feat(offers): 補齊 provider-verification 可見性缺口——子端點過濾與預約入口檢查
Run Tests / test (pull_request) Successful in 1m56s
Run Tests / test (pull_request) Successful in 1m56s
實作 openspec change provider-verification-gaps(8/8 tasks): - schedules/reviews publicList 套用 visibleToPublic,隱藏課程回 404 - MemberBookingController::store Layer 1 擋未驗證教練課程的新預約(422) - 政策:教練被取消驗證只擋新預約,既有 pending/confirmed/completed 照常 - 主規格 Notes 已知限制轉為正式 Requirements - 測試 +5(可見性子端點 3、預約入口 2),既有 booking/review 測試 helper 補 verified ProviderProfile - 容器內全套件 151 passed / 388 assertions;另以 demo 資料端到端驗證 (已驗證教練 200/200/200、未驗證 404/404/404) Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
@@ -45,9 +45,14 @@ class MemberBookingController extends Controller
|
||||
'notes' => 'nullable|string|max:500',
|
||||
]);
|
||||
|
||||
$schedule = CourseSchedule::with('divingOffer')->findOrFail($data['schedule_id']);
|
||||
$schedule = CourseSchedule::with('divingOffer.provider.providerProfile')->findOrFail($data['schedule_id']);
|
||||
|
||||
// Layer 1:快速失敗
|
||||
// 可見性繞過防護:課程屬未驗證教練時不可建立新預約(既有預約不受影響,見 provider-verification 規格)
|
||||
$offer = $schedule->divingOffer;
|
||||
if ($offer->provider_id !== null && !($offer->provider?->providerProfile?->is_verified)) {
|
||||
return response()->json(['status' => false, 'message' => '此課程目前不開放預約'], 422);
|
||||
}
|
||||
if ($schedule->status !== ScheduleStatus::Open) {
|
||||
return response()->json(['status' => false, 'message' => '此時段不開放預約'], 422);
|
||||
}
|
||||
|
||||
@@ -21,7 +21,7 @@ class ReviewController extends Controller
|
||||
|
||||
public function publicList(Request $request, int $offerId)
|
||||
{
|
||||
$offer = DivingOffer::findOrFail($offerId);
|
||||
$offer = DivingOffer::visibleToPublic()->findOrFail($offerId);
|
||||
$user = $request->user();
|
||||
$perPage = min((int) $request->query('per_page', 20), 50);
|
||||
$sort = $request->query('sort', 'helpful');
|
||||
|
||||
@@ -95,7 +95,7 @@ class ScheduleController extends Controller
|
||||
|
||||
public function publicList(int $offerId)
|
||||
{
|
||||
$offer = DivingOffer::findOrFail($offerId);
|
||||
$offer = DivingOffer::visibleToPublic()->findOrFail($offerId);
|
||||
$schedules = CourseSchedule::where('diving_offer_id', $offer->id)
|
||||
->where('status', ScheduleStatus::Open->value)
|
||||
->whereDate('scheduled_date', '>=', now()->toDateString())
|
||||
|
||||
@@ -1,19 +1,19 @@
|
||||
## 1. 公開子端點套用可見性
|
||||
|
||||
- [ ] 1.1 `ScheduleController::publicList`:`DivingOffer::findOrFail($offerId)` → `DivingOffer::visibleToPublic()->findOrFail($offerId)`
|
||||
- [ ] 1.2 `ReviewController::publicList`:同 1.1
|
||||
- [ ] 1.3 [整合測試] `DivingOfferVisibilityTest` 擴充:未驗證教練課程的 `/schedules` 回 404、`/reviews` 回 404、已驗證教練兩端點正常(3~4 案例)
|
||||
- [x] 1.1 `ScheduleController::publicList`:`DivingOffer::findOrFail($offerId)` → `DivingOffer::visibleToPublic()->findOrFail($offerId)`
|
||||
- [x] 1.2 `ReviewController::publicList`:同 1.1
|
||||
- [x] 1.3 [整合測試] `DivingOfferVisibilityTest` 擴充:未驗證教練課程的 `/schedules` 回 404、`/reviews` 回 404、已驗證教練兩端點正常(3~4 案例)
|
||||
|
||||
## 2. 預約入口檢查
|
||||
|
||||
- [ ] 2.1 `MemberBookingController::store` Layer 1 增加課程可預約檢查(provider_id null 或教練已驗證),不符回 422 `此課程目前不開放預約`
|
||||
- [ ] 2.2 [整合測試] `BookingLifecycleTest` 擴充:未驗證教練課程的 schedule 不可建立預約(422)、已驗證可預約、教練被取消驗證後既有 confirmed 預約聊天/完課照常(3 案例)
|
||||
- [x] 2.1 `MemberBookingController::store` Layer 1 增加課程可預約檢查(provider_id null 或教練已驗證),不符回 422 `此課程目前不開放預約`
|
||||
- [x] 2.2 [整合測試] `BookingLifecycleTest` 擴充:未驗證教練課程的 schedule 不可建立預約(422)、已驗證可預約、教練被取消驗證後既有 confirmed 預約聊天/完課照常(3 案例)
|
||||
|
||||
## 3. 規格同步
|
||||
|
||||
- [ ] 3.1 `openspec/specs/provider-verification/spec.md`:新增「公開子端點套用相同可見性」「未驗證教練課程不可建立新預約」requirements(含既有預約不受影響 scenario),移除 Notes 已知限制段落
|
||||
- [x] 3.1 `openspec/specs/provider-verification/spec.md`:新增「公開子端點套用相同可見性」「未驗證教練課程不可建立新預約」requirements(含既有預約不受影響 scenario),移除 Notes 已知限制段落
|
||||
|
||||
## 4. 驗證
|
||||
|
||||
- [ ] 4.1 容器內 `php artisan test` 全綠(基準:146 passed)
|
||||
- [ ] 4.2 手動驗證 DemoSeeder 未驗證教練課程:時段/評價查詢 404、無法新預約
|
||||
- [x] 4.1 容器內 `php artisan test` 全綠(基準:146 passed)
|
||||
- [x] 4.2 手動驗證 DemoSeeder 未驗證教練課程:時段/評價查詢 404、無法新預約
|
||||
|
||||
@@ -36,6 +36,36 @@
|
||||
|
||||
---
|
||||
|
||||
### Requirement: 公開子端點套用相同可見性
|
||||
課程的公開子端點(`GET /api/diving-offers/{id}/schedules`、`GET /api/diving-offers/{id}/reviews`)SHALL 套用與課程詳情相同的可見性規則:課程屬未驗證教練時回傳 HTTP 404。
|
||||
|
||||
#### Scenario: 隱藏課程的時段查詢回 404
|
||||
- **WHEN** 匿名使用者請求 `GET /api/diving-offers/{id}/schedules`,該課程屬未驗證教練
|
||||
- **THEN** 回傳 HTTP 404
|
||||
|
||||
#### Scenario: 隱藏課程的評價查詢回 404
|
||||
- **WHEN** 匿名使用者請求 `GET /api/diving-offers/{id}/reviews`,該課程屬未驗證教練
|
||||
- **THEN** 回傳 HTTP 404
|
||||
|
||||
#### Scenario: 可見課程的子端點正常
|
||||
- **WHEN** 課程屬已驗證教練或 `provider_id` 為 null
|
||||
- **THEN** 時段與評價端點照常回傳資料
|
||||
|
||||
---
|
||||
|
||||
### Requirement: 未驗證教練的課程不可建立新預約
|
||||
`POST /api/member/bookings` SHALL 在建立預約前驗證 schedule 所屬課程可預約(`provider_id` 為 null 或教練 `is_verified = true`),不符時回傳 HTTP 422,不建立預約。既有預約(pending / confirmed / completed)SHALL 不受教練驗證狀態變動影響:教練仍可處理 pending、confirmed 的聊天與完課流程照常、completed 可正常評價。
|
||||
|
||||
#### Scenario: 未驗證教練課程的新預約被拒絕
|
||||
- **WHEN** 會員以未驗證教練課程的 schedule_id 送出預約
|
||||
- **THEN** 回傳 HTTP 422,`{ status: false, message: "此課程目前不開放預約" }`,不建立 Booking
|
||||
|
||||
#### Scenario: 教練被取消驗證後既有預約照常
|
||||
- **WHEN** 教練在預約 confirmed 之後被取消驗證
|
||||
- **THEN** 該預約的聊天、完課、評價流程照常運作;僅新預約被擋
|
||||
|
||||
---
|
||||
|
||||
### Requirement: 教練自有管理端點不受可見性限制
|
||||
Provider 對自己課程的管理端點(`/api/provider/offers*`)與 Admin 管理端點(`/api/admin/offers*`)SHALL 不受公開可見性過濾影響,未驗證教練仍可登入、編輯與管理自己的課程。
|
||||
|
||||
@@ -45,4 +75,4 @@ Provider 對自己課程的管理端點(`/api/provider/offers*`)與 Admin
|
||||
|
||||
## Notes
|
||||
|
||||
已知限制(留待完整教練審核流程處理):`GET /api/diving-offers/{id}/schedules`、`GET /api/diving-offers/{id}/reviews` 與預約建立流程尚未套用相同過濾,知道課程 id 的使用者仍可間接互動。完整審核流程(verification_status enum、證照上傳、審核佇列)見 `docs/analysis/2026-06-11-future-roadmap-feasibility.md` §2.1。
|
||||
完整審核流程(verification_status enum、證照上傳、審核佇列)見 `docs/analysis/2026-06-11-future-roadmap-feasibility.md` §2.1。
|
||||
|
||||
@@ -7,6 +7,7 @@ use App\Enums\ScheduleStatus;
|
||||
use App\Models\Booking;
|
||||
use App\Models\CourseSchedule;
|
||||
use App\Models\DivingOffer;
|
||||
use App\Models\ProviderProfile;
|
||||
use App\Models\User;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Notification;
|
||||
@@ -37,9 +38,16 @@ class BookingLifecycleTest extends TestCase
|
||||
return User::factory()->create(['role' => 'member']);
|
||||
}
|
||||
|
||||
private function makeProvider(): User
|
||||
private function makeProvider(bool $isVerified = true): User
|
||||
{
|
||||
return User::factory()->create(['role' => 'provider']);
|
||||
$provider = User::factory()->create(['role' => 'provider']);
|
||||
|
||||
ProviderProfile::create([
|
||||
'user_id' => $provider->id,
|
||||
'is_verified' => $isVerified,
|
||||
]);
|
||||
|
||||
return $provider;
|
||||
}
|
||||
|
||||
private function makeOffer(User $provider): DivingOffer
|
||||
@@ -140,6 +148,43 @@ class BookingLifecycleTest extends TestCase
|
||||
])->assertStatus(422);
|
||||
}
|
||||
|
||||
// ── 可見性繞過防護(provider-verification 規格) ─────────
|
||||
|
||||
public function test_cannot_book_unverified_provider_course_via_schedule_id(): void
|
||||
{
|
||||
$unverified = $this->makeProvider(isVerified: false);
|
||||
$schedule = $this->makeSchedule($this->makeOffer($unverified));
|
||||
|
||||
$this->actingAs($this->makeMember())->postJson('/api/member/bookings', [
|
||||
'schedule_id' => $schedule->id,
|
||||
'participants' => 1,
|
||||
])->assertStatus(422)
|
||||
->assertJsonPath('message', '此課程目前不開放預約');
|
||||
|
||||
$this->assertSame(0, Booking::count());
|
||||
}
|
||||
|
||||
public function test_existing_confirmed_booking_survives_provider_unverification(): void
|
||||
{
|
||||
$provider = $this->makeProvider();
|
||||
$schedule = $this->makeSchedule($this->makeOffer($provider), ['current_participants' => 1]);
|
||||
$member = $this->makeMember();
|
||||
$booking = $this->makeBooking($member, $schedule, BookingStatus::Confirmed);
|
||||
|
||||
// 教練在預約成立後被取消驗證:只擋新預約,不毀既有合約
|
||||
$provider->providerProfile->update(['is_verified' => false]);
|
||||
|
||||
$this->actingAs($member)
|
||||
->getJson("/api/bookings/{$booking->id}/messages")
|
||||
->assertOk();
|
||||
|
||||
$this->actingAs($provider)
|
||||
->putJson("/api/provider/bookings/{$booking->id}/complete")
|
||||
->assertOk();
|
||||
|
||||
$this->assertSame(BookingStatus::Completed, $booking->fresh()->status);
|
||||
}
|
||||
|
||||
// ── Provider 確認 / 拒絕 ─────────────────────────────────
|
||||
|
||||
public function test_provider_confirms_pending_booking_and_occupies_spots(): void
|
||||
|
||||
@@ -7,6 +7,7 @@ use App\Enums\ScheduleStatus;
|
||||
use App\Models\Booking;
|
||||
use App\Models\CourseSchedule;
|
||||
use App\Models\DivingOffer;
|
||||
use App\Models\ProviderProfile;
|
||||
use App\Models\User;
|
||||
use Illuminate\Foundation\Testing\RefreshDatabase;
|
||||
use Illuminate\Support\Facades\Notification;
|
||||
@@ -33,6 +34,11 @@ class BookingOversellTest extends TestCase
|
||||
{
|
||||
$provider = User::factory()->create(['role' => 'provider']);
|
||||
|
||||
ProviderProfile::create([
|
||||
'user_id' => $provider->id,
|
||||
'is_verified' => true,
|
||||
]);
|
||||
|
||||
$offer = DivingOffer::create([
|
||||
'provider_id' => $provider->id,
|
||||
'title' => 'Oversell Course',
|
||||
|
||||
@@ -98,6 +98,33 @@ class DivingOfferVisibilityTest extends TestCase
|
||||
->assertJsonPath('data.title', 'Visible Course');
|
||||
}
|
||||
|
||||
// ── 公開子端點套用相同可見性 ─────────────────────────────
|
||||
|
||||
public function test_schedules_endpoint_returns_404_for_unverified_provider_offer(): void
|
||||
{
|
||||
$unverified = $this->makeProvider(false);
|
||||
$offer = $this->makeOffer($unverified->id, 'Hidden Schedules Course');
|
||||
|
||||
$this->getJson("/api/diving-offers/{$offer->id}/schedules")->assertStatus(404);
|
||||
}
|
||||
|
||||
public function test_reviews_endpoint_returns_404_for_unverified_provider_offer(): void
|
||||
{
|
||||
$unverified = $this->makeProvider(false);
|
||||
$offer = $this->makeOffer($unverified->id, 'Hidden Reviews Course');
|
||||
|
||||
$this->getJson("/api/diving-offers/{$offer->id}/reviews")->assertStatus(404);
|
||||
}
|
||||
|
||||
public function test_sub_endpoints_work_for_verified_provider_offer(): void
|
||||
{
|
||||
$verified = $this->makeProvider(true);
|
||||
$offer = $this->makeOffer($verified->id, 'Visible Sub Course');
|
||||
|
||||
$this->getJson("/api/diving-offers/{$offer->id}/schedules")->assertOk();
|
||||
$this->getJson("/api/diving-offers/{$offer->id}/reviews")->assertOk();
|
||||
}
|
||||
|
||||
// ── 驗證狀態切換立即生效(快取失效) ─────────────────────
|
||||
|
||||
public function test_toggle_verified_takes_effect_immediately_despite_cache(): void
|
||||
|
||||
@@ -6,6 +6,7 @@ use App\Enums\BookingStatus;
|
||||
use App\Models\Booking;
|
||||
use App\Models\CourseSchedule;
|
||||
use App\Models\DivingOffer;
|
||||
use App\Models\ProviderProfile;
|
||||
use App\Models\Review;
|
||||
use App\Models\ReviewEdit;
|
||||
use App\Models\ReviewVote;
|
||||
@@ -32,6 +33,8 @@ class ReviewTest extends TestCase
|
||||
private function createOffer(): DivingOffer
|
||||
{
|
||||
$provider = User::factory()->create(['role' => 'provider']);
|
||||
// 公開評價端點僅對已驗證教練的課程開放(provider-verification 規格)
|
||||
ProviderProfile::create(['user_id' => $provider->id, 'is_verified' => true]);
|
||||
return DivingOffer::create([
|
||||
'provider_id' => $provider->id,
|
||||
'title' => '測試潛水課程',
|
||||
|
||||
Reference in New Issue
Block a user