补齐平台订单详情页商家套餐回链测试

2026-03-20 09:13:56 +08:00
parent 294c5f681b
commit 9b46699ed7
1 changed files with 58 additions and 0 deletions
--- a/tests/Feature/AdminPlatformOrderShowMerchantPlanLinksContainBackTest.php
+++ b/tests/Feature/AdminPlatformOrderShowMerchantPlanLinksContainBackTest.php
@@ -75,4 +75,62 @@ class AdminPlatformOrderShowMerchantPlanLinksContainBackTest extends TestCase
        $res->assertSee($expectedMerchantUrl, false);
        $res->assertSee($expectedPlanUrl, false);
    }
+
+    public function test_show_page_merchant_and_plan_links_should_still_use_order_show_self_back_when_outer_back_is_unsafe(): void
+    {
+        $this->loginAsPlatformAdmin();
+
+        $merchant = Merchant::query()->firstOrFail();
+
+        $plan = Plan::query()->create([
+            'code' => 'po_show_merchant_plan_unsafe_back_test',
+            'name' => '平台订单详情商家/套餐 unsafe back 链接测试套餐',
+            'billing_cycle' => 'monthly',
+            'price' => 10,
+            'list_price' => 10,
+            'status' => 'active',
+            'sort' => 10,
+            'published_at' => now(),
+        ]);
+
+        $order = PlatformOrder::query()->create([
+            'merchant_id' => $merchant->id,
+            'plan_id' => $plan->id,
+            'order_no' => 'PO_SHOW_MERCHANT_PLAN_BACK_0002',
+            'order_type' => 'new_purchase',
+            'status' => 'pending',
+            'payment_status' => 'unpaid',
+            'plan_name' => $plan->name,
+            'billing_cycle' => $plan->billing_cycle,
+            'period_months' => 1,
+            'quantity' => 1,
+            'payable_amount' => 10,
+            'paid_amount' => 0,
+            'placed_at' => now(),
+            'meta' => [],
+        ]);
+
+        $unsafeBack = '/admin/platform-orders?' . Arr::query([
+            'status' => 'pending',
+            'back' => '/admin',
+        ]);
+
+        $res = $this->get('/admin/platform-orders/' . $order->id . '?back=' . urlencode($unsafeBack));
+        $res->assertOk();
+
+        $expectedMerchantUrl = '/admin/platform-orders?' . Arr::query([
+            'merchant_id' => $merchant->id,
+            'back' => '/admin/platform-orders/' . $order->id,
+        ]);
+
+        $expectedPlanUrl = '/admin/platform-orders?' . Arr::query([
+            'plan_id' => $plan->id,
+            'back' => '/admin/platform-orders/' . $order->id,
+        ]);
+
+        $res->assertSee($expectedMerchantUrl, false);
+        $res->assertSee($expectedPlanUrl, false);
+        $res->assertDontSee('back=' . $unsafeBack, false);
+        $res->assertDontSee('back%3D', false);
+    }
 }