santhoshj/headroom
1
0
Fork 0
Code Issues 18 Pull Requests Actions Packages Projects Releases Wiki Activity

feat(team-member): Complete Team Member Management capability

Browse Source 
Implement full CRUD operations for team members with TDD approach:

Backend:
- TeamMemberController with REST API endpoints
- TeamMemberService for business logic extraction
- TeamMemberPolicy for authorization (superuser/manager access)
- 14 tests passing (8 API, 6 unit tests)

Frontend:
- Team member list with search and status filter
- Create/Edit modal with form validation
- Delete confirmation with constraint checking
- Currency formatting for hourly rates
- Real API integration with teamMemberService

Tests:
- E2E tests fixed with seed data helper
- All 157 tests passing (backend + frontend + E2E)

Closes #22
This commit is contained in:
Santhosh Janardhanan
2026-02-18 22:01:57 -05:00
parent 249e0ade8e
commit 3173d4250c
18 changed files with 1588 additions and 1100 deletions
Download Patch File Download Diff File Expand all files Collapse all files

226
backend/.scribe/endpoints.cache/00.yaml
View File

@@ -1,226 +0,0 @@
## Autogenerated by Scribe. DO NOT MODIFY.
name: Authentication
description: |-
Endpoints for JWT authentication and session lifecycle.
endpoints:
-
custom: []
httpMethods:
- POST
uri: api/auth/login
metadata:
custom: []
groupName: Authentication
groupDescription: |-
Endpoints for JWT authentication and session lifecycle.
subgroup: ''
subgroupDescription: ''
title: 'Login and get tokens'
description: 'Authenticate with email and password to receive an access token and refresh token.'
authenticated: true
deprecated: false
headers:
Authorization: 'Bearer Bearer {token}'
Content-Type: application/json
Accept: application/json
urlParameters: []
cleanUrlParameters: []
queryParameters: []
cleanQueryParameters: []
bodyParameters:
email:
custom: []
name: email
description: 'User email address.'
required: true
example: user@example.com
type: string
enumValues: []
exampleWasSpecified: true
nullable: false
deprecated: false
password:
custom: []
name: password
description: 'User password.'
required: true
example: secret123
type: string
enumValues: []
exampleWasSpecified: true
nullable: false
deprecated: false
cleanBodyParameters:
email: user@example.com
password: secret123
fileParameters: []
responses:
-
custom: []
status: 200
content: |-
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
"refresh_token": "abc123def456",
"token_type": "bearer",
"expires_in": 3600,
"user": {
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "Alice Johnson",
"email": "user@example.com",
"role": "manager"
}
}
headers: []
description: ''
-
custom: []
status: 401
content: '{"message":"Invalid credentials"}'
headers: []
description: ''
-
custom: []
status: 403
content: '{"message":"Account is inactive"}'
headers: []
description: ''
-
custom: []
status: 422
content: '{"errors":{"email":["The email field is required."],"password":["The password field is required."]}}'
headers: []
description: ''
responseFields: []
auth:
- headers
- Authorization
- 'Bearer Bearer {token}'
controller: null
method: null
route: null
-
custom: []
httpMethods:
- POST
uri: api/auth/refresh
metadata:
custom: []
groupName: Authentication
groupDescription: |-
Endpoints for JWT authentication and session lifecycle.
subgroup: ''
subgroupDescription: ''
title: 'Refresh access token'
description: 'Exchange a valid refresh token for a new access token and refresh token pair.'
authenticated: true
deprecated: false
headers:
Authorization: 'Bearer Bearer {token}'
Content-Type: application/json
Accept: application/json
urlParameters: []
cleanUrlParameters: []
queryParameters: []
cleanQueryParameters: []
bodyParameters:
refresh_token:
custom: []
name: refresh_token
description: 'Refresh token returned by login.'
required: true
example: abc123def456
type: string
enumValues: []
exampleWasSpecified: true
nullable: false
deprecated: false
cleanBodyParameters:
refresh_token: abc123def456
fileParameters: []
responses:
-
custom: []
status: 200
content: |-
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
"refresh_token": "newtoken123",
"token_type": "bearer",
"expires_in": 3600
}
headers: []
description: ''
-
custom: []
status: 401
content: '{"message":"Invalid or expired refresh token"}'
headers: []
description: ''
responseFields: []
auth:
- headers
- Authorization
- 'Bearer Bearer {token}'
controller: null
method: null
route: null
-
custom: []
httpMethods:
- POST
uri: api/auth/logout
metadata:
custom: []
groupName: Authentication
groupDescription: |-
Endpoints for JWT authentication and session lifecycle.
subgroup: ''
subgroupDescription: ''
title: 'Logout current session'
description: 'Invalidate a refresh token and end the active authenticated session.'
authenticated: true
deprecated: false
headers:
Authorization: 'Bearer Bearer {token}'
Content-Type: application/json
Accept: application/json
urlParameters: []
cleanUrlParameters: []
queryParameters: []
cleanQueryParameters: []
bodyParameters:
refresh_token:
custom: []
name: refresh_token
description: 'Optional refresh token to invalidate immediately.'
required: false
example: abc123def456
type: string
enumValues: []
exampleWasSpecified: true
nullable: false
deprecated: false
cleanBodyParameters:
refresh_token: abc123def456
fileParameters: []
responses:
-
custom: []
status: 200
content: '{"message":"Logged out successfully"}'
headers: []
description: ''
responseFields: []
auth:
- headers
- Authorization
- 'Bearer Bearer {token}'
controller: null
method: null
route: null

224
backend/.scribe/endpoints/00.yaml
View File

@@ -1,224 +0,0 @@
name: Authentication
description: |-
Endpoints for JWT authentication and session lifecycle.
endpoints:
-
custom: []
httpMethods:
- POST
uri: api/auth/login
metadata:
custom: []
groupName: Authentication
groupDescription: |-
Endpoints for JWT authentication and session lifecycle.
subgroup: ''
subgroupDescription: ''
title: 'Login and get tokens'
description: 'Authenticate with email and password to receive an access token and refresh token.'
authenticated: true
deprecated: false
headers:
Authorization: 'Bearer Bearer {token}'
Content-Type: application/json
Accept: application/json
urlParameters: []
cleanUrlParameters: []
queryParameters: []
cleanQueryParameters: []
bodyParameters:
email:
custom: []
name: email
description: 'User email address.'
required: true
example: user@example.com
type: string
enumValues: []
exampleWasSpecified: true
nullable: false
deprecated: false
password:
custom: []
name: password
description: 'User password.'
required: true
example: secret123
type: string
enumValues: []
exampleWasSpecified: true
nullable: false
deprecated: false
cleanBodyParameters:
email: user@example.com
password: secret123
fileParameters: []
responses:
-
custom: []
status: 200
content: |-
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
"refresh_token": "abc123def456",
"token_type": "bearer",
"expires_in": 3600,
"user": {
"id": "550e8400-e29b-41d4-a716-446655440000",
"name": "Alice Johnson",
"email": "user@example.com",
"role": "manager"
}
}
headers: []
description: ''
-
custom: []
status: 401
content: '{"message":"Invalid credentials"}'
headers: []
description: ''
-
custom: []
status: 403
content: '{"message":"Account is inactive"}'
headers: []
description: ''
-
custom: []
status: 422
content: '{"errors":{"email":["The email field is required."],"password":["The password field is required."]}}'
headers: []
description: ''
responseFields: []
auth:
- headers
- Authorization
- 'Bearer Bearer {token}'
controller: null
method: null
route: null
-
custom: []
httpMethods:
- POST
uri: api/auth/refresh
metadata:
custom: []
groupName: Authentication
groupDescription: |-
Endpoints for JWT authentication and session lifecycle.
subgroup: ''
subgroupDescription: ''
title: 'Refresh access token'
description: 'Exchange a valid refresh token for a new access token and refresh token pair.'
authenticated: true
deprecated: false
headers:
Authorization: 'Bearer Bearer {token}'
Content-Type: application/json
Accept: application/json
urlParameters: []
cleanUrlParameters: []
queryParameters: []
cleanQueryParameters: []
bodyParameters:
refresh_token:
custom: []
name: refresh_token
description: 'Refresh token returned by login.'
required: true
example: abc123def456
type: string
enumValues: []
exampleWasSpecified: true
nullable: false
deprecated: false
cleanBodyParameters:
refresh_token: abc123def456
fileParameters: []
responses:
-
custom: []
status: 200
content: |-
{
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...",
"refresh_token": "newtoken123",
"token_type": "bearer",
"expires_in": 3600
}
headers: []
description: ''
-
custom: []
status: 401
content: '{"message":"Invalid or expired refresh token"}'
headers: []
description: ''
responseFields: []
auth:
- headers
- Authorization
- 'Bearer Bearer {token}'
controller: null
method: null
route: null
-
custom: []
httpMethods:
- POST
uri: api/auth/logout
metadata:
custom: []
groupName: Authentication
groupDescription: |-
Endpoints for JWT authentication and session lifecycle.
subgroup: ''
subgroupDescription: ''
title: 'Logout current session'
description: 'Invalidate a refresh token and end the active authenticated session.'
authenticated: true
deprecated: false
headers:
Authorization: 'Bearer Bearer {token}'
Content-Type: application/json
Accept: application/json
urlParameters: []
cleanUrlParameters: []
queryParameters: []
cleanQueryParameters: []
bodyParameters:
refresh_token:
custom: []
name: refresh_token
description: 'Optional refresh token to invalidate immediately.'
required: false
example: abc123def456
type: string
enumValues: []
exampleWasSpecified: true
nullable: false
deprecated: false
cleanBodyParameters:
refresh_token: abc123def456
fileParameters: []
responses:
-
custom: []
status: 200
content: '{"message":"Logged out successfully"}'
headers: []
description: ''
responseFields: []
auth:
- headers
- Authorization
- 'Bearer Bearer {token}'
controller: null
method: null
route: null

6
backend/Dockerfile
View File

@@ -28,6 +28,12 @@ COPY . .
# Install PHP dependencies
RUN composer install --no-interaction --optimize-autoloader
# Install Laravel Boost
RUN php artisan boost:install
RUN php artisan vendor:publish --provider="Laravel\Boost\BoostServiceProvider"
RUN php artisan config:clear
RUN composer dump-autoload
# Set permissions
RUN chmod -R 755 /var/www/html/storage

230
backend/app/Http/Controllers/Api/TeamMemberController.php Normal file
View File

@@ -0,0 +1,230 @@
<?php
namespace App\Http\Controllers\Api;
use App\Http\Controllers\Controller;
use App\Models\TeamMember;
use App\Services\TeamMemberService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Validation\ValidationException;
/**
* @group Team Members
*
* Endpoints for managing team members.
*/
class TeamMemberController extends Controller
{
/**
* Team Member Service instance
*/
protected TeamMemberService $teamMemberService;
/**
* Constructor
*/
public function __construct(TeamMemberService $teamMemberService)
{
$this->teamMemberService = $teamMemberService;
}
/**
* List all team members
*
* Get a list of all team members with optional filtering by active status.
*
* @authenticated
* @queryParam active boolean Filter by active status. Example: true
*
* @response 200 [
* {
* "id": "550e8400-e29b-41d4-a716-446655440000",
* "name": "John Doe",
* "role_id": 1,
* "role": {
* "id": 1,
* "name": "Backend Developer"
* },
* "hourly_rate": "150.00",
* "active": true,
* "created_at": "2024-01-15T10:00:00.000000Z",
* "updated_at": "2024-01-15T10:00:00.000000Z"
* }
* ]
*/
public function index(Request $request): JsonResponse
{
$active = $request->has('active')
? filter_var($request->query('active'), FILTER_VALIDATE_BOOLEAN)
: null;
$teamMembers = $this->teamMemberService->getAll($active);
return response()->json($teamMembers);
}
/**
* Create a new team member
*
* Create a new team member with name, role, and hourly rate.
*
* @authenticated
* @bodyParam name string required Team member name. Example: John Doe
* @bodyParam role_id integer required Role ID. Example: 1
* @bodyParam hourly_rate numeric required Hourly rate (must be > 0). Example: 150.00
* @bodyParam active boolean Active status (defaults to true). Example: true
*
* @response 201 {
* "id": "550e8400-e29b-41d4-a716-446655440000",
* "name": "John Doe",
* "role_id": 1,
* "role": {
* "id": 1,
* "name": "Backend Developer"
* },
* "hourly_rate": "150.00",
* "active": true,
* "created_at": "2024-01-15T10:00:00.000000Z",
* "updated_at": "2024-01-15T10:00:00.000000Z"
* }
* @response 422 {"message":"Validation failed","errors":{"name":["The name field is required."],"hourly_rate":["Hourly rate must be greater than 0"]}}
*/
public function store(Request $request): JsonResponse
{
try {
$teamMember = $this->teamMemberService->create($request->all());
return response()->json($teamMember, 201);
} catch (ValidationException $e) {
return response()->json([
'message' => 'Validation failed',
'errors' => $e->validator->errors(),
], 422);
}
}
/**
* Get a single team member
*
* Get details of a specific team member by ID.
*
* @authenticated
* @urlParam id string required Team member UUID. Example: 550e8400-e29b-41d4-a716-446655440000
*
* @response 200 {
* "id": "550e8400-e29b-41d4-a716-446655440000",
* "name": "John Doe",
* "role_id": 1,
* "role": {
* "id": 1,
* "name": "Backend Developer"
* },
* "hourly_rate": "150.00",
* "active": true,
* "created_at": "2024-01-15T10:00:00.000000Z",
* "updated_at": "2024-01-15T10:00:00.000000Z"
* }
* @response 404 {"message":"Team member not found"}
*/
public function show(string $id): JsonResponse
{
$teamMember = $this->teamMemberService->findById($id);
if (! $teamMember) {
return response()->json([
'message' => 'Team member not found',
], 404);
}
return response()->json($teamMember);
}
/**
* Update a team member
*
* Update details of an existing team member.
*
* @authenticated
* @urlParam id string required Team member UUID. Example: 550e8400-e29b-41d4-a716-446655440000
* @bodyParam name string Team member name. Example: John Doe
* @bodyParam role_id integer Role ID. Example: 1
* @bodyParam hourly_rate numeric Hourly rate (must be > 0). Example: 175.00
* @bodyParam active boolean Active status. Example: false
*
* @response 200 {
* "id": "550e8400-e29b-41d4-a716-446655440000",
* "name": "John Doe",
* "role_id": 1,
* "role": {
* "id": 1,
* "name": "Backend Developer"
* },
* "hourly_rate": "175.00",
* "active": false,
* "created_at": "2024-01-15T10:00:00.000000Z",
* "updated_at": "2024-01-15T11:00:00.000000Z"
* }
* @response 404 {"message":"Team member not found"}
* @response 422 {"message":"Validation failed","errors":{"hourly_rate":["Hourly rate must be greater than 0"]}}
*/
public function update(Request $request, string $id): JsonResponse
{
$teamMember = TeamMember::find($id);
if (! $teamMember) {
return response()->json([
'message' => 'Team member not found',
], 404);
}
try {
$teamMember = $this->teamMemberService->update($teamMember, $request->only([
'name', 'role_id', 'hourly_rate', 'active'
]));
return response()->json($teamMember);
} catch (ValidationException $e) {
return response()->json([
'message' => 'Validation failed',
'errors' => $e->validator->errors(),
], 422);
}
}
/**
* Delete a team member
*
* Delete a team member. Cannot delete if member has allocations or actuals.
*
* @authenticated
* @urlParam id string required Team member UUID. Example: 550e8400-e29b-41d4-a716-446655440000
*
* @response 200 {"message":"Team member deleted successfully"}
* @response 404 {"message":"Team member not found"}
* @response 422 {"message":"Cannot delete team member with active allocations","suggestion":"Consider deactivating the team member instead"}
* @response 422 {"message":"Cannot delete team member with historical data","suggestion":"Consider deactivating the team member instead"}
*/
public function destroy(string $id): JsonResponse
{
$teamMember = TeamMember::find($id);
if (! $teamMember) {
return response()->json([
'message' => 'Team member not found',
], 404);
}
try {
$this->teamMemberService->delete($teamMember);
return response()->json([
'message' => 'Team member deleted successfully',
]);
} catch (\RuntimeException $e) {
return response()->json([
'message' => $e->getMessage(),
'suggestion' => 'Consider deactivating the team member instead',
], 422);
}
}
}

72
backend/app/Policies/TeamMemberPolicy.php Normal file
View File

@@ -0,0 +1,72 @@
<?php
namespace App\Policies;
use App\Models\TeamMember;
use App\Models\User;
class TeamMemberPolicy
{
/**
* Determine whether the user can view any models.
*/
public function viewAny(User $user): bool
{
// All authenticated users can view team members
return true;
}
/**
* Determine whether the user can view the model.
*/
public function view(User $user, TeamMember $teamMember): bool
{
// All authenticated users can view individual team members
return true;
}
/**
* Determine whether the user can create models.
*/
public function create(User $user): bool
{
// Only superusers and managers can create team members
return in_array($user->role, ['superuser', 'manager']);
}
/**
* Determine whether the user can update the model.
*/
public function update(User $user, TeamMember $teamMember): bool
{
// Only superusers and managers can update team members
return in_array($user->role, ['superuser', 'manager']);
}
/**
* Determine whether the user can delete the model.
*/
public function delete(User $user, TeamMember $teamMember): bool
{
// Only superusers and managers can delete team members
return in_array($user->role, ['superuser', 'manager']);
}
/**
* Determine whether the user can restore the model.
*/
public function restore(User $user, TeamMember $teamMember): bool
{
// Only superusers and managers can restore team members
return in_array($user->role, ['superuser', 'manager']);
}
/**
* Determine whether the user can permanently delete the model.
*/
public function forceDelete(User $user, TeamMember $teamMember): bool
{
// Only superusers can force delete team members
return $user->role === 'superuser';
}
}

160
backend/app/Services/TeamMemberService.php Normal file
View File

@@ -0,0 +1,160 @@
<?php
namespace App\Services;
use App\Models\TeamMember;
use Illuminate\Database\Eloquent\Collection;
use Illuminate\Validation\ValidationException;
use Illuminate\Support\Facades\Validator;
/**
* Team Member Service
*
* Handles business logic for team member operations.
*/
class TeamMemberService
{
/**
* Get all team members with optional filtering.
*
* @param bool|null $active Filter by active status
* @return Collection<TeamMember>
*/
public function getAll(?bool $active = null): Collection
{
$query = TeamMember::with('role');
if ($active !== null) {
$query->where('active', $active);
}
return $query->get();
}
/**
* Find a team member by ID.
*
* @param string $id
* @return TeamMember|null
*/
public function findById(string $id): ?TeamMember
{
return TeamMember::with('role')->find($id);
}
/**
* Create a new team member.
*
* @param array $data
* @return TeamMember
* @throws ValidationException
*/
public function create(array $data): TeamMember
{
$validator = Validator::make($data, [
'name' => 'required|string|max:255',
'role_id' => 'required|integer|exists:roles,id',
'hourly_rate' => 'required|numeric|gt:0',
'active' => 'boolean',
], [
'hourly_rate.gt' => 'Hourly rate must be greater than 0',
]);
if ($validator->fails()) {
throw new ValidationException($validator);
}
$teamMember = TeamMember::create([
'name' => $data['name'],
'role_id' => $data['role_id'],
'hourly_rate' => $data['hourly_rate'],
'active' => $data['active'] ?? true,
]);
$teamMember->load('role');
return $teamMember;
}
/**
* Update an existing team member.
*
* @param TeamMember $teamMember
* @param array $data
* @return TeamMember
* @throws ValidationException
*/
public function update(TeamMember $teamMember, array $data): TeamMember
{
$validator = Validator::make($data, [
'name' => 'sometimes|string|max:255',
'role_id' => 'sometimes|integer|exists:roles,id',
'hourly_rate' => 'sometimes|numeric|gt:0',
'active' => 'sometimes|boolean',
], [
'hourly_rate.gt' => 'Hourly rate must be greater than 0',
]);
if ($validator->fails()) {
throw new ValidationException($validator);
}
$teamMember->update($data);
$teamMember->load('role');
return $teamMember;
}
/**
* Delete a team member.
*
* @param TeamMember $teamMember
* @return void
* @throws \RuntimeException
*/
public function delete(TeamMember $teamMember): void
{
// Check if team member has allocations
if ($teamMember->allocations()->exists()) {
throw new \RuntimeException(
'Cannot delete team member with active allocations',
422
);
}
// Check if team member has actuals
if ($teamMember->actuals()->exists()) {
throw new \RuntimeException(
'Cannot delete team member with historical data',
422
);
}
$teamMember->delete();
}
/**
* Check if a team member can be deleted.
*
* @param TeamMember $teamMember
* @return array{canDelete: bool, reason?: string}
*/
public function canDelete(TeamMember $teamMember): array
{
if ($teamMember->allocations()->exists()) {
return [
'canDelete' => false,
'reason' => 'Team member has active allocations',
];
}
if ($teamMember->actuals()->exists()) {
return [
'canDelete' => false,
'reason' => 'Team member has historical data',
];
}
return ['canDelete' => true];
}
}

7
backend/composer.json
View File

@@ -3,7 +3,10 @@
"name": "laravel/laravel",
"type": "project",
"description": "The skeleton application for the Laravel framework.",
"keywords": ["laravel", "framework"],
"keywords": [
"laravel",
"framework"
],
"license": "MIT",
"require": {
"php": "^8.2",
@@ -15,8 +18,8 @@
"tymon/jwt-auth": "^2.0"
},
"require-dev": {
"fakerphp/faker": "^1.23",
"laravel/boost": "^2.1",
"fakerphp/faker": "^1.23",
"laravel/pail": "^1.2.2",
"laravel/pint": "^1.24",
"laravel/sail": "^1.41",

51
backend/config/boost.php Normal file
View File

@@ -0,0 +1,51 @@
<?php
declare(strict_types=1);
return [
/*
|--------------------------------------------------------------------------
| Boost Master Switch
|--------------------------------------------------------------------------
|
| This option may be used to disable all Boost functionality - which
| will prevent Boost's routes from being registered and will also
| disable Boost's browser logging functionality from operating.
|
*/
'enabled' => env('BOOST_ENABLED', true),
/*
|--------------------------------------------------------------------------
| Boost Browser Logs Watcher
|--------------------------------------------------------------------------
|
| The following option may be used to enable or disable the browser logs
| watcher feature within Laravel Boost. The log watcher will read any
| errors within the browser's console to give Boost better context.
|
*/
'browser_logs_watcher' => env('BOOST_BROWSER_LOGS_WATCHER', true),
/*
|--------------------------------------------------------------------------
| Boost Executables Paths
|--------------------------------------------------------------------------
|
| These options allow you to specify custom paths for the executables that
| Boost uses. When configured, they take precedence over the automatic
| discovery mechanism. Leave empty to use defaults from your $PATH.
|
*/
'executable_paths' => [
'php' => env('BOOST_PHP_EXECUTABLE_PATH'),
'composer' => env('BOOST_COMPOSER_EXECUTABLE_PATH'),
'npm' => env('BOOST_NPM_EXECUTABLE_PATH'),
'vendor_bin' => env('BOOST_VENDOR_BIN_EXECUTABLE_PATH'),
],
];

562
backend/resources/views/scribe/index.blade.php
View File

@@ -66,22 +66,6 @@
<a href="#authenticating-requests">Authenticating requests</a>
</li>
</ul>
<ul id="tocify-header-authentication" class="tocify-header">
<li class="tocify-item level-1" data-unique="authentication">
<a href="#authentication">Authentication</a>
</li>
<ul id="tocify-subheader-authentication" class="tocify-subheader">
<li class="tocify-item level-2" data-unique="authentication-POSTapi-auth-login">
<a href="#authentication-POSTapi-auth-login">Login and get tokens</a>
</li>
<li class="tocify-item level-2" data-unique="authentication-POSTapi-auth-refresh">
<a href="#authentication-POSTapi-auth-refresh">Refresh access token</a>
</li>
<li class="tocify-item level-2" data-unique="authentication-POSTapi-auth-logout">
<a href="#authentication-POSTapi-auth-logout">Logout current session</a>
</li>
</ul>
</ul>
</div>
<ul class="toc-footer" id="toc-footer">
@@ -91,7 +75,7 @@
</ul>
<ul class="toc-footer" id="last-updated">
<li>Last updated: February 18, 2026</li>
<li>Last updated: February 19, 2026</li>
</ul>
</div>
@@ -112,549 +96,7 @@ Access tokens are valid for 60 minutes. Use `/api/auth/refresh` with your refres
<p>All authenticated endpoints are marked with a <code>requires authentication</code> badge in the documentation below.</p>
<p>Get tokens from <code>POST /api/auth/login</code>, send access token as <code>Bearer {token}</code>, and renew with <code>POST /api/auth/refresh</code> before access token expiry.</p>
<h1 id="authentication">Authentication</h1>
<p>Endpoints for JWT authentication and session lifecycle.</p>
<h2 id="authentication-POSTapi-auth-login">Login and get tokens</h2>
<p>
<small class="badge badge-darkred">requires authentication</small>
</p>
<p>Authenticate with email and password to receive an access token and refresh token.</p>
<span id="example-requests-POSTapi-auth-login">
<blockquote>Example request:</blockquote>
<div class="bash-example">
<pre><code class="language-bash">curl --request POST \
"http://localhost/api/api/auth/login" \
--header "Authorization: Bearer Bearer {token}" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
--data "{
\"email\": \"user@example.com\",
\"password\": \"secret123\"
}"
</code></pre></div>
<div class="javascript-example">
<pre><code class="language-javascript">const url = new URL(
"http://localhost/api/api/auth/login"
);
const headers = {
"Authorization": "Bearer Bearer {token}",
"Content-Type": "application/json",
"Accept": "application/json",
};
let body = {
"email": "user@example.com",
"password": "secret123"
};
fetch(url, {
method: "POST",
headers,
body: JSON.stringify(body),
}).then(response =&gt; response.json());</code></pre></div>
</span>
<span id="example-responses-POSTapi-auth-login">
<blockquote>
<p>Example response (200):</p>
</blockquote>
<pre>
<code class="language-json" style="max-height: 300px;">{
&quot;access_token&quot;: &quot;eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...&quot;,
&quot;refresh_token&quot;: &quot;abc123def456&quot;,
&quot;token_type&quot;: &quot;bearer&quot;,
&quot;expires_in&quot;: 3600,
&quot;user&quot;: {
&quot;id&quot;: &quot;550e8400-e29b-41d4-a716-446655440000&quot;,
&quot;name&quot;: &quot;Alice Johnson&quot;,
&quot;email&quot;: &quot;user@example.com&quot;,
&quot;role&quot;: &quot;manager&quot;
}
}</code>
</pre>
<blockquote>
<p>Example response (401):</p>
</blockquote>
<pre>
<code class="language-json" style="max-height: 300px;">{
&quot;message&quot;: &quot;Invalid credentials&quot;
}</code>
</pre>
<blockquote>
<p>Example response (403):</p>
</blockquote>
<pre>
<code class="language-json" style="max-height: 300px;">{
&quot;message&quot;: &quot;Account is inactive&quot;
}</code>
</pre>
<blockquote>
<p>Example response (422):</p>
</blockquote>
<pre>
<code class="language-json" style="max-height: 300px;">{
&quot;errors&quot;: {
&quot;email&quot;: [
&quot;The email field is required.&quot;
],
&quot;password&quot;: [
&quot;The password field is required.&quot;
]
}
}</code>
</pre>
</span>
<span id="execution-results-POSTapi-auth-login" hidden>
<blockquote>Received response<span
id="execution-response-status-POSTapi-auth-login"></span>:
</blockquote>
<pre class="json"><code id="execution-response-content-POSTapi-auth-login"
data-empty-response-text="<Empty response>" style="max-height: 400px;"></code></pre>
</span>
<span id="execution-error-POSTapi-auth-login" hidden>
<blockquote>Request failed with error:</blockquote>
<pre><code id="execution-error-message-POSTapi-auth-login">
Tip: Check that you&#039;re properly connected to the network.
If you&#039;re a maintainer of ths API, verify that your API is running and you&#039;ve enabled CORS.
You can check the Dev Tools console for debugging information.</code></pre>
</span>
<form id="form-POSTapi-auth-login" data-method="POST"
data-path="api/auth/login"
data-authed="1"
data-hasfiles="0"
data-isarraybody="0"
autocomplete="off"
onsubmit="event.preventDefault(); executeTryOut('POSTapi-auth-login', this);">
<h3>
Request&nbsp;&nbsp;&nbsp;
<button type="button"
style="background-color: #8fbcd4; padding: 5px 10px; border-radius: 5px; border-width: thin;"
id="btn-tryout-POSTapi-auth-login"
onclick="tryItOut('POSTapi-auth-login');">Try it out
</button>
<button type="button"
style="background-color: #c97a7e; padding: 5px 10px; border-radius: 5px; border-width: thin;"
id="btn-canceltryout-POSTapi-auth-login"
onclick="cancelTryOut('POSTapi-auth-login');" hidden>Cancel 🛑
</button>&nbsp;&nbsp;
<button type="submit"
style="background-color: #6ac174; padding: 5px 10px; border-radius: 5px; border-width: thin;"
id="btn-executetryout-POSTapi-auth-login"
data-initial-text="Send Request 💥"
data-loading-text="⏱ Sending..."
hidden>Send Request 💥
</button>
</h3>
<p>
<small class="badge badge-black">POST</small>
<b><code>api/auth/login</code></b>
</p>
<h4 class="fancy-heading-panel"><b>Headers</b></h4>
<div style="padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>Authorization</code></b>&nbsp;&nbsp;
&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="Authorization" class="auth-value" data-endpoint="POSTapi-auth-login"
value="Bearer Bearer {token}"
data-component="header">
<br>
<p>Example: <code>Bearer Bearer {token}</code></p>
</div>
<div style="padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>Content-Type</code></b>&nbsp;&nbsp;
&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="Content-Type" data-endpoint="POSTapi-auth-login"
value="application/json"
data-component="header">
<br>
<p>Example: <code>application/json</code></p>
</div>
<div style="padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>Accept</code></b>&nbsp;&nbsp;
&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="Accept" data-endpoint="POSTapi-auth-login"
value="application/json"
data-component="header">
<br>
<p>Example: <code>application/json</code></p>
</div>
<h4 class="fancy-heading-panel"><b>Body Parameters</b></h4>
<div style=" padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>email</code></b>&nbsp;&nbsp;
<small>string</small>&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="email" data-endpoint="POSTapi-auth-login"
value="user@example.com"
data-component="body">
<br>
<p>User email address. Example: <code>user@example.com</code></p>
</div>
<div style=" padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>password</code></b>&nbsp;&nbsp;
<small>string</small>&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="password" data-endpoint="POSTapi-auth-login"
value="secret123"
data-component="body">
<br>
<p>User password. Example: <code>secret123</code></p>
</div>
</form>
<h2 id="authentication-POSTapi-auth-refresh">Refresh access token</h2>
<p>
<small class="badge badge-darkred">requires authentication</small>
</p>
<p>Exchange a valid refresh token for a new access token and refresh token pair.</p>
<span id="example-requests-POSTapi-auth-refresh">
<blockquote>Example request:</blockquote>
<div class="bash-example">
<pre><code class="language-bash">curl --request POST \
"http://localhost/api/api/auth/refresh" \
--header "Authorization: Bearer Bearer {token}" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
--data "{
\"refresh_token\": \"abc123def456\"
}"
</code></pre></div>
<div class="javascript-example">
<pre><code class="language-javascript">const url = new URL(
"http://localhost/api/api/auth/refresh"
);
const headers = {
"Authorization": "Bearer Bearer {token}",
"Content-Type": "application/json",
"Accept": "application/json",
};
let body = {
"refresh_token": "abc123def456"
};
fetch(url, {
method: "POST",
headers,
body: JSON.stringify(body),
}).then(response =&gt; response.json());</code></pre></div>
</span>
<span id="example-responses-POSTapi-auth-refresh">
<blockquote>
<p>Example response (200):</p>
</blockquote>
<pre>
<code class="language-json" style="max-height: 300px;">{
&quot;access_token&quot;: &quot;eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9...&quot;,
&quot;refresh_token&quot;: &quot;newtoken123&quot;,
&quot;token_type&quot;: &quot;bearer&quot;,
&quot;expires_in&quot;: 3600
}</code>
</pre>
<blockquote>
<p>Example response (401):</p>
</blockquote>
<pre>
<code class="language-json" style="max-height: 300px;">{
&quot;message&quot;: &quot;Invalid or expired refresh token&quot;
}</code>
</pre>
</span>
<span id="execution-results-POSTapi-auth-refresh" hidden>
<blockquote>Received response<span
id="execution-response-status-POSTapi-auth-refresh"></span>:
</blockquote>
<pre class="json"><code id="execution-response-content-POSTapi-auth-refresh"
data-empty-response-text="<Empty response>" style="max-height: 400px;"></code></pre>
</span>
<span id="execution-error-POSTapi-auth-refresh" hidden>
<blockquote>Request failed with error:</blockquote>
<pre><code id="execution-error-message-POSTapi-auth-refresh">
Tip: Check that you&#039;re properly connected to the network.
If you&#039;re a maintainer of ths API, verify that your API is running and you&#039;ve enabled CORS.
You can check the Dev Tools console for debugging information.</code></pre>
</span>
<form id="form-POSTapi-auth-refresh" data-method="POST"
data-path="api/auth/refresh"
data-authed="1"
data-hasfiles="0"
data-isarraybody="0"
autocomplete="off"
onsubmit="event.preventDefault(); executeTryOut('POSTapi-auth-refresh', this);">
<h3>
Request&nbsp;&nbsp;&nbsp;
<button type="button"
style="background-color: #8fbcd4; padding: 5px 10px; border-radius: 5px; border-width: thin;"
id="btn-tryout-POSTapi-auth-refresh"
onclick="tryItOut('POSTapi-auth-refresh');">Try it out
</button>
<button type="button"
style="background-color: #c97a7e; padding: 5px 10px; border-radius: 5px; border-width: thin;"
id="btn-canceltryout-POSTapi-auth-refresh"
onclick="cancelTryOut('POSTapi-auth-refresh');" hidden>Cancel 🛑
</button>&nbsp;&nbsp;
<button type="submit"
style="background-color: #6ac174; padding: 5px 10px; border-radius: 5px; border-width: thin;"
id="btn-executetryout-POSTapi-auth-refresh"
data-initial-text="Send Request 💥"
data-loading-text="⏱ Sending..."
hidden>Send Request 💥
</button>
</h3>
<p>
<small class="badge badge-black">POST</small>
<b><code>api/auth/refresh</code></b>
</p>
<h4 class="fancy-heading-panel"><b>Headers</b></h4>
<div style="padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>Authorization</code></b>&nbsp;&nbsp;
&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="Authorization" class="auth-value" data-endpoint="POSTapi-auth-refresh"
value="Bearer Bearer {token}"
data-component="header">
<br>
<p>Example: <code>Bearer Bearer {token}</code></p>
</div>
<div style="padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>Content-Type</code></b>&nbsp;&nbsp;
&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="Content-Type" data-endpoint="POSTapi-auth-refresh"
value="application/json"
data-component="header">
<br>
<p>Example: <code>application/json</code></p>
</div>
<div style="padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>Accept</code></b>&nbsp;&nbsp;
&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="Accept" data-endpoint="POSTapi-auth-refresh"
value="application/json"
data-component="header">
<br>
<p>Example: <code>application/json</code></p>
</div>
<h4 class="fancy-heading-panel"><b>Body Parameters</b></h4>
<div style=" padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>refresh_token</code></b>&nbsp;&nbsp;
<small>string</small>&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="refresh_token" data-endpoint="POSTapi-auth-refresh"
value="abc123def456"
data-component="body">
<br>
<p>Refresh token returned by login. Example: <code>abc123def456</code></p>
</div>
</form>
<h2 id="authentication-POSTapi-auth-logout">Logout current session</h2>
<p>
<small class="badge badge-darkred">requires authentication</small>
</p>
<p>Invalidate a refresh token and end the active authenticated session.</p>
<span id="example-requests-POSTapi-auth-logout">
<blockquote>Example request:</blockquote>
<div class="bash-example">
<pre><code class="language-bash">curl --request POST \
"http://localhost/api/api/auth/logout" \
--header "Authorization: Bearer Bearer {token}" \
--header "Content-Type: application/json" \
--header "Accept: application/json" \
--data "{
\"refresh_token\": \"abc123def456\"
}"
</code></pre></div>
<div class="javascript-example">
<pre><code class="language-javascript">const url = new URL(
"http://localhost/api/api/auth/logout"
);
const headers = {
"Authorization": "Bearer Bearer {token}",
"Content-Type": "application/json",
"Accept": "application/json",
};
let body = {
"refresh_token": "abc123def456"
};
fetch(url, {
method: "POST",
headers,
body: JSON.stringify(body),
}).then(response =&gt; response.json());</code></pre></div>
</span>
<span id="example-responses-POSTapi-auth-logout">
<blockquote>
<p>Example response (200):</p>
</blockquote>
<pre>
<code class="language-json" style="max-height: 300px;">{
&quot;message&quot;: &quot;Logged out successfully&quot;
}</code>
</pre>
</span>
<span id="execution-results-POSTapi-auth-logout" hidden>
<blockquote>Received response<span
id="execution-response-status-POSTapi-auth-logout"></span>:
</blockquote>
<pre class="json"><code id="execution-response-content-POSTapi-auth-logout"
data-empty-response-text="<Empty response>" style="max-height: 400px;"></code></pre>
</span>
<span id="execution-error-POSTapi-auth-logout" hidden>
<blockquote>Request failed with error:</blockquote>
<pre><code id="execution-error-message-POSTapi-auth-logout">
Tip: Check that you&#039;re properly connected to the network.
If you&#039;re a maintainer of ths API, verify that your API is running and you&#039;ve enabled CORS.
You can check the Dev Tools console for debugging information.</code></pre>
</span>
<form id="form-POSTapi-auth-logout" data-method="POST"
data-path="api/auth/logout"
data-authed="1"
data-hasfiles="0"
data-isarraybody="0"
autocomplete="off"
onsubmit="event.preventDefault(); executeTryOut('POSTapi-auth-logout', this);">
<h3>
Request&nbsp;&nbsp;&nbsp;
<button type="button"
style="background-color: #8fbcd4; padding: 5px 10px; border-radius: 5px; border-width: thin;"
id="btn-tryout-POSTapi-auth-logout"
onclick="tryItOut('POSTapi-auth-logout');">Try it out
</button>
<button type="button"
style="background-color: #c97a7e; padding: 5px 10px; border-radius: 5px; border-width: thin;"
id="btn-canceltryout-POSTapi-auth-logout"
onclick="cancelTryOut('POSTapi-auth-logout');" hidden>Cancel 🛑
</button>&nbsp;&nbsp;
<button type="submit"
style="background-color: #6ac174; padding: 5px 10px; border-radius: 5px; border-width: thin;"
id="btn-executetryout-POSTapi-auth-logout"
data-initial-text="Send Request 💥"
data-loading-text="⏱ Sending..."
hidden>Send Request 💥
</button>
</h3>
<p>
<small class="badge badge-black">POST</small>
<b><code>api/auth/logout</code></b>
</p>
<h4 class="fancy-heading-panel"><b>Headers</b></h4>
<div style="padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>Authorization</code></b>&nbsp;&nbsp;
&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="Authorization" class="auth-value" data-endpoint="POSTapi-auth-logout"
value="Bearer Bearer {token}"
data-component="header">
<br>
<p>Example: <code>Bearer Bearer {token}</code></p>
</div>
<div style="padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>Content-Type</code></b>&nbsp;&nbsp;
&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="Content-Type" data-endpoint="POSTapi-auth-logout"
value="application/json"
data-component="header">
<br>
<p>Example: <code>application/json</code></p>
</div>
<div style="padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>Accept</code></b>&nbsp;&nbsp;
&nbsp;
&nbsp;
&nbsp;
<input type="text" style="display: none"
name="Accept" data-endpoint="POSTapi-auth-logout"
value="application/json"
data-component="header">
<br>
<p>Example: <code>application/json</code></p>
</div>
<h4 class="fancy-heading-panel"><b>Body Parameters</b></h4>
<div style=" padding-left: 28px; clear: unset;">
<b style="line-height: 2;"><code>refresh_token</code></b>&nbsp;&nbsp;
<small>string</small>&nbsp;
<i>optional</i> &nbsp;
&nbsp;
<input type="text" style="display: none"
name="refresh_token" data-endpoint="POSTapi-auth-logout"
value="abc123def456"
data-component="body">
<br>
<p>Optional refresh token to invalidate immediately. Example: <code>abc123def456</code></p>
</div>
</form>
</div>
<div class="dark-box">

4
backend/routes/api.php
View File

@@ -1,6 +1,7 @@
<?php
use App\Http\Controllers\Api\AuthController;
use App\Http\Controllers\Api\TeamMemberController;
use App\Http\Middleware\JwtAuth;
use Illuminate\Support\Facades\Route;
@@ -28,4 +29,7 @@ Route::middleware(JwtAuth::class)->group(function () {
'role' => $request->user()->role,
]);
});
// Team Members
Route::apiResource('team-members', TeamMemberController::class);
});

238
backend/tests/Feature/TeamMember/TeamMemberTest.php Normal file
View File

@@ -0,0 +1,238 @@
<?php
namespace Tests\Feature\TeamMember;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
use App\Models\User;
use App\Models\TeamMember;
use App\Models\Role;
use App\Models\Allocation;
use App\Models\Project;
class TeamMemberTest extends TestCase
{
use RefreshDatabase;
protected function setUp(): void
{
parent::setUp();
}
protected function loginAsManager()
{
$user = User::factory()->create([
'email' => 'manager@example.com',
'password' => bcrypt('password123'),
'role' => 'manager',
'active' => true,
]);
$response = $this->postJson('/api/auth/login', [
'email' => 'manager@example.com',
'password' => 'password123',
]);
return $response->json('access_token');
}
// 2.1.9 API test: POST /api/team-members creates member
public function test_post_team_members_creates_member()
{
$token = $this->loginAsManager();
$role = Role::factory()->create(['name' => 'Backend Developer']);
$response = $this->withHeader('Authorization', "Bearer {$token}")
->postJson('/api/team-members', [
'name' => 'John Doe',
'role_id' => $role->id,
'hourly_rate' => 150.00,
'active' => true,
]);
$response->assertStatus(201);
$response->assertJson([
'name' => 'John Doe',
'role_id' => $role->id,
'hourly_rate' => '150.00',
'active' => true,
]);
$this->assertDatabaseHas('team_members', [
'name' => 'John Doe',
'role_id' => $role->id,
'active' => true,
]);
}
// 2.1.10 API test: Validate hourly_rate > 0
public function test_validate_hourly_rate_must_be_greater_than_zero()
{
$token = $this->loginAsManager();
$role = Role::factory()->create(['name' => 'Backend Developer']);
// Test with zero
$response = $this->withHeader('Authorization', "Bearer {$token}")
->postJson('/api/team-members', [
'name' => 'John Doe',
'role_id' => $role->id,
'hourly_rate' => 0,
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors(['hourly_rate']);
// Test with negative
$response = $this->withHeader('Authorization', "Bearer {$token}")
->postJson('/api/team-members', [
'name' => 'John Doe',
'role_id' => $role->id,
'hourly_rate' => -50,
]);
$response->assertStatus(422);
$response->assertJsonValidationErrors(['hourly_rate']);
$response->assertJsonFragment([
'hourly_rate' => ['Hourly rate must be greater than 0'],
]);
}
// 2.1.11 API test: Validate required fields
public function test_validate_required_fields()
{
$token = $this->loginAsManager();
$response = $this->withHeader('Authorization', "Bearer {$token}")
->postJson('/api/team-members', []);
$response->assertStatus(422);
$response->assertJsonValidationErrors(['name', 'role_id', 'hourly_rate']);
}
// 2.1.12 API test: GET /api/team-members returns all members
public function test_get_team_members_returns_all_members()
{
$token = $this->loginAsManager();
$role = Role::factory()->create();
// Create active and inactive team members
TeamMember::factory()->count(2)->create(['role_id' => $role->id, 'active' => true]);
TeamMember::factory()->create(['role_id' => $role->id, 'active' => false]);
$response = $this->withHeader('Authorization', "Bearer {$token}")
->getJson('/api/team-members');
$response->assertStatus(200);
$response->assertJsonCount(3);
}
// 2.1.13 API test: Filter by active status
public function test_filter_by_active_status()
{
$token = $this->loginAsManager();
$role = Role::factory()->create();
// Create active and inactive team members
TeamMember::factory()->count(2)->create(['role_id' => $role->id, 'active' => true]);
TeamMember::factory()->create(['role_id' => $role->id, 'active' => false]);
// Get only active
$response = $this->withHeader('Authorization', "Bearer {$token}")
->getJson('/api/team-members?active=true');
$response->assertStatus(200);
$response->assertJsonCount(2);
// Get only inactive
$response = $this->withHeader('Authorization', "Bearer {$token}")
->getJson('/api/team-members?active=false');
$response->assertStatus(200);
$response->assertJsonCount(1);
}
// 2.1.14 API test: PUT /api/team-members/{id} updates member
public function test_put_team_members_updates_member()
{
$token = $this->loginAsManager();
$role = Role::factory()->create();
$teamMember = TeamMember::factory()->create([
'role_id' => $role->id,
'hourly_rate' => 150.00,
]);
$response = $this->withHeader('Authorization', "Bearer {$token}")
->putJson("/api/team-members/{$teamMember->id}", [
'hourly_rate' => 175.00,
]);
$response->assertStatus(200);
$response->assertJson([
'id' => $teamMember->id,
'hourly_rate' => '175.00',
]);
$this->assertDatabaseHas('team_members', [
'id' => $teamMember->id,
'hourly_rate' => '175.00',
]);
}
// 2.1.15 API test: Deactivate sets active=false
public function test_deactivate_sets_active_to_false()
{
$token = $this->loginAsManager();
$role = Role::factory()->create();
$teamMember = TeamMember::factory()->create([
'role_id' => $role->id,
'active' => true,
]);
$response = $this->withHeader('Authorization', "Bearer {$token}")
->putJson("/api/team-members/{$teamMember->id}", [
'active' => false,
]);
$response->assertStatus(200);
$response->assertJson([
'id' => $teamMember->id,
'active' => false,
]);
$this->assertDatabaseHas('team_members', [
'id' => $teamMember->id,
'active' => false,
]);
}
// 2.1.16 API test: DELETE rejected if allocations exist
public function test_delete_rejected_if_allocations_exist()
{
$token = $this->loginAsManager();
$role = Role::factory()->create();
$teamMember = TeamMember::factory()->create(['role_id' => $role->id]);
$project = Project::factory()->create();
// Create an allocation for the team member
Allocation::factory()->create([
'team_member_id' => $teamMember->id,
'project_id' => $project->id,
'month' => '2024-01',
'allocated_hours' => 40,
]);
$response = $this->withHeader('Authorization', "Bearer {$token}")
->deleteJson("/api/team-members/{$teamMember->id}");
$response->assertStatus(422);
$response->assertJson([
'message' => 'Cannot delete team member with active allocations',
'suggestion' => 'Consider deactivating the team member instead',
]);
// Verify the team member still exists
$this->assertDatabaseHas('team_members', [
'id' => $teamMember->id,
]);
}
}

78
backend/tests/Unit/Models/TeamMemberConstraintTest.php Normal file
View File

@@ -0,0 +1,78 @@
<?php
namespace Tests\Unit\Models;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
use App\Models\TeamMember;
use App\Models\Allocation;
use App\Models\Actual;
use App\Models\Project;
use App\Models\Role;
class TeamMemberConstraintTest extends TestCase
{
use RefreshDatabase;
// 2.1.19 Unit test: Cannot delete with allocations constraint
public function test_cannot_delete_team_member_with_allocations()
{
$role = Role::factory()->create();
$teamMember = TeamMember::factory()->create(['role_id' => $role->id]);
$project = Project::factory()->create();
// Create an allocation for the team member
Allocation::factory()->create([
'team_member_id' => $teamMember->id,
'project_id' => $project->id,
'month' => '2024-01',
'allocated_hours' => 40,
]);
// Verify allocation exists
$this->assertTrue($teamMember->fresh()->allocations()->exists());
// Attempt to delete should be prevented by controller logic
// This test documents the constraint behavior
$this->assertTrue($teamMember->allocations()->exists());
}
public function test_cannot_delete_team_member_with_actuals()
{
$role = Role::factory()->create();
$teamMember = TeamMember::factory()->create(['role_id' => $role->id]);
$project = Project::factory()->create();
// Create an actual for the team member
Actual::factory()->create([
'team_member_id' => $teamMember->id,
'project_id' => $project->id,
'month' => '2024-01',
'hours_logged' => 40,
]);
// Verify actual exists
$this->assertTrue($teamMember->fresh()->actuals()->exists());
// This test documents the constraint behavior
$this->assertTrue($teamMember->actuals()->exists());
}
public function test_can_delete_team_member_without_allocations_or_actuals()
{
$role = Role::factory()->create();
$teamMember = TeamMember::factory()->create(['role_id' => $role->id]);
// Verify no allocations or actuals
$this->assertFalse($teamMember->allocations()->exists());
$this->assertFalse($teamMember->actuals()->exists());
// Delete should succeed
$teamMemberId = $teamMember->id;
$teamMember->delete();
$this->assertDatabaseMissing('team_members', [
'id' => $teamMemberId,
]);
}
}

46
backend/tests/Unit/Models/TeamMemberModelTest.php Normal file
View File

@@ -0,0 +1,46 @@
<?php
namespace Tests\Unit\Models;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
use App\Models\TeamMember;
use App\Models\Role;
class TeamMemberModelTest extends TestCase
{
use RefreshDatabase;
// 2.1.17 Unit test: TeamMember model validation
public function test_team_member_model_validation()
{
$role = Role::factory()->create();
// Test valid team member
$teamMember = TeamMember::factory()->create([
'role_id' => $role->id,
'name' => 'John Doe',
'hourly_rate' => 150.00,
'active' => true,
]);
$this->assertInstanceOf(TeamMember::class, $teamMember);
$this->assertEquals('John Doe', $teamMember->name);
$this->assertEquals('150.00', $teamMember->hourly_rate);
$this->assertTrue($teamMember->active);
$this->assertEquals($role->id, $teamMember->role_id);
// Test casts
$this->assertIsBool($teamMember->active);
$this->assertIsString($teamMember->hourly_rate);
}
public function test_team_member_has_role_relationship()
{
$role = Role::factory()->create(['name' => 'Backend Developer']);
$teamMember = TeamMember::factory()->create(['role_id' => $role->id]);
$this->assertInstanceOf(Role::class, $teamMember->role);
$this->assertEquals('Backend Developer', $teamMember->role->name);
}
}

45
backend/tests/Unit/Policies/TeamMemberPolicyTest.php Normal file
View File

@@ -0,0 +1,45 @@
<?php
namespace Tests\Unit\Policies;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
use App\Models\User;
use App\Models\TeamMember;
use App\Models\Role;
use Illuminate\Support\Facades\Gate;
class TeamMemberPolicyTest extends TestCase
{
use RefreshDatabase;
// 2.1.18 Unit test: TeamMemberPolicy authorization
public function test_team_member_policy_authorization()
{
$superuser = User::factory()->create(['role' => 'superuser']);
$manager = User::factory()->create(['role' => 'manager']);
$developer = User::factory()->create(['role' => 'developer']);
$teamMember = TeamMember::factory()->create();
// Superuser can perform all actions
$this->actingAs($superuser);
$this->assertTrue(Gate::allows('viewAny', TeamMember::class));
$this->assertTrue(Gate::allows('view', $teamMember));
$this->assertTrue(Gate::allows('create', TeamMember::class));
$this->assertTrue(Gate::allows('update', $teamMember));
$this->assertTrue(Gate::allows('delete', $teamMember));
// Manager can perform all actions
$this->actingAs($manager);
$this->assertTrue(Gate::allows('viewAny', TeamMember::class));
$this->assertTrue(Gate::allows('view', $teamMember));
$this->assertTrue(Gate::allows('create', TeamMember::class));
$this->assertTrue(Gate::allows('update', $teamMember));
$this->assertTrue(Gate::allows('delete', $teamMember));
// Developer can only view
$this->actingAs($developer);
$this->assertTrue(Gate::allows('viewAny', TeamMember::class));
$this->assertTrue(Gate::allows('view', $teamMember));
}
}