From 7c0e3011ed88a6e94d644d83fe48860cbe6eaeb5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=90=9D=E5=8D=9C?= <dev@saasshop.local>
Date: Fri, 20 Mar 2026 10:35:19 +0800
Subject: [PATCH] =?UTF-8?q?=E8=A1=A5=E9=BD=90=E5=A5=97=E9=A4=90=E8=AF=A6?=
 =?UTF-8?q?=E6=83=85=E9=A1=B5=E6=B2=BB=E7=90=86=E5=85=A5=E5=8F=A3=E5=9B=9E?=
 =?UTF-8?q?=E9=93=BE=E6=B5=8B=E8=AF=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 tests/Feature/AdminPlanShowTest.php | 88 +++++++++++++++++++++++++++++
 1 file changed, 88 insertions(+)

diff --git a/tests/Feature/AdminPlanShowTest.php b/tests/Feature/AdminPlanShowTest.php
index e097687..ed659fe 100644
--- a/tests/Feature/AdminPlanShowTest.php
+++ b/tests/Feature/AdminPlanShowTest.php
@@ -277,4 +277,92 @@ class AdminPlanShowTest extends TestCase
         $res->assertSee($expectedCreateOrderUrl, false);
         $res->assertDontSee('back=' . $safeBack, false);
     }
+
+    public function test_plan_show_platform_order_governance_links_should_use_self_back_when_outer_back_is_unsafe(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $plan = Plan::query()->create([
+            'code' => 'plan_show_governance_unsafe_back_test',
+            'name' => '套餐详情治理入口 unsafe back 测试套餐',
+            'billing_cycle' => 'monthly',
+            'price' => 76,
+            'list_price' => 96,
+            'status' => 'active',
+            'sort' => 10,
+        ]);
+
+        $unsafeBack = '/admin/plans?status=active&back=/admin/platform-orders';
+
+        $res = $this->get('/admin/plans/' . $plan->id . '?back=' . urlencode($unsafeBack));
+        $res->assertOk();
+
+        $planShowSelf = '/admin/plans/' . $plan->id;
+
+        $expectedOrdersUrl = '/admin/platform-orders?' . Arr::query([
+            'plan_id' => $plan->id,
+            'back' => $planShowSelf,
+        ]);
+        $expectedPaidNoReceiptUrl = '/admin/platform-orders?' . Arr::query([
+            'plan_id' => $plan->id,
+            'payment_status' => 'paid',
+            'receipt_status' => 'none',
+            'back' => $planShowSelf,
+        ]);
+        $expectedRenewalMissingUrl = '/admin/platform-orders?' . Arr::query([
+            'plan_id' => $plan->id,
+            'renewal_missing_subscription' => '1',
+            'back' => $planShowSelf,
+        ]);
+
+        $res->assertSee($expectedOrdersUrl, false);
+        $res->assertSee($expectedPaidNoReceiptUrl, false);
+        $res->assertSee($expectedRenewalMissingUrl, false);
+        $res->assertDontSee('back=' . $unsafeBack, false);
+        $res->assertDontSee('back%3D', false);
+    }
+
+    public function test_plan_show_subscription_governance_links_should_use_self_back_when_outer_back_is_unsafe(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $plan = Plan::query()->create([
+            'code' => 'plan_show_subscription_governance_unsafe_back_test',
+            'name' => '套餐详情订阅治理入口 unsafe back 测试套餐',
+            'billing_cycle' => 'monthly',
+            'price' => 86,
+            'list_price' => 106,
+            'status' => 'active',
+            'sort' => 10,
+        ]);
+
+        $unsafeBack = '/admin/plans?status=active&back=/admin/site-subscriptions';
+
+        $res = $this->get('/admin/plans/' . $plan->id . '?back=' . urlencode($unsafeBack));
+        $res->assertOk();
+
+        $planShowSelf = '/admin/plans/' . $plan->id;
+
+        $expectedSubscriptionsUrl = '/admin/site-subscriptions?' . Arr::query([
+            'plan_id' => $plan->id,
+            'back' => $planShowSelf,
+        ]);
+        $expectedActivatedSubscriptionsUrl = '/admin/site-subscriptions?' . Arr::query([
+            'plan_id' => $plan->id,
+            'status' => 'activated',
+            'back' => $planShowSelf,
+        ]);
+        $expectedExpiringSubscriptionsUrl = '/admin/site-subscriptions?' . Arr::query([
+            'plan_id' => $plan->id,
+            'expiry' => 'expiring_7d',
+            'back' => $planShowSelf,
+        ]);
+
+        $res->assertSee($expectedSubscriptionsUrl, false);
+        $res->assertSee($expectedActivatedSubscriptionsUrl, false);
+        $res->assertSee($expectedExpiringSubscriptionsUrl, false);
+        $res->assertDontSee('back=' . $unsafeBack, false);
+        $res->assertDontSee('back%3D', false);
+    }
 }
+