saasshop/tests/Feature/AdminPlatformOrderShowBackLinkTest.php

<?php

namespace Tests\Feature;

use App\Models\Merchant;
use App\Models\Plan;
use App\Models\PlatformOrder;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class AdminPlatformOrderShowBackLinkTest extends TestCase
{
    use RefreshDatabase;

    protected function loginAsPlatformAdmin(): void
    {
        $this->seed();

        $this->post('/admin/login', [
            'email' => 'platform.admin@demo.local',
            'password' => 'Platform@123456',
        ])->assertRedirect('/admin');
    }

    public function test_show_page_renders_safe_back_link_when_back_query_present(): void
    {
        $this->loginAsPlatformAdmin();

        $merchant = Merchant::query()->firstOrFail();
        $plan = Plan::query()->create([
            'code' => 'po_show_back_link_plan',
            'name' => '平台订单详情返回链接测试套餐',
            'billing_cycle' => 'monthly',
            'price' => 10,
            'list_price' => 10,
            'status' => 'active',
            'sort' => 10,
            'published_at' => now(),
        ]);

        $order = PlatformOrder::query()->create([
            'merchant_id' => $merchant->id,
            'plan_id' => $plan->id,
            'order_no' => 'PO_SHOW_BACK_0001',
            'order_type' => 'new_purchase',
            'status' => 'pending',
            'payment_status' => 'unpaid',
            'plan_name' => $plan->name,
            'billing_cycle' => $plan->billing_cycle,
            'period_months' => 1,
            'quantity' => 1,
            'payable_amount' => 10,
            'paid_amount' => 0,
            'placed_at' => now(),
            'meta' => [],
        ]);

        $back = '/admin/platform-orders?status=pending';
        $this->get('/admin/platform-orders/' . $order->id . '?back=' . urlencode($back))
            ->assertOk()
            ->assertSee('返回上一页（保留上下文）')
            ->assertSee($back, false);
    }

    public function test_show_page_does_not_render_back_link_when_back_is_not_relative_path(): void
    {
        $this->loginAsPlatformAdmin();

        $merchant = Merchant::query()->firstOrFail();
        $plan = Plan::query()->create([
            'code' => 'po_show_back_link_plan2',
            'name' => '平台订单详情返回链接测试套餐2',
            'billing_cycle' => 'monthly',
            'price' => 10,
            'list_price' => 10,
            'status' => 'active',
            'sort' => 10,
            'published_at' => now(),
        ]);

        $order = PlatformOrder::query()->create([
            'merchant_id' => $merchant->id,
            'plan_id' => $plan->id,
            'order_no' => 'PO_SHOW_BACK_0002',
            'order_type' => 'new_purchase',
            'status' => 'pending',
            'payment_status' => 'unpaid',
            'plan_name' => $plan->name,
            'billing_cycle' => $plan->billing_cycle,
            'period_months' => 1,
            'quantity' => 1,
            'payable_amount' => 10,
            'paid_amount' => 0,
            'placed_at' => now(),
            'meta' => [],
        ]);

        $this->get('/admin/platform-orders/' . $order->id . '?back=https://evil.example.com')
            ->assertOk()
            ->assertDontSee('返回上一页（保留上下文）');

        // 协议相对 URL 也应被拒绝
        $this->get('/admin/platform-orders/' . $order->id . '?back=' . urlencode('//evil.example.com/a'))
            ->assertOk()
            ->assertDontSee('返回上一页（保留上下文）');
    }
}