TextRepository gains findByUser; JsonTextRepository and the
fake implement filtering by stored userId. TextController
splits the list endpoint into getMyTexts (own) and
getAllTexts (admin), and getText now requires the session
user, returning 403 to non-owners while admins bypass.

Add failing tests for getMyTexts (own-only), getAllTexts
(admin), getText 403 for non-owner, and admin bypass on
getText. Existing test_get_one_text updated to pass the
session user via the new request signature.

Text now requires a User on construction. Seed a user in
each test setUp that creates a Text directly or through the
fake repository so the suite remains green.

Cover that the created Text carries the supplied User, that
the controller persists the user from the session attribute,
and that any userId in the request body is ignored.

Include the user when rebuilding Text instances in find and
getAll, preserving the rule that lookup methods return new
instances rather than stored references.

Forcing every call site to be explicit about admin status and
password eliminates a class of bugs where an unintended
isAdmin=false or empty passwordHash could silently slip through.
The CreateUserTest case that asserted the isAdmin default is
dropped since the default no longer exists.

Add a trivial prefix-based PasswordHasher fake and inject it into the
three test files that exercise CreateUser or AuthenticateUser. Drops
the full phpunit suite from ~7.4s to ~30ms (about 224x) without
losing coverage: the round-trip through hash/verify still validates
that CreateUser stores something other than the plaintext and that
AuthenticateUser only succeeds on a matching hash.
CreateUserTest is also refactored to use a setUp method, matching
the pattern already used in AuthenticateUserTest and AuthControllerTest.