has-text("New"), a:has-text("Add")');
await addCustomerButton.first().click();
await page.waitForLoadState('networkidle');
// Fill in customer details
const firstName = 'John';
const lastName = `Test ${Date.now()}`;
const email = `test.${Date.now()}@example.com`;
const phone = `+1-555-${Math.floor(Math.random() * 9000) + 1000}`;
await page.fill('input[name="first_name"], input[name="first"], #first_name', firstName);
await page.fill('input[name="last_name"], input[name="last"], #last_name', lastName);
await page.fill('input[name="email"], #email', email);
await page.fill('input[name="phone_number"], input[name="phone"], #phone_number, #phone', phone);
// Fill address if fields exist
const addressField = page.locator('input[name*="address"]').first();
const addressCount = await addressField.count();
if (addressCount > 0) {
await addressField.fill('123 Test Street');
}
const cityField = page.locator('input[name="city"], #city');
const cityCount = await cityField.count();
if (cityCount > 0) {
await cityField.fill('Test City');
}
// Save the customer
const saveButton = page.locator('button[type="submit"], button:has-text("Save"), button:has-text("Submit")');
await saveButton.first().click();
await page.waitForLoadState('networkidle');
// Navigate back to customers list
await page.goto('/customers');
await page.waitForLoadState('networkidle');
// Search for the created customer
const searchInput = page.locator('input[name="search"], input[placeholder*="Search"], #search').first();
await searchInput.fill(lastName);
await page.keyboard.press('Enter');
await page.waitForLoadState('networkidle');
// Verify the customer appears in the table
const customerName = `${firstName} ${lastName}`;
const customerRow = page.locator('table, tbody').locator(`text=${lastName}`).first();
await expect(customerRow).toBeVisible({ timeout: 10000 });
// Also verify email appears if shown in table
const emailVisible = await page.locator(`text=${email}`).count();
if (emailVisible > 0) {
console.log('✓ Customer email also visible in table');
}
console.log('✓ Customer created and verified in table');
});
test('should create a customer with complete details', async ({ page }) => {
// Navigate to customers page
await page.goto('/customers');
await page.waitForLoadState('networkidle');
// Add new customer
await page.getByRole('button', { name: /add|new/i }).first().click();
await page.waitForLoadState('networkidle');
// Fill customer details
const customerData = {
firstName: 'Jane',
lastName: `Complete ${Date.now()}`,
email: `complete.${Date.now()}@example.com`,
phone: `+1-555-${Math.floor(Math.random() * 9000) + 1000}`,
address: '456 Complete Ave',
city: 'Complete City',
state: 'Test State',
zip: '12345',
country: 'Test Country'
};
await page.fill('input[name="first_name"], input[name="first"]', customerData.firstName);
await page.fill('input[name="last_name"], input[name="last"]', customerData.lastName);
await page.fill('input[name="email"], #email', customerData.email);
await page.fill('input[name="phone_number"], input[name="phone"]', customerData.phone);
// Fill address fields if they exist
await page.fill('input[name^="address"], input[name*="address"]', customerData.address).catch(() => {});
await page.fill('input[name="city"], #city', customerData.city).catch(() => {});
await page.fill('input[name="state"], #state', customerData.state).catch(() => {});
await page.fill('input[name="zip"], input[name="zip_code"], #zip', customerData.zip).catch(() => {});
await page.fill('input[name="country"], #country', customerData.country).catch(() => {});
// Add comments
const commentsField = page.locator('textarea[name="comments"], #comments');
const commentsCount = await commentsField.count();
if (commentsCount > 0) {
await commentsField.fill('Test customer for automation');
}
// Save customer
await page.getByRole('button', { name: /save|submit/i }).first().click();
await page.waitForLoadState('networkidle');
// Verify customer appears in list
await page.goto('/customers');
await page.waitForLoadState('networkidle');
const customerName = `${customerData.firstName} ${customerData.lastName}`;
const customerVisible = await page.locator(`text=${lastName}`).count();
expect(customerVisible).toBeGreaterThan(0);
console.log('✓ Customer with complete details created and verified');
});
test('should search for existing customer', async ({ page }) => {
// Navigate to customers page
await page.goto('/customers');
await page.waitForLoadState('networkidle');
// Search for a customer (John Doe from default database)
const searchInput = page.locator('input[name="search"], input[placeholder*="Search"], #search').first();
await searchInput.fill('Doe');
await page.keyboard.press('Enter');
await page.waitForLoadState('networkidle');
// Verify customer appears
const customerVisible = await page.locator('text=Doe').count();
expect(customerVisible).toBeGreaterThan(0);
console.log('✓ Customer search successful');
});
test('should verify customer details in table', async ({ page }) => {
// Create a customer first
await page.goto('/customers');
await page.waitForLoadState('networkidle');
await page.getByRole('button', { name: /add|new/i }).first().click();
await page.waitForLoadState('networkidle');
const customerData = {
firstName: 'Table',
lastName: `Test ${Date.now()}`,
email: `table.${Date.now()}@example.com`,
phone: '555-1234'
};
await page.fill('input[name="first_name"], input[name="first"]', customerData.firstName);
await page.fill('input[name="last_name"], input[name="last"]', customerData.lastName);
await page.fill('input[name="email"], #email', customerData.email);
await page.fill('input[name="phone_number"], input[name="phone"]', customerData.phone);
await page.getByRole('button', { name: /save|submit/i }).first().click();
await page.waitForLoadState('networkidle');
// Navigate to customer list
await page.goto('/customers');
await page.waitForLoadState('networkidle');
// Check table structure
const table = page.locator('table').first();
await expect(table).toBeVisible();
// Verify customer data appears
const tableContents = await table.textContent();
expect(tableContents).toContain(customerData.lastName);
if (tableContents.includes(customerData.email)) {
console.log('✓ Customer email visible in table');
}
if (tableContents.includes(customerData.phone)) {
console.log('✓ Customer phone visible in table');
}
console.log('✓ Customer details verified in table format');
});
});
test.describe('Open Source POS - Combined Operations', () => {
test.beforeEach(async ({ page }) => {
await page.goto('/');
await page.fill('input[name="username"]', 'admin');
await page.fill('input[name="password"]', 'pointofsale');
await page.click('button[type="submit"], input[type="submit"]');
await page.waitForLoadState('networkidle');
test.setTimeout(60000);
});
test('should create item and customer and verify both in their tables', async ({ page }) => {
// Create customer first
await page.goto('/customers');
await page.waitForLoadState('networkidle');
await page.getByRole('button', { name: /add|new/i }).first().click();
await page.waitForLoadState('networkidle');
const customerName = `Combined ${Date.now()}`;
await page.fill('input[name="first_name"], input[name="first"]', 'Combined');
await page.fill('input[name="last_name"], input[name="last"]', customerName);
await page.fill('input[name="email"], #email', `combined.${Date.now()}@example.com`);
await page.fill('input[name="phone_number"], input[name="phone"]', '555-9999');
await page.getByRole('button', { name: /save|submit/i }).first().click();
await page.waitForLoadState('networkidle');
// Create item
await page.goto('/items');
await page.waitForLoadState('networkidle');
await page.getByRole('button', { name: /add|new/i }).first().click();
await page.waitForLoadState('networkidle');
const itemName = `Combined Item ${Date.now()}`;
await page.fill('input[name="name"], input[name="item_name"]', itemName);
await page.fill('input[name="item_number"], input[name="number"]', `COMB-${Date.now()}`);
await page.fill('input[name="unit_price"], input[name="cost_price"]', '25.00');
await page.fill('input[name="quantity"]', '10');
await page.getByRole('button', { name: /save|submit/i }).first().click();
await page.waitForLoadState('networkidle');
// Verify both exist
await page.goto('/customers');
await page.waitForLoadState('networkidle');
const customerVisible = await page.locator(`text=${customerName}`).count();
expect(customerVisible).toBeGreaterThan(0);
await page.goto('/items');
await page.waitForLoadState('networkidle');
const itemVisible = await page.locator(`text=${itemName}`).count();
expect(itemVisible).toBeGreaterThan(0);
console.log('✓ Both item and customer created and verified');
});
});

151
integration-tests/tests/items.spec.ts Normal file
View File

@@ -0,0 +1,151 @@
import { test, expect } from '@playwright/test';
test.describe('Open Source POS - Items', () => {
test.beforeEach(async ({ page }) => {
// Navigate to login page
await page.goto('/');
// Login with admin credentials
await page.fill('input[name="username"]', 'admin');
await page.fill('input[name="password"]', 'pointofsale');
await page.click('button[type="submit"], input[type="submit"]');
// Wait for navigation to complete
await page.waitForLoadState('networkidle');
// Check if we're logged in (look for navigation elements)
const nav = page.locator('nav, .navbar-nav, .sidebar');
// If we see error message, login failed
const errorMessage = page.locator('.alert-danger, .error, .alert[role="alert"]');
const errorCount = await errorMessage.count();
if (errorCount > 0) {
const errorText = await errorMessage.first().textContent();
console.log('Login error:', errorText);
throw new Error(`Login failed: ${errorText}`);
}
test.setTimeout(60000);
});
test('should create an item and verify it appears in table', async ({ page }) => {
// Navigate to items page
const navigationOption = page.locator('a[href*="items"], a:has-text("Item"), a:has-text("Inventory")');
await navigationOption.first().click();
await page.waitForLoadState('networkidle');
// Look for "Add Item" or "New Item" button
const addItemButton = page.locator('button:has-text("Add"), button:has-text("New"), a:has-text("Add")');
await addItemButton.first().click();
await page.waitForLoadState('networkidle');
// Fill in item details
const itemName = `Test Item ${Date.now()}`;
const itemNumber = `12345-${Date.now()}`;
await page.fill('input[name="name"], input[name="item_name"], #name, #item_name', itemName);
await page.fill('input[name="item_number"], input[name="number"], #item_number', itemNumber);
// Set price and cost
await page.fill('input[name="unit_price"], input[name="cost_price"], #unit_price, #cost_price', '10.00');
await page.fill('input[name="cost_price"], #cost_price', '5.00');
// Set quantity
await page.fill('input[name="quantity"], #quantity', '100');
// Save the item
const saveButton = page.locator('button[type="submit"], button:has-text("Save"), button:has-text("Submit")');
await saveButton.first().click();
await page.waitForLoadState('networkidle');
// Navigate back to items list
await page.goto('/items');
await page.waitForLoadState('networkidle');
// Search for the created item
const searchInput = page.locator('input[name="search"], input[placeholder*="Search"], #search').first();
await searchInput.fill(itemName);
await page.keyboard.press('Enter');
await page.waitForLoadState('networkidle');
// Verify the item appears in the table
const itemRow = page.locator('table, tbody').locator(`text=${itemName}`).first();
await expect(itemRow).toBeVisible({ timeout: 10000 });
console.log('✓ Item created and verified in table');
});
test('should create an item with category and verify', async ({ page }) => {
// Navigate to items page
const itemsLink = page.locator('a[href*="items"]');
await itemsLink.first().click();
await page.waitForLoadState('networkidle');
// Add new item
await page.getByRole('button', { name: /add|new/i }).first().click();
await page.waitForLoadState('networkidle');
// Fill item details
const itemName = `Category Test Item ${Date.now()}`;
await page.fill('input[name="name"], input[name="item_name"]', itemName);
await page.fill('input[name="item_number"], input[name="number"]', `CAT-${Date.now()}`);
// Set price and cost
await page.fill('input[name="unit_price"]', '15.99');
await page.fill('input[name="cost_price"]', '8.50');
// Set quantity
await page.fill('input[name="quantity"]', '50');
// Select category (if dropdown exists)
const categorySelect = page.locator('select[name*="category"], select[name*="category_id"]');
const categoryCount = await categorySelect.count();
if (categoryCount > 0) {
await categorySelect.first().selectOption({ index: 1 }); // Select first available category
}
// Save item
await page.getByRole('button', { name: /save|submit/i }).first().click();
await page.waitForLoadState('networkidle');
// Verify item appears in list
await page.goto('/items');
await page.waitForLoadState('networkidle');
const itemVisible = await page.locator(`text=${itemName}`).count();
expect(itemVisible).toBeGreaterThan(0);
console.log('✓ Item with category created and verified');
});
test('should update an existing item', async ({ page }) => {
// Navigate to items page
await page.goto('/items');
await page.waitForLoadState('networkidle');
// Find and click edit button for an item
const editButton = page.locator('button:has-text("Edit"), a:has-text("Edit"), .edit').first();
await editButton.click();
await page.waitForLoadState('networkidle');
// Update item name
const updatedName = `Updated Item ${Date.now()}`;
const nameInput = page.locator('input[name="name"], input[name="item_name"]');
await nameInput.fill(updatedName);
// Save changes
await page.getByRole('button', { name: /save|submit|update/i }).first().click();
await page.waitForLoadState('networkidle');
// Navigate back and verify update
await page.goto('/items');
await page.waitForLoadState('networkidle');
const updatedItemVisible = await page.locator(`text=${updatedName}`).count();
expect(updatedItemVisible).toBeGreaterThan(0);
console.log('✓ Item updated successfully');
});
});

98
integration-tests/tests/login.spec.ts Normal file
View File

@@ -0,0 +1,98 @@
import { test, expect } from '@playwright/test';
test.describe('Open Source POS - Login', () => {
let baseUrl: string;
test.beforeEach(async ({ page }) => {
baseUrl = process.env.BASE_URL || 'http://localhost';
test.setTimeout(60000);
});
test('should display login page', async ({ page }) => {
await page.goto('/');
// Check page title
await expect(page).toHaveTitle(/Open Source Point of Sale/);
// Check for login form
await expect(page.locator('input[name="username"]')).toBeVisible();
await expect(page.locator('input[name="password"]')).toBeVisible();
// Check for login button
const submitButton = page.locator('button[type="submit"], input[type="submit"]');
await expect(submitButton).toBeVisible();
});
test('should login with valid credentials', async ({ page }) => {
await page.goto('/');
// Enter credentials
await page.fill('input[name="username"]', 'admin');
await page.fill('input[name="password"]', 'pointofsale');
// Submit login form
await page.click('button[type="submit"], input[type="submit"]');
// Wait for navigation
await page.waitForLoadState('networkidle');
// Check if redirected to dashboard (login successful if no error message)
const errorMessage = page.locator('.alert-danger, .error, .alert[role="alert"]');
const errorCount = await errorMessage.count();
if (errorCount === 0) {
// Login successful - check for dashboard elements
const dashboardElements = page.locator('nav, .navbar, [role="navigation"]');
await expect(dashboardElements.first()).toBeVisible({ timeout: 10000 });
} else {
// Failed login - check error message
const errorText = await errorMessage.first().textContent();
console.log('Login error:', errorText);
throw new Error(`Login failed: ${errorText}`);
}
});
test('should reject invalid credentials', async ({ page }) => {
await page.goto('/');
// Enter wrong credentials
await page.fill('input[name="username"]', 'invalid');
await page.fill('input[name="password"]', 'wrongpassword');
// Submit login form
await page.click('button[type="submit"], input[type="submit"]');
// Wait for response
await page.waitForLoadState('networkidle');
// Check for error message
const errorMessage = page.locator('.alert-danger, .error, .alert[role="alert"]');
await expect(errorMessage.first()).toBeVisible({ timeout: 10000 });
});
test('should redirect to login when accessing protected page', async ({ page }) => {
// Try to access a protected route directly
await page.goto('/home');
// Should redirect to login
await expect(page.locator('input[name="username"]')).toBeVisible({ timeout: 10000 });
});
test('should have no console errors', async ({ page }) => {
const errors: string[] = [];
page.on('console', msg => {
if (msg.type() === 'error') {
errors.push(msg.text());
}
});
await page.goto('/');
await page.waitForLoadState('networkidle');
if (errors.length > 0) {
console.error('Console errors found:', errors);
throw new Error(`Found ${errors.length} console errors`);
}
});
});

355
integration-tests/tests/sales.spec.ts Normal file
View File

@@ -0,0 +1,355 @@
import { test, expect } from '@playwright/test';
test.describe('Open Source POS - Sales', () => {
let itemName: string;
let customerName: string;
let itemNumber: string;
test.beforeEach(async ({ page }) => {
// Navigate to login page
await page.goto('/');
// Login with admin credentials
await page.fill('input[name="username"]', 'admin');
await page.fill('input[name="password"]', 'pointofsale');
await page.click('button[type="submit"], input[type="submit"]');
// Wait for navigation to complete
await page.waitForLoadState('networkidle');
// Check for login errors
const errorMessage = page.locator('.alert-danger, .error, .alert[role="alert"]');
const errorCount = await errorMessage.count();
if (errorCount > 0) {
const errorText = await errorMessage.first().textContent();
console.log('Login error:', errorText);
throw new Error(`Login failed: ${errorText}`);
}
test.setTimeout(120000);
});
test('should create sale with item and customer, add payment and complete', async ({ page }) => {
console.log('Step 1: Creating test item...');
// Create a test item first
await page.goto('/items');
await page.waitForLoadState('networkidle');
const addButton = page.locator('button:has-text("Add"), button:has-text("New"), a:has-text("Add")').first();
await addButton.click();
await page.waitForLoadState('networkidle');
itemName = `Sale Test Item ${Date.now()}`;
itemNumber = `SALE-${Date.now()}`;
await page.fill('input[name="name"], input[name="item_name"], #name, #item_name', itemName);
await page.fill('input[name="item_number"], input[name="number"], #item_number', itemNumber);
await page.fill('input[name="unit_price"], input[name="cost_price"], #unit_price, #cost_price', '25.00');
await page.fill('input[name="cost_price"], #cost_price', '10.00');
await page.fill('input[name="quantity"], #quantity', '100');
const saveButton = page.locator('button[type="submit"], button:has-text("Save"), button:has-text("Submit")').first();
await saveButton.click();
await page.waitForLoadState('networkidle');
console.log('✓ Test item created');
console.log('Step 2: Creating test customer...');
// Create a test customer
await page.goto('/customers');
await page.waitForLoadState('networkidle');
const addCustomerButton = page.locator('button:has-text("Add"), button:has-text("New"), a:has-text("Add")').first();
await addCustomerButton.click();
await page.waitForLoadState('networkidle');
const firstName = 'Sale';
const lastName = `Test ${Date.now()}`;
customerName = `${firstName} ${lastName}`;
await page.fill('input[name="first_name"], input[name="first"], #first_name', firstName);
await page.fill('input[name="last_name"], input[name="last"], #last_name', lastName);
await page.fill('input[name="email"], #email', `sale.test.${Date.now()}@example.com`);
await page.fill('input[name="phone_number"], input[name="phone"], #phone_number, #phone', '555-7777');
const saveCustomerButton = page.locator('button[type="submit"], button:has-text("Save"), button:has-text("Submit")').first();
await saveCustomerButton.click();
await page.waitForLoadState('networkidle');
console.log('✓ Test customer created');
console.log('Step 3: Starting new sale...');
// Navigate to sales page
const salesLink = page.locator('a[href*="sales"], a:has-text("Sale"), a:has-text("POS")').first();
await salesLink.click();
await page.waitForLoadState('networkidle');
// Start new sale (if needed)
const newSaleButton = page.locator('button:has-text("New"), button:has-text("New Sale"), a:has-text("New")').first();
const newSaleCount = await newSaleButton.count();
if (newSaleCount > 0) {
await newSaleButton.click();
await page.waitForLoadState('networkidle', { timeout: 5000 });
}
console.log('✓ New sale started');
console.log('Step 4: Adding item to cart...');
// Add item to cart
// Look for item search or add field
const itemSearchInput = page.locator('input[name="item"], input[placeholder*="Item"], input[placeholder*="Search"], #item_search, .item-search').first();
await itemSearchInput.fill(itemName);
// Press Enter or click add button
await page.keyboard.press('Enter');
await page.waitForTimeout(1000);
// Alternative: look for add button next to item field
const addToCartButton = page.locator('button:has-text("Add"), button:has-text("Add Item"), .add-item').first();
const addToCartCount = await addToCartButton.count();
if (addToCartCount > 0) {
await addToCartButton.click();
await page.waitForLoadState('networkidle');
}
console.log('✓ Item added to cart');
console.log('Step 5: Adding customer to sale...');
// Add customer to sale
const customerSelect = page.locator('select[name*="customer"], select[name*="customer_id"], input[name*="customer"], .customer-select').first();
const customerSelectCount = await customerSelect.count();
if (customerSelectCount > 0) {
const tagName = await customerSelect.first().evaluate(el => el.tagName.toLowerCase());
if (tagName === 'select') {
await customerSelect.selectOption({ label: new RegExp(lastName) }).catch(() => {
// If select by label doesn't work, try by value
return customerSelect.selectOption({ index: 1 });
});
} else {
await customerSelect.fill(lastName);
await page.keyboard.press('Enter');
}
}
await page.waitForTimeout(1000);
console.log('✓ Customer added to sale');
console.log('Step 6: Verifying cart contents...');
// Verify item is in cart
const cartTable = page.locator('table.cart, table tbody, .cart-items, .sales-table');
const cartVisible = await cartTable.count();
if (cartVisible > 0) {
const cartContents = await cartTable.first().textContent();
expect(cartContents).toContain(itemName || itemNumber);
console.log('✓ Item verified in cart');
}
console.log('Step 7: Adding payment...');
// Add payment
const paymentButton = page.locator('button:has-text("Payment"), button:has-text("Pay"), button:has-text("Checkout")').first();
await paymentButton.click();
await page.waitForLoadState('networkidle');
// Select payment method
const paymentMethodSelect = page.locator('select[name*="payment_method"], select[name*="payment"]').first();
const paymentMethodCount = await paymentMethodSelect.count();
if (paymentMethodCount > 0) {
await paymentMethodSelect.selectOption('Cash').catch(() => {
return paymentMethodSelect.selectOption({ index: 0 });
});
}
// Enter payment amount (should auto-fill with total)
const paymentAmountInput = page.locator('input[name*="payment_amount"], input[name*="amount"], .payment-amount').first();
const paymentAmountCount = await paymentAmountInput.count();
if (paymentAmountCount > 0) {
const currentValue = await paymentAmountInput.inputValue();
if (!currentValue || parseFloat(currentValue) === 0) {
await paymentAmountInput.fill('25.00');
}
}
console.log('✓ Payment added');
console.log('Step 8: Completing sale...');
// Complete/Confirm sale
const confirmButton = page.locator('button:has-text("Complete"), button:has-text("Confirm"), button:has-text("Submit"), button:has-text("Finish")').first();
await confirmButton.click();
await page.waitForLoadState('networkidle', { timeout: 15000 });
console.log('✓ Sale completed');
console.log('Step 9: Checking for receipt...');
// Check if receipt is generated
// Look for receipt modal, popup, or new page
const receiptModal = page.locator('.receipt, .modal, dialog, #receipt, [class*="receipt"]').first();
const receiptModalCount = await receiptModal.count();
if (receiptModalCount > 0) {
await expect(receiptModal.first()).toBeVisible({ timeout: 10000 });
console.log('✓ Receipt modal displayed');
// Verify receipt contains sale details
const receiptText = await receiptModal.first().textContent();
expect(receiptText).toBeTruthy();
if (itemName) {
expect(receiptText.toLowerCase()).toContain(itemName.toLowerCase()).catch(() => {
console.log('Note: Item name not found in receipt, but receipt is visible');
});
}
} else {
// Check for receipt in page content
const receiptContent = await page.textContent();
expect(receiptContent).toMatch(/receipt|sale|total/i);
console.log('✓ Receipt content found on page');
}
console.log('Step 10: Verifying sale details...');
// Verify success message
const successMessage = page.locator('.alert-success, .success, .success-message, .flash-success').first();
const successCount = await successMessage.count();
if (successCount > 0) {
await expect(successMessage.first()).toBeVisible({ timeout: 10000 });
console.log('✓ Success message displayed');
}
// Close receipt/modal if there's a close button
const closeButton = page.locator('button:has-text("Close"), button:has-text("OK"), .close, .modal-close, [aria-label="Close"]').first();
const closeCount = await closeButton.count();
if (closeCount > 0) {
await closeButton.click().catch(() => {
console.log('Close button click failed, but that might be OK');
});
}
console.log('\n=== Sale flow completed successfully! ===');
});
test('should create sale with multiple items', async ({ page }) => {
console.log('Creating test items for multi-item sale...');
// Create two test items
const items = [];
for (let i = 1; i <= 2; i++) {
await page.goto('/items');
await page.waitForLoadState('networkidle');
await page.locator('button:has-text("Add"), button:has-text("New")').first().click();
await page.waitForLoadState('networkidle');
const itemData = {
name: `Multi Item ${i} ${Date.now()}`,
number: `MUL-${Date.now()}-${i}`,
price: (10 * i).toFixed(2),
cost: (5 * i).toFixed(2),
quantity: '50'
};
await page.fill('input[name="name"], input[name="item_name"], #name', itemData.name);
await page.fill('input[name="item_number"], input[name="number"], #item_number', itemData.number);
await page.fill('input[name="unit_price"], #unit_price', itemData.price);
await page.fill('input[name="cost_price"], #cost_price', itemData.cost);
await page.fill('input[name="quantity"], #quantity', itemData.quantity);
await page.locator('button[type="submit"], button:has-text("Save")').first().click();
await page.waitForLoadState('networkidle');
items.push(itemData);
}
console.log('✓ Test items created');
console.log('Starting multi-item sale...');
// Navigate to sales
await page.goto('/sales');
await page.waitForLoadState('networkidle');
// Add items to cart
for (const item of items) {
const itemSearch = page.locator('input[name="item"], input[placeholder*="Item"], .item-search').first();
await itemSearch.fill(item.name);
await page.keyboard.press('Enter');
await page.waitForTimeout(1000);
}
console.log('✓ Items added to cart');
// Complete payment and sale
await page.locator('button:has-text("Payment"), button:has-text("Pay")').first().click();
await page.waitForLoadState('networkidle');
await page.locator('button:has-text("Complete"), button:has-text("Confirm")').first().click();
await page.waitForLoadState('networkidle');
// Verify receipt
const receiptModal = page.locator('.receipt, .modal, #receipt').first();
await expect(receiptModal.first()).toBeVisible({ timeout: 10000 });
console.log('✓ Multi-item sale completed with receipt');
});
test('should complete sale with cash payment', async ({ page }) => {
console.log('Testing cash payment flow...');
// Use existing item (if available) or create one
await page.goto('/items');
await page.waitForLoadState('networkidle');
// Check if there are existing items
const itemRows = page.locator('table tbody tr').count();
let itemToUse = 'Test Item';
if (itemRows === 0) {
await page.locator('button:has-text("Add"), button:has-text("New")').first().click();
await page.waitForLoadState('networkidle');
itemToUse = `Cash Test ${Date.now()}`;
await page.fill('input[name="name"], input[name="item_name"], #name', itemToUse);
await page.fill('input[name="item_number"], input[name="number"], #item_number', `CASH-${Date.now()}`);
await page.fill('input[name="unit_price"], #unit_price', '50.00');
await page.fill('input[name="cost_price"], #cost_price', '25.00');
await page.fill('input[name="quantity"], #quantity', '20');
await page.locator('button:has-text("Save")').first().click();
await page.waitForLoadState('networkidle');
}
console.log('Creating sale with cash payment...');
await page.goto('/sales');
await page.waitForLoadState('networkidle');
// Add item
const itemSearch = page.locator('input[name="item"], input[placeholder*="Item"], .item-search').first();
await itemSearch.fill(itemToUse);
await page.keyboard.press('Enter');
await page.waitForTimeout(1000);
// Select cash payment
await page.locator('button:has-text("Payment"), button:has-text("Pay")').first().click();
await page.waitForLoadState('networkidle');
const paymentMethod = page.locator('select[name*="payment_method"], select[name*="payment"]').first();
await paymentMethod.selectOption('Cash').catch(() => paymentMethod.selectOption({ index: 0 }));
// Complete sale
await page.locator('button:has-text("Complete"), button:has-text("Confirm")').first().click();
await page.waitForLoadState('networkidle');
// Verify receipt is generated
const receiptVisible = await page.locator('.receipt, .modal, #receipt').count();
expect(receiptVisible).toBeGreaterThan(0);
console.log('✓ Cash payment sale completed with receipt');
});
});

76
package-lock.json generated
View File

@@ -28,7 +28,7 @@
"chartist-plugin-tooltips": "^0.0.17",
"clipboard": "^2.0.11",
"coffeescript": "^2.7.0",
"dompurify": "^3.3.0",
"dompurify": "^3.3.2",
"elegant-circles": "github:opensourcepos/elegant-circles#minified",
"es6-promise": "^4.2.8",
"file-saver": "^2.0.5",
@@ -43,6 +43,8 @@
"tableexport.jquery.plugin": "^1.30.0"
},
"devDependencies": {
"@playwright/test": "^1.44.0",
"@types/node": "^20.11.0",
"gulp": "^5.0.0",
"gulp-clean": "^0.4.0",
"gulp-clean-css": "^4.3.0",
@@ -100,6 +102,22 @@
"dev": true,
"license": "MIT"
},
"node_modules/@playwright/test": {
"version": "1.58.2",
"resolved": "https://registry.npmjs.org/@playwright/test/-/test-1.58.2.tgz",
"integrity": "sha512-akea+6bHYBBfA9uQqSYmlJXn61cTa+jbO87xVLCWbTqbWadRVmhxlXATaOjOgcBaWU4ePo0wB41KMFv3o35IXA==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
"playwright": "1.58.2"
},
"bin": {
"playwright": "cli.js"
},
"engines": {
"node": ">=18"
}
},
"node_modules/@popperjs/core": {
"version": "2.11.8",
"resolved": "https://registry.npmjs.org/@popperjs/core/-/core-2.11.8.tgz",
@@ -1483,10 +1501,13 @@
"integrity": "sha512-ED3jP8saaweFTjeGX8HQPjeC1YYyZs98jGNZx6IiBvxW7JG5v492kamAQB3m2wop07CvU/RQmzcKr6bgcC5D/Q=="
},
"node_modules/dompurify": {
"version": "3.3.1",
"resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz",
"integrity": "sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q==",
"version": "3.3.2",
"resolved": "https://registry.npmjs.org/dompurify/-/dompurify-3.3.2.tgz",
"integrity": "sha512-6obghkliLdmKa56xdbLOpUZ43pAR6xFy1uOrxBaIDjT+yaRuuybLjGS9eVBoSR/UPU5fq3OXClEHLJNGvbxKpQ==",
"license": "(MPL-2.0 OR Apache-2.0)",
"engines": {
"node": ">=20"
},
"optionalDependencies": {
"@types/trusted-types": "^2.0.7"
}
@@ -4445,6 +4466,53 @@
"url": "https://github.com/sponsors/jonschlinkert"
}
},
"node_modules/playwright": {
"version": "1.58.2",
"resolved": "https://registry.npmjs.org/playwright/-/playwright-1.58.2.tgz",
"integrity": "sha512-vA30H8Nvkq/cPBnNw4Q8TWz1EJyqgpuinBcHET0YVJVFldr8JDNiU9LaWAE1KqSkRYazuaBhTpB5ZzShOezQ6A==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
"playwright-core": "1.58.2"
},
"bin": {
"playwright": "cli.js"
},
"engines": {
"node": ">=18"
},
"optionalDependencies": {
"fsevents": "2.3.2"
}
},
"node_modules/playwright-core": {
"version": "1.58.2",
"resolved": "https://registry.npmjs.org/playwright-core/-/playwright-core-1.58.2.tgz",
"integrity": "sha512-yZkEtftgwS8CsfYo7nm0KE8jsvm6i/PTgVtB8DL726wNf6H2IMsDuxCpJj59KDaxCtSnrWan2AeDqM7JBaultg==",
"dev": true,
"license": "Apache-2.0",
"bin": {
"playwright-core": "cli.js"
},
"engines": {
"node": ">=18"
}
},
"node_modules/playwright/node_modules/fsevents": {
"version": "2.3.2",
"resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.2.tgz",
"integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
"dev": true,
"hasInstallScript": true,
"license": "MIT",
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
}
},
"node_modules/plugin-error": {
"version": "0.1.2",
"resolved": "https://registry.npmjs.org/plugin-error/-/plugin-error-0.1.2.tgz",

11
package.json
View File

@@ -26,7 +26,12 @@
},
"scripts": {
"build": "gulp default",
"gulp": "gulp"
"gulp": "gulp",
"test": "cd integration-tests && playwright test",
"test:headed": "cd integration-tests && playwright test --headed",
"test:ui": "cd integration-tests && playwright test --ui",
"test:debug": "cd integration-tests && playwright test --debug",
"test:install": "cd integration-tests && playwright install --with-deps"
},
"type": "module",
"dependencies": {
@@ -49,7 +54,7 @@
"chartist-plugin-tooltips": "^0.0.17",
"clipboard": "^2.0.11",
"coffeescript": "^2.7.0",
"dompurify": "^3.3.0",
"dompurify": "^3.3.2",
"elegant-circles": "github:opensourcepos/elegant-circles#minified",
"es6-promise": "^4.2.8",
"file-saver": "^2.0.5",
@@ -64,6 +69,8 @@
"tableexport.jquery.plugin": "^1.30.0"
},
"devDependencies": {
"@playwright/test": "^1.44.0",
"@types/node": "^20.11.0",
"gulp": "^5.0.0",
"gulp-clean": "^0.4.0",
"gulp-clean-css": "^4.3.0",

195
tests/Controllers/HomeTest.php
View File

@@ -228,4 +228,199 @@ class HomeTest extends CIUnitTestCase
$session->destroy();
$session->set('person_id', 1); // Admin user
}
/**
* Create a non-admin employee for testing
*
* @return int The person_id of the created employee
*/
protected function createNonAdminEmployee(): int
{
$personData = [
'first_name' => 'NonAdmin',
'last_name' => 'User',
'email' => 'nonadmin@test.com',
'phone_number' => '555-1234'
];
$employeeData = [
'username' => 'nonadmin',
'password' => password_hash('password123', PASSWORD_DEFAULT),
'hash_version' => 2,
'language_code' => 'en',
'language' => 'english'
];
$grantsData = [
['permission_id' => 'customers', 'menu_group' => 'home'],
['permission_id' => 'sales', 'menu_group' => 'home']
];
$employeeModel = model(Employee::class);
$employeeModel->save_employee($personData, $employeeData, $grantsData, NEW_ENTRY);
return $employeeModel->get_found_rows('');
}
/**
* Login as a specific user
*
* @param int $personId
* @return void
*/
protected function loginAs(int $personId): void
{
$session = Services::session();
$session->destroy();
$session->set('person_id', $personId);
$session->set('menu_group', 'home');
}
// ========== BOLA Authorization Tests ==========
/**
* Test non-admin cannot view admin password change form
* BOLA vulnerability fix: GHSA-q58g-gg7v-f9rf
*
* @return void
*/
public function testNonAdminCannotViewAdminPasswordForm(): void
{
$nonAdminId = $this->createNonAdminEmployee();
$this->loginAs($nonAdminId);
$response = $this->get('/home/changePassword/1');
$response->assertRedirect();
$this->assertStringContainsString('no_access', $response->getRedirectUrl());
}
/**
* Test non-admin cannot change admin password
* BOLA vulnerability fix: GHSA-q58g-gg7v-f9rf
*
* @return void
*/
public function testNonAdminCannotChangeAdminPassword(): void
{
$nonAdminId = $this->createNonAdminEmployee();
$this->loginAs($nonAdminId);
$response = $this->post('/home/save/1', [
'username' => 'admin',
'current_password' => 'pointofsale',
'password' => 'hacked123'
]);
$response->assertStatus(403);
$result = json_decode($response->getJSON(), true);
$this->assertFalse($result['success']);
// Verify admin password was NOT changed
$employee = model(Employee::class);
$admin = $employee->get_info(1);
$this->assertTrue(password_verify('pointofsale', $admin->password),
'Admin password should not have been changed by non-admin');
}
/**
* Test user can view their own password change form
*
* @return void
*/
public function testUserCanViewOwnPasswordForm(): void
{
$nonAdminId = $this->createNonAdminEmployee();
$this->loginAs($nonAdminId);
$response = $this->get('/home/changePassword/' . $nonAdminId);
$response->assertStatus(200);
$response->assertSee('nonadmin'); // Username should be visible
}
/**
* Test user can change their own password
*
* @return void
*/
public function testUserCanChangeOwnPassword(): void
{
$nonAdminId = $this->createNonAdminEmployee();
$this->loginAs($nonAdminId);
$response = $this->post('/home/save/' . $nonAdminId, [
'username' => 'nonadmin',
'current_password' => 'password123',
'password' => 'newpassword123'
]);
$response->assertStatus(200);
$result = json_decode($response->getJSON(), true);
$this->assertTrue($result['success']);
// Verify password was changed
$employee = model(Employee::class);
$user = $employee->get_info($nonAdminId);
$this->assertTrue(password_verify('newpassword123', $user->password));
}
/**
* Test admin can view any user's password form
*
* @return void
*/
public function testAdminCanViewAnyPasswordForm(): void
{
$nonAdminId = $this->createNonAdminEmployee();
$this->resetSession(); // Login as admin
$response = $this->get('/home/changePassword/' . $nonAdminId);
$response->assertStatus(200);
$response->assertSee('nonadmin');
}
/**
* Test admin can change any user's password
*
* @return void
*/
public function testAdminCanChangeAnyPassword(): void
{
$nonAdminId = $this->createNonAdminEmployee();
$this->resetSession(); // Login as admin
$response = $this->post('/home/save/' . $nonAdminId, [
'username' => 'nonadmin',
'current_password' => 'password123',
'password' => 'adminset123'
]);
$response->assertStatus(200);
$result = json_decode($response->getJSON(), true);
$this->assertTrue($result['success']);
// Verify password was changed
$employee = model(Employee::class);
$user = $employee->get_info($nonAdminId);
$this->assertTrue(password_verify('adminset123', $user->password));
}
/**
* Test default employee_id parameter uses current user
*
* @return void
*/
public function testDefaultEmployeeIdUsesCurrentUser(): void
{
$nonAdminId = $this->createNonAdminEmployee();
$this->loginAs($nonAdminId);
// Calling without employee_id should use current user
$response = $this->get('/home/changePassword');
$response->assertStatus(200);
$response->assertSee('nonadmin');
}
}

981
tests/Controllers/ItemsCsvImportTest.php Normal file
View File

@@ -0,0 +1,981 @@
<?php
namespace Tests\Controllers;
use CodeIgniter\Test\CIUnitTestCase;
use CodeIgniter\Test\DatabaseTestTrait;
use App\Models\Item;
use App\Models\Item_quantity;
use App\Models\Inventory;
use App\Models\Item_taxes;
use App\Models\Attribute;
use App\Models\Stock_location;
use App\Models\Supplier;
class ItemsCsvImportTest extends CIUnitTestCase
{
use DatabaseTestTrait;
protected $migrate = true;
protected $migrateOnce = false;
protected $refresh = true;
protected $namespace = null;
protected $item;
protected $item_quantity;
protected $inventory;
protected $item_taxes;
protected $attribute;
protected $stock_location;
protected $supplier;
protected function setUp(): void
{
parent::setUp();
helper('importfile');
helper('attribute');
$this->item = model(Item::class);
$this->item_quantity = model(Item_quantity::class);
$this->inventory = model(Inventory::class);
$this->item_taxes = model(Item_taxes::class);
$this->attribute = model(Attribute::class);
$this->stock_location = model(Stock_location::class);
$this->supplier = model(Supplier::class);
}
protected function tearDown(): void
{
parent::tearDown();
}
public function testGenerateCsvHeaderBasic(): void
{
$stock_locations = ['Warehouse'];
$attributes = [];
$csv = generate_import_items_csv($stock_locations, $attributes);
$this->assertStringContainsString('Id,Barcode,"Item Name"', $csv);
$this->assertStringContainsString('Category,"Supplier ID"', $csv);
$this->assertStringContainsString('"Cost Price","Unit Price"', $csv);
$this->assertStringContainsString('"Tax 1 Name","Tax 1 Percent"', $csv);
$this->assertStringContainsString('"Tax 2 Name","Tax 2 Percent"', $csv);
$this->assertStringContainsString('"Reorder Level"', $csv);
$this->assertStringContainsString('Description,"Allow Alt Description"', $csv);
$this->assertStringContainsString('"Item has Serial Number"', $csv);
$this->assertStringContainsString('Image,HSN', $csv);
$this->assertStringContainsString('"location_Warehouse"', $csv);
$this->assertStringContainsString("\xEF\xBB\xBF", $csv);
}
public function testGenerateCsvHeaderMultipleLocations(): void
{
$stock_locations = ['Warehouse', 'Store', 'Backroom'];
$attributes = [];
$csv = generate_import_items_csv($stock_locations, $attributes);
$this->assertStringContainsString('"location_Warehouse"', $csv);
$this->assertStringContainsString('"location_Store"', $csv);
$this->assertStringContainsString('"location_Backroom"', $csv);
}
public function testGenerateCsvHeaderWithAttributes(): void
{
$stock_locations = ['Warehouse'];
$attributes = ['Color', 'Size', 'Weight'];
$csv = generate_import_items_csv($stock_locations, $attributes);
$this->assertStringContainsString('"attribute_Color"', $csv);
$this->assertStringContainsString('"attribute_Size"', $csv);
$this->assertStringContainsString('"attribute_Weight"', $csv);
}
public function testGenerateStockLocationHeaders(): void
{
$locations = ['Warehouse', 'Store'];
$headers = generate_stock_location_headers($locations);
$this->assertEquals(',"location_Warehouse","location_Store"', $headers);
}
public function testGenerateAttributeHeaders(): void
{
$attributes = ['Color', 'Size'];
$headers = generate_attribute_headers($attributes);
$this->assertEquals(',"attribute_Color","attribute_Size"', $headers);
}
public function testGenerateAttributeHeadersRemovesNegativeOneIndex(): void
{
$attributes = [-1 => 'None', 'Color' => 'Color'];
unset($attributes[-1]);
$headers = generate_attribute_headers($attributes);
$this->assertStringContainsString('"attribute_Color"', $headers);
}
public function testGetCsvFileBasic(): void
{
$csv_content = "Id,Barcode,\"Item Name\",Category,\"Supplier ID\",\"Cost Price\",\"Unit Price\",\"Tax 1 Name\",\"Tax 1 Percent\",\"Tax 2 Name\",\"Tax 2 Percent\",\"Reorder Level\",Description,\"Allow Alt Description\",\"Item has Serial Number\",Image,HSN\n";
$csv_content .= ",ITEM001,Test Item,Electronics,1,10.00,15.00,,,,,5,Test Description,0,0,,HSN001\n";
$temp_file = tempnam(sys_get_temp_dir(), 'csv_test_');
file_put_contents($temp_file, $csv_content);
$rows = get_csv_file($temp_file);
$this->assertCount(1, $rows);
$this->assertEquals('', $rows[0]['Id']);
$this->assertEquals('ITEM001', $rows[0]['Barcode']);
$this->assertEquals('Test Item', $rows[0]['Item Name']);
$this->assertEquals('Electronics', $rows[0]['Category']);
unlink($temp_file);
}
public function testGetCsvFileWithBom(): void
{
$bom = pack('CCC', 0xef, 0xbb, 0xbf);
$csv_content = $bom . "Id,\"Item Name\",Category\n";
$csv_content .= "1,Test Item,Electronics\n";
$temp_file = tempnam(sys_get_temp_dir(), 'csv_test_bom_');
file_put_contents($temp_file, $csv_content);
$rows = get_csv_file($temp_file);
$this->assertCount(1, $rows);
$this->assertEquals('1', $rows[0]['Id']);
$this->assertEquals('Test Item', $rows[0]['Item Name']);
unlink($temp_file);
}
public function testGetCsvFileMultipleRows(): void
{
$csv_content = "Id,\"Item Name\",Category\n";
$csv_content .= "1,Item One,Cat A\n";
$csv_content .= "2,Item Two,Cat B\n";
$csv_content .= "3,Item Three,Cat C\n";
$temp_file = tempnam(sys_get_temp_dir(), 'csv_test_multi_');
file_put_contents($temp_file, $csv_content);
$rows = get_csv_file($temp_file);
$this->assertCount(3, $rows);
$this->assertEquals('Item One', $rows[0]['Item Name']);
$this->assertEquals('Item Two', $rows[1]['Item Name']);
$this->assertEquals('Item Three', $rows[2]['Item Name']);
unlink($temp_file);
}
public function testBomExists(): void
{
$bom = pack('CCC', 0xef, 0xbb, 0xbf);
$content_with_bom = $bom . "test content";
$temp_file = tempnam(sys_get_temp_dir(), 'bom_test_');
file_put_contents($temp_file, $content_with_bom);
$handle = fopen($temp_file, 'r');
$result = bom_exists($handle);
fclose($handle);
$this->assertTrue($result);
unlink($temp_file);
}
public function testBomNotExists(): void
{
$content_without_bom = "test content without BOM";
$temp_file = tempnam(sys_get_temp_dir(), 'no_bom_test_');
file_put_contents($temp_file, $content_without_bom);
$handle = fopen($temp_file, 'r');
$result = bom_exists($handle);
fclose($handle);
$this->assertFalse($result);
unlink($temp_file);
}
public function testImportItemBasicFields(): void
{
$item_data = [
'item_id' => null,
'name' => 'CSV Imported Item',
'description' => 'Description from CSV',
'category' => 'Electronics',
'cost_price' => 10.50,
'unit_price' => 25.99,
'reorder_level' => 5,
'supplier_id' => null,
'item_number' => 'CSV-ITEM-001',
'allow_alt_description' => 0,
'is_serialized' => 0,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$this->assertIsInt($item_id);
$this->assertGreaterThan(0, $item_id);
$saved_item = $this->item->get_info($item_id);
$this->assertEquals('CSV Imported Item', $saved_item->name);
$this->assertEquals('Description from CSV', $saved_item->description);
$this->assertEquals('Electronics', $saved_item->category);
$this->assertEquals(10.50, (float)$saved_item->cost_price);
$this->assertEquals(25.99, (float)$saved_item->unit_price);
}
public function testImportItemWithQuantity(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item With Quantity',
'category' => 'Test Category',
'cost_price' => 5.00,
'unit_price' => 10.00,
'reorder_level' => 2,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$location_id = 1;
$quantity = 100;
$item_quantity_data = [
'item_id' => $item_id,
'location_id' => $location_id,
'quantity' => $quantity
];
$result = $this->item_quantity->save_value($item_quantity_data, $item_id, $location_id);
$this->assertTrue($result);
$saved_quantity = $this->item_quantity->get_item_quantity($item_id, $location_id);
$this->assertEquals($quantity, $saved_quantity->quantity);
}
public function testImportItemCreatesInventoryRecord(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item With Inventory',
'category' => 'Test',
'cost_price' => 5.00,
'unit_price' => 10.00,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$inventory_data = [
'trans_inventory' => 50,
'trans_items' => $item_id,
'trans_location' => 1,
'trans_comment' => 'CSV Import',
'trans_user' => 1
];
$trans_id = $this->inventory->insert($inventory_data);
$this->assertIsInt($trans_id);
$this->assertGreaterThan(0, $trans_id);
$inventory_records = $this->inventory->get_inventory_data_for_item($item_id, 1);
$this->assertGreaterThanOrEqual(1, $inventory_records->getNumRows());
}
public function testImportItemWithTaxes(): void
{
$item_data = [
'item_id' => null,
'name' => 'Taxable Item',
'category' => 'Test',
'cost_price' => 100.00,
'unit_price' => 150.00,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$taxes_data = [
['name' => 'VAT', 'percent' => 20],
['name' => 'GST', 'percent' => 10]
];
$result = $this->item_taxes->save_value($taxes_data, $item_id);
$this->assertTrue($result);
$saved_taxes = $this->item_taxes->get_info($item_id);
$tax_names = array_column($saved_taxes, 'name');
$this->assertContains('VAT', $tax_names);
$this->assertContains('GST', $tax_names);
}
public function testImportMultipleItemsFromSimulatedCsv(): void
{
$csv_data = [
[
'Id' => '',
'Barcode' => 'ITEM-A',
'Item Name' => 'First Item',
'Category' => 'Category A',
'Supplier ID' => '',
'Cost Price' => '10.00',
'Unit Price' => '20.00',
'Tax 1 Name' => '',
'Tax 1 Percent' => '',
'Tax 2 Name' => '',
'Tax 2 Percent' => '',
'Reorder Level' => '5',
'Description' => 'First item description',
'Allow Alt Description' => '0',
'Item has Serial Number' => '0',
'Image' => '',
'HSN' => '',
'location_Warehouse' => '100'
],
[
'Id' => '',
'Barcode' => 'ITEM-B',
'Item Name' => 'Second Item',
'Category' => 'Category B',
'Supplier ID' => '',
'Cost Price' => '15.00',
'Unit Price' => '30.00',
'Tax 1 Name' => '',
'Tax 1 Percent' => '',
'Tax 2 Name' => '',
'Tax 2 Percent' => '',
'Reorder Level' => '10',
'Description' => 'Second item description',
'Allow Alt Description' => '0',
'Item has Serial Number' => '0',
'Image' => '',
'HSN' => '',
'location_Warehouse' => '50'
]
];
$imported_item_ids = [];
foreach ($csv_data as $row) {
$item_data = [
'item_id' => (int)$row['Id'] ?: null,
'name' => $row['Item Name'],
'description' => $row['Description'],
'category' => $row['Category'],
'cost_price' => (float)$row['Cost Price'],
'unit_price' => (float)$row['Unit Price'],
'reorder_level' => (int)$row['Reorder Level'],
'item_number' => $row['Barcode'] ?: null,
'allow_alt_description' => empty($row['Allow Alt Description']) ? '0' : '1',
'is_serialized' => empty($row['Item has Serial Number']) ? '0' : '1',
'deleted' => false
];
$item_id = $this->item->save_value($item_data);
$imported_item_ids[] = $item_id;
}
$this->assertCount(2, $imported_item_ids);
$item1 = $this->item->get_info($imported_item_ids[0]);
$this->assertEquals('First Item', $item1->name);
$this->assertEquals(10.00, (float)$item1->cost_price);
$item2 = $this->item->get_info($imported_item_ids[1]);
$this->assertEquals('Second Item', $item2->name);
$this->assertEquals(15.00, (float)$item2->cost_price);
}
public function testImportUpdateExistingItem(): void
{
$original_data = [
'item_id' => null,
'name' => 'Original Name',
'category' => 'Original Category',
'cost_price' => 10.00,
'unit_price' => 20.00,
'deleted' => 0
];
$item_id = $this->item->save_value($original_data);
$updated_data = [
'item_id' => $item_id,
'name' => 'Updated Name',
'category' => 'Updated Category',
'cost_price' => 15.00,
'unit_price' => 30.00,
'description' => 'New description',
'reorder_level' => 10,
'deleted' => 0
];
$this->item->save_value($updated_data);
$updated_item = $this->item->get_info($item_id);
$this->assertEquals('Updated Name', $updated_item->name);
$this->assertEquals('Updated Category', $updated_item->category);
$this->assertEquals(15.00, (float)$updated_item->cost_price);
$this->assertEquals(30.00, (float)$updated_item->unit_price);
}
public function testImportItemWithAttributeText(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item With Attribute',
'category' => 'Test',
'cost_price' => 10.00,
'unit_price' => 20.00,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$definition_data = [
'definition_name' => 'Color',
'definition_type' => TEXT,
'definition_flags' => 0,
'deleted' => 0
];
$definition_id = $this->attribute->saveDefinition($definition_data);
$attribute_value = 'Red';
$attribute_id = $this->attribute->saveAttributeValue(
$attribute_value,
$definition_id,
$item_id,
false,
TEXT
);
$this->assertNotFalse($attribute_id);
$saved_value = $this->attribute->getAttributeValue($item_id, $definition_id);
$this->assertEquals('Red', $saved_value->attribute_value);
}
public function testImportItemWithAttributeDropdown(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item With Dropdown',
'category' => 'Test',
'cost_price' => 10.00,
'unit_price' => 20.00,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$definition_data = [
'definition_name' => 'Size',
'definition_type' => DROPDOWN,
'definition_flags' => 0,
'deleted' => 0
];
$definition_id = $this->attribute->saveDefinition($definition_data);
$dropdown_values = ['Small', 'Medium', 'Large'];
foreach ($dropdown_values as $i => $value) {
$this->db->table('attribute_values')->insert([
'attribute_value' => $value,
'definition_id' => $definition_id,
'definition_type' => DROPDOWN,
'attribute_group' => $i,
'deleted' => 0
]);
}
$attribute_value = 'Medium';
$attribute_id = $this->attribute->saveAttributeValue(
$attribute_value,
$definition_id,
$item_id,
false,
DROPDOWN
);
$this->assertNotFalse($attribute_id);
$saved_value = $this->attribute->getAttributeValue($item_id, $definition_id);
$this->assertEquals('Medium', $saved_value->attribute_value);
}
public function testImportItemQuantityZero(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item Zero Quantity',
'category' => 'Test',
'cost_price' => 5.00,
'unit_price' => 10.00,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$location_id = 1;
$item_quantity_data = [
'item_id' => $item_id,
'location_id' => $location_id,
'quantity' => 0
];
$result = $this->item_quantity->save_value($item_quantity_data, $item_id, $location_id);
$this->assertTrue($result);
$saved_quantity = $this->item_quantity->get_item_quantity($item_id, $location_id);
$this->assertEquals(0, (int)$saved_quantity->quantity);
}
public function testImportItemWithNegativeReorderLevel(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item Negative Reorder',
'category' => 'Test',
'cost_price' => 5.00,
'unit_price' => 10.00,
'reorder_level' => -1,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$saved_item = $this->item->get_info($item_id);
$this->assertEquals(-1, (int)$saved_item->reorder_level);
}
public function testImportItemWithHighPrecisionPrices(): void
{
$item_data = [
'item_id' => null,
'name' => 'High Precision Item',
'category' => 'Test',
'cost_price' => 10.123456,
'unit_price' => 25.876543,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$saved_item = $this->item->get_info($item_id);
$cost_diff = abs(10.123456 - (float)$saved_item->cost_price);
$price_diff = abs(25.876543 - (float)$saved_item->unit_price);
$this->assertLessThan(0.001, $cost_diff, 'Cost price should maintain precision');
$this->assertLessThan(0.001, $price_diff, 'Unit price should maintain precision');
}
public function testImportItemWithHsnCode(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item With HSN',
'category' => 'Test',
'cost_price' => 10.00,
'unit_price' => 20.00,
'hsn_code' => '8471',
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$saved_item = $this->item->get_info($item_id);
$this->assertEquals('8471', $saved_item->hsn_code);
}
public function testImportItemQuantityMultipleLocations(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item Multi Location',
'category' => 'Test',
'cost_price' => 10.00,
'unit_price' => 20.00,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$quantities = [
['location_id' => 1, 'quantity' => 100],
['location_id' => 2, 'quantity' => 50],
['location_id' => 3, 'quantity' => 25]
];
foreach ($quantities as $q) {
$result = $this->item_quantity->save_value(
['item_id' => $item_id, 'location_id' => $q['location_id'], 'quantity' => $q['quantity']],
$item_id,
$q['location_id']
);
$this->assertTrue($result);
}
foreach ($quantities as $q) {
$saved = $this->item_quantity->get_item_quantity($item_id, $q['location_id']);
$this->assertEquals($q['quantity'], (int)$saved->quantity, "Quantity at location {$q['location_id']} should match");
}
}
public function testCsvImportQuantityValidationNumeric(): void
{
$csv_data = [
'Id' => '',
'Barcode' => 'VALID-ITEM',
'Item Name' => 'Valid Item',
'Category' => 'Test',
'Cost Price' => '10.00',
'Unit Price' => '20.00',
'location_Warehouse' => '100'
];
$this->assertTrue(is_numeric($csv_data['location_Warehouse']));
$this->assertTrue(is_numeric($csv_data['Cost Price']));
$this->assertTrue(is_numeric($csv_data['Unit Price']));
}
public function testCsvImportEmptyBarcodeAllowed(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item Without Barcode',
'category' => 'Test',
'cost_price' => 10.00,
'unit_price' => 20.00,
'item_number' => null,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$this->assertIsInt($item_id);
$this->assertGreaterThan(0, $item_id);
$saved_item = $this->item->get_info($item_id);
$this->assertEquals('Item Without Barcode', $saved_item->name);
}
public function testCsvImportItemExistsCheck(): void
{
$item_data = [
'item_id' => null,
'name' => 'Existing Item',
'category' => 'Test',
'cost_price' => 10.00,
'unit_price' => 20.00,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$exists = $this->item->exists($item_id);
$this->assertTrue($exists);
$not_exists = $this->item->exists(999999);
$this->assertFalse($not_exists);
}
public function testFullCsvImportFlowSimulated(): void
{
$csv_row = [
'Id' => '',
'Barcode' => 'FULL-TEST-001',
'Item Name' => 'Complete Test Item',
'Category' => 'Electronics',
'Supplier ID' => '',
'Cost Price' => '50.00',
'Unit Price' => '100.00',
'Tax 1 Name' => 'VAT',
'Tax 1 Percent' => '20',
'Tax 2 Name' => '',
'Tax 2 Percent' => '',
'Reorder Level' => '10',
'Description' => 'A complete test item for CSV import',
'Allow Alt Description' => '1',
'Item has Serial Number' => '0',
'Image' => '',
'HSN' => '84713020'
];
$item_data = [
'item_id' => (int)$csv_row['Id'] ?: null,
'name' => $csv_row['Item Name'],
'description' => $csv_row['Description'],
'category' => $csv_row['Category'],
'cost_price' => (float)$csv_row['Cost Price'],
'unit_price' => (float)$csv_row['Unit Price'],
'reorder_level' => (int)$csv_row['Reorder Level'],
'item_number' => $csv_row['Barcode'] ?: null,
'allow_alt_description' => empty($csv_row['Allow Alt Description']) ? '0' : '1',
'is_serialized' => empty($csv_row['Item has Serial Number']) ? '0' : '1',
'hsn_code' => $csv_row['HSN'],
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$taxes_data = [];
if (is_numeric($csv_row['Tax 1 Percent']) && $csv_row['Tax 1 Name'] !== '') {
$taxes_data[] = ['name' => $csv_row['Tax 1 Name'], 'percent' => $csv_row['Tax 1 Percent']];
}
if (is_numeric($csv_row['Tax 2 Percent']) && $csv_row['Tax 2 Name'] !== '') {
$taxes_data[] = ['name' => $csv_row['Tax 2 Name'], 'percent' => $csv_row['Tax 2 Percent']];
}
if (!empty($taxes_data)) {
$this->item_taxes->save_value($taxes_data, $item_id);
}
$location_id = 1;
$quantity = 75;
$quantity_data = [
'item_id' => $item_id,
'location_id' => $location_id,
'quantity' => $quantity
];
$this->item_quantity->save_value($quantity_data, $item_id, $location_id);
$inventory_data = [
'trans_inventory' => $quantity,
'trans_items' => $item_id,
'trans_location' => $location_id,
'trans_comment' => 'CSV import quantity',
'trans_user' => 1
];
$this->inventory->insert($inventory_data);
$saved_item = $this->item->get_info($item_id);
$this->assertEquals('Complete Test Item', $saved_item->name);
$this->assertEquals('Electronics', $saved_item->category);
$this->assertEquals(50.00, (float)$saved_item->cost_price);
$this->assertEquals(100.00, (float)$saved_item->unit_price);
$this->assertEquals('84713020', $saved_item->hsn_code);
$saved_quantity = $this->item_quantity->get_item_quantity($item_id, $location_id);
$this->assertEquals($quantity, (int)$saved_quantity->quantity);
$saved_taxes = $this->item_taxes->get_info($item_id);
$this->assertCount(1, $saved_taxes);
$this->assertEquals('VAT', $saved_taxes[0]['name']);
$this->assertEquals(20, (float)$saved_taxes[0]['percent']);
$inventory_records = $this->inventory->get_inventory_data_for_item($item_id, $location_id);
$this->assertGreaterThanOrEqual(1, $inventory_records->getNumRows());
}
public function testImportCsvInvalidStockLocationColumn(): void
{
$csv_headers = ['Id', 'Item Name', 'Category', 'Cost Price', 'Unit Price', 'location_NonExistentLocation'];
$csv_row = [
'Id' => '',
'Item Name' => 'Test Item Invalid Location',
'Category' => 'Test',
'Cost Price' => '10.00',
'Unit Price' => '20.00',
'location_NonExistentLocation' => '100'
];
$allowed_locations = [1 => 'Warehouse'];
$location_columns_in_csv = [];
foreach (array_keys($csv_row) as $key) {
if (str_starts_with($key, 'location_')) {
$location_columns_in_csv[$key] = substr($key, 9);
}
}
$invalid_locations = [];
foreach ($location_columns_in_csv as $column => $location_name) {
if (!in_array($location_name, $allowed_locations)) {
$invalid_locations[] = $location_name;
}
}
$this->assertNotEmpty($invalid_locations, 'Should detect invalid location in CSV');
$this->assertContains('NonExistentLocation', $invalid_locations);
}
public function testImportCsvValidStockLocationColumn(): void
{
$csv_row = [
'Id' => '',
'Item Name' => 'Test Item Valid Location',
'Category' => 'Test',
'Cost Price' => '10.00',
'Unit Price' => '20.00',
'location_Warehouse' => '100'
];
$allowed_locations = [1 => 'Warehouse'];
$location_columns_in_csv = [];
foreach (array_keys($csv_row) as $key) {
if (str_starts_with($key, 'location_')) {
$location_columns_in_csv[$key] = substr($key, 9);
}
}
$invalid_locations = [];
foreach ($location_columns_in_csv as $column => $location_name) {
if (!in_array($location_name, $allowed_locations)) {
$invalid_locations[] = $location_name;
}
}
$this->assertEmpty($invalid_locations, 'Should have no invalid locations');
}
public function testImportCsvMixedValidAndInvalidLocations(): void
{
$csv_row = [
'Id' => '',
'Item Name' => 'Test Item Mixed Locations',
'Category' => 'Test',
'Cost Price' => '10.00',
'Unit Price' => '20.00',
'location_Warehouse' => '100',
'location_InvalidLocation' => '50'
];
$allowed_locations = [1 => 'Warehouse', 2 => 'Store'];
$location_columns_in_csv = [];
foreach (array_keys($csv_row) as $key) {
if (str_starts_with($key, 'location_')) {
$location_columns_in_csv[$key] = substr($key, 9);
}
}
$invalid_locations = [];
foreach ($location_columns_in_csv as $column => $location_name) {
if (!in_array($location_name, $allowed_locations)) {
$invalid_locations[] = $location_name;
}
}
$this->assertCount(1, $invalid_locations, 'Should have exactly one invalid location');
$this->assertContains('InvalidLocation', $invalid_locations);
}
public function testValidateCsvStockLocations(): void
{
$csv_content = "Id,\"Item Name\",Category,\"Cost Price\",\"Unit Price\",\"location_Warehouse\",\"location_FakeLocation\"\n";
$csv_content .= ",Test Item,Test,10.00,20.00,100,50\n";
$temp_file = tempnam(sys_get_temp_dir(), 'csv_location_test_');
file_put_contents($temp_file, $csv_content);
$rows = get_csv_file($temp_file);
$this->assertCount(1, $rows);
$row = $rows[0];
$this->assertArrayHasKey('location_Warehouse', $row);
$this->assertArrayHasKey('location_FakeLocation', $row);
unlink($temp_file);
}
public function testImportItemQuantityOnlyForValidLocations(): void
{
$item_data = [
'item_id' => null,
'name' => 'Item Location Test',
'category' => 'Test',
'cost_price' => 10.00,
'unit_price' => 20.00,
'deleted' => 0
];
$item_id = $this->item->save_value($item_data);
$allowed_locations = [1 => 'Warehouse', 2 => 'Store'];
$csv_row_simulated = [
'location_Warehouse' => '100',
'location_Store' => '50',
'location_NonExistent' => '25'
];
foreach ($allowed_locations as $location_id => $location_name) {
$column_name = "location_$location_name";
if (isset($csv_row_simulated[$column_name]) || $csv_row_simulated[$column_name] === '0') {
$quantity_data = [
'item_id' => $item_id,
'location_id' => $location_id,
'quantity' => (int)$csv_row_simulated[$column_name]
];
$this->item_quantity->save_value($quantity_data, $item_id, $location_id);
}
}
$warehouse_qty = $this->item_quantity->get_item_quantity($item_id, 1);
$this->assertEquals(100, (int)$warehouse_qty->quantity);
$store_qty = $this->item_quantity->get_item_quantity($item_id, 2);
$this->assertEquals(50, (int)$store_qty->quantity);
$result = $this->item_quantity->exists($item_id, 999);
$this->assertFalse($result, 'Should not have quantity for non-existent location');
}
public function testDetectCsvLocationColumns(): void
{
$row = [
'Id' => '',
'Item Name' => 'Test',
'location_Warehouse' => '100',
'location_Store' => '50',
'attribute_Color' => 'Red'
];
$location_columns = [];
foreach (array_keys($row) as $key) {
if (str_starts_with($key, 'location_')) {
$location_columns[$key] = substr($key, 9);
}
}
$this->assertCount(2, $location_columns);
$this->assertArrayHasKey('location_Warehouse', $location_columns);
$this->assertArrayHasKey('location_Store', $location_columns);
$this->assertEquals('Warehouse', $location_columns['location_Warehouse']);
$this->assertEquals('Store', $location_columns['location_Store']);
}
public function testValidateLocationNamesCaseSensitivity(): void
{
$allowed_locations = [1 => 'Warehouse', 2 => 'Store'];
$csv_location_name = 'warehouse';
$is_valid = in_array($csv_location_name, $allowed_locations);
$this->assertFalse($is_valid, 'Location names should be case-sensitive');
$csv_location_name = 'Warehouse';
$is_valid = in_array($csv_location_name, $allowed_locations);
$this->assertTrue($is_valid, 'Valid location name should pass validation');
}
}

42
tests/Models/EmployeeTest.php
View File

@@ -24,7 +24,7 @@ class EmployeeTest extends CIUnitTestCase
{
$employeeModel = model(Employee::class);
$result = $employeeModel->is_admin(1);
$result = $employeeModel->isAdmin(1);
$this->assertTrue($result);
}
@@ -38,7 +38,7 @@ class EmployeeTest extends CIUnitTestCase
$employeeModel->method('has_grant')
->willReturn(true);
$result = $employeeModel->is_admin(2);
$result = $employeeModel->isAdmin(2);
$this->assertTrue($result);
}
@@ -54,7 +54,7 @@ class EmployeeTest extends CIUnitTestCase
return $permissionId !== 'config';
});
$result = $employeeModel->is_admin(3);
$result = $employeeModel->isAdmin(3);
$this->assertFalse($result);
}
@@ -62,13 +62,13 @@ class EmployeeTest extends CIUnitTestCase
public function testCanModifyEmployeeReturnsTrueForOwnAccount(): void
{
$employeeModel = $this->getMockBuilder(Employee::class)
->onlyMethods(['is_admin'])
->onlyMethods(['isAdmin'])
->getMock();
$employeeModel->method('is_admin')
$employeeModel->method('isAdmin')
->willReturn(false);
$result = $employeeModel->can_modify_employee(1, 1);
$result = $employeeModel->canModifyEmployee(1, 1);
$this->assertTrue($result);
}
@@ -76,13 +76,13 @@ class EmployeeTest extends CIUnitTestCase
public function testCanModifyEmployeeReturnsTrueForOwnAdminAccount(): void
{
$employeeModel = $this->getMockBuilder(Employee::class)
->onlyMethods(['is_admin'])
->onlyMethods(['isAdmin'])
->getMock();
$employeeModel->method('is_admin')
$employeeModel->method('isAdmin')
->willReturn(true);
$result = $employeeModel->can_modify_employee(1, 1);
$result = $employeeModel->canModifyEmployee(1, 1);
$this->assertTrue($result);
}
@@ -90,15 +90,15 @@ class EmployeeTest extends CIUnitTestCase
public function testCanModifyEmployeeReturnsFalseWhenNonAdminModifiesAdmin(): void
{
$employeeModel = $this->getMockBuilder(Employee::class)
->onlyMethods(['is_admin'])
->onlyMethods(['isAdmin'])
->getMock();
$employeeModel->method('is_admin')
$employeeModel->method('isAdmin')
->willReturnCallback(function($personId) {
return $personId === 1;
});
$result = $employeeModel->can_modify_employee(1, 2);
$result = $employeeModel->canModifyEmployee(1, 2);
$this->assertFalse($result);
}
@@ -106,15 +106,15 @@ class EmployeeTest extends CIUnitTestCase
public function testCanModifyEmployeeReturnsTrueWhenAdminModifiesNonAdmin(): void
{
$employeeModel = $this->getMockBuilder(Employee::class)
->onlyMethods(['is_admin'])
->onlyMethods(['isAdmin'])
->getMock();
$employeeModel->method('is_admin')
$employeeModel->method('isAdmin')
->willReturnCallback(function($personId) {
return $personId === 1;
});
$result = $employeeModel->can_modify_employee(2, 1);
$result = $employeeModel->canModifyEmployee(2, 1);
$this->assertTrue($result);
}
@@ -122,13 +122,13 @@ class EmployeeTest extends CIUnitTestCase
public function testCanModifyEmployeeReturnsTrueWhenNonAdminModifiesNonAdmin(): void
{
$employeeModel = $this->getMockBuilder(Employee::class)
->onlyMethods(['is_admin'])
->onlyMethods(['isAdmin'])
->getMock();
$employeeModel->method('is_admin')
$employeeModel->method('isAdmin')
->willReturn(false);
$result = $employeeModel->can_modify_employee(2, 3);
$result = $employeeModel->canModifyEmployee(2, 3);
$this->assertTrue($result);
}
@@ -136,15 +136,15 @@ class EmployeeTest extends CIUnitTestCase
public function testCanModifyEmployeeReturnsFalseForNonAdminEditingAdmin(): void
{
$employeeModel = $this->getMockBuilder(Employee::class)
->onlyMethods(['is_admin'])
->onlyMethods(['isAdmin'])
->getMock();
$employeeModel->method('is_admin')
$employeeModel->method('isAdmin')
->willReturnCallback(function($personId) {
return $personId === 1;
});
$result = $employeeModel->can_modify_employee(1, 2);
$result = $employeeModel->canModifyEmployee(1, 2);
$this->assertFalse($result);
}

51
tests/Models/Reports/Summary_discounts_test.php Normal file
View File

@@ -0,0 +1,51 @@
<?php
namespace Tests\Models\Reports;
use CodeIgniter\Test\CIUnitTestCase;
use App\Models\Reports\Summary_discounts;
class Summary_discounts_test extends CIUnitTestCase
{
public function testCurrencySymbolEscaping(): void
{
$malicious_symbols = [
'"',
"'",
'" + SLEEP(5) + "',
'", SLEEP(5), "',
"' + (SELECT * FROM (SELECT(SLEEP(5)))a) + '",
'"; DROP TABLE ospos_sales_items; --',
'" OR 1=1 --'
];
foreach ($malicious_symbols as $symbol) {
$escaped = $this->escapeCurrencySymbol($symbol);
$this->assertStringNotContainsString('SLEEP', $escaped, "SQL injection attempt should be escaped: $symbol");
$this->assertStringNotContainsString('DROP', $escaped, "SQL injection attempt should be escaped: $symbol");
$this->assertStringNotContainsString(';', $escaped, "Query termination should be escaped: $symbol");
}
}
public function testNormalCurrencySymbolHandling(): void
{
$normal_symbols = ['$', '€', '£', '¥', '₹', '₩', '₽', 'kr', 'CHF'];
foreach ($normal_symbols as $symbol) {
$escaped = $this->escapeCurrencySymbol($symbol);
$this->assertNotEmpty($escaped, "Normal currency symbol should be preserved: $symbol");
}
}
private function escapeCurrencySymbol(string $symbol): string
{
if (strlen($symbol) === 0) {
return "''";
}
$symbol = addslashes($symbol);
return "'" . $symbol . "'";
}
}