Add tests for events, event series, locations, organizations, personal access tokens, user roles; fix ability check for creating user roles and restriction to own personal access tokens

patrickrobrecht · patrickrobrecht · commit 00528c3b9d7c · 2024-10-14T23:32:10.000+02:00
diff --git a/app/Http/Controllers/UserRoleController.php b/app/Http/Controllers/UserRoleController.php
@@ -4,7 +4,6 @@
 
 use App\Http\Requests\Filters\UserRoleFilterRequest;
 use App\Http\Requests\UserRoleRequest;
-use App\Models\User;
 use App\Models\UserRole;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Support\Facades\Session;
@@ -29,7 +28,7 @@ public function index(UserRoleFilterRequest $request): View
 
     public function create(): View
     {
-        $this->authorize('create', User::class);
+        $this->authorize('create', UserRole::class);
 
         return view('user_roles.user_role_form');
     }
diff --git a/app/Models/PersonalAccessToken.php b/app/Models/PersonalAccessToken.php
@@ -3,6 +3,7 @@
 namespace App\Models;
 
 use Carbon\Carbon;
+use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Laravel\Sanctum\HasApiTokens;
 use Laravel\Sanctum\NewAccessToken;
 use Laravel\Sanctum\PersonalAccessToken as SanctumPersonalAccessToken;
@@ -18,6 +19,8 @@
  */
 class PersonalAccessToken extends SanctumPersonalAccessToken
 {
+    use HasFactory;
+
     public function fillAndSave(array $validatedData): bool
     {
         $this->fill($validatedData);
diff --git a/app/Models/UserRole.php b/app/Models/UserRole.php
@@ -9,6 +9,7 @@
 use App\Options\FilterValue;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\Relations\BelongsToMany;
 use Spatie\QueryBuilder\AllowedFilter;
@@ -26,6 +27,7 @@ class UserRole extends Model
 {
     use BuildsQueryFromRequest;
     use FiltersByRelationExistence;
+    use HasFactory;
 
     protected $casts = [
         'abilities' => 'json',
diff --git a/app/Policies/PersonalAccessTokenPolicy.php b/app/Policies/PersonalAccessTokenPolicy.php
@@ -34,10 +34,7 @@ public function viewOwn(User $user): Response
      */
     public function view(User $user, PersonalAccessToken $personalAccessToken): Response
     {
-        return $this->response(
-            $user->is($personalAccessToken->tokenable)
-            && $user->hasAbility(Ability::ManagePersonalAccessTokens)
-        );
+        return $this->update($user, $personalAccessToken);
     }
 
     /**
@@ -53,15 +50,18 @@ public function create(User $user): Response
      */
     public function update(User $user, PersonalAccessToken $personalAccessToken): Response
     {
-        return $this->requireAbility($user, Ability::ManagePersonalAccessTokens);
+        return $this->response(
+            $user->is($personalAccessToken->tokenable)
+            && $user->hasAbility(Ability::ManagePersonalAccessTokens)
+        );
     }
 
     /**
      * Determine whether the user can delete the model.
      */
     public function delete(User $user, PersonalAccessToken $personalAccessToken): Response
     {
-        return $this->requireAbility($user, Ability::ManagePersonalAccessTokens);
+        return $this->update($user, $personalAccessToken);
     }
 
     /**
@@ -77,6 +77,6 @@ public function restore(User $user, PersonalAccessToken $personalAccessToken): R
      */
     public function forceDelete(User $user, PersonalAccessToken $personalAccessToken): Response
     {
-        return $this->requireAbility($user, Ability::ManagePersonalAccessTokens);
+        return $this->update($user, $personalAccessToken);
     }
 }
diff --git a/database/factories/EventFactory.php b/database/factories/EventFactory.php
@@ -34,4 +34,11 @@ public function definition(): array
             'website_url' => fake()->optional()->url(),
         ];
     }
+
+    public function visibility(Visibility $visibility): static
+    {
+        return $this->state(fn (array $attributes) => [
+            'visibility' => $visibility,
+        ]);
+    }
 }
diff --git a/database/factories/EventSeriesFactory.php b/database/factories/EventSeriesFactory.php
@@ -27,4 +27,11 @@ public function definition(): array
             'visibility' => fake()->randomElement(Visibility::values()),
         ];
     }
+
+    public function visibility(Visibility $visibility): static
+    {
+        return $this->state(fn (array $attributes) => [
+            'visibility' => $visibility,
+        ]);
+    }
 }
diff --git a/database/factories/PersonalAccessTokenFactory.php b/database/factories/PersonalAccessTokenFactory.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Database\Factories;
+
+use App\Models\PersonalAccessToken;
+use App\Options\Ability;
+use Illuminate\Database\Eloquent\Factories\Factory;
+
+/**
+ * @extends Factory<PersonalAccessToken>
+ */
+class PersonalAccessTokenFactory extends Factory
+{
+    protected $model = PersonalAccessToken::class;
+
+    public function definition(): array
+    {
+        return [
+            'name' => $this->faker->word(),
+            'token' => $this->faker->sha256(),
+            'abilities' => $this->faker->randomElements(Ability::cases(), $this->faker->numberBetween(1, count(Ability::cases()))),
+        ];
+    }
+}
diff --git a/database/factories/UserRoleFactory.php b/database/factories/UserRoleFactory.php
@@ -0,0 +1,26 @@
+<?php
+
+namespace Database\Factories;
+
+use App\Models\UserRole;
+use App\Options\Ability;
+use Illuminate\Database\Eloquent\Factories\Factory;
+
+/**
+ * @extends Factory<UserRole>
+ */
+class UserRoleFactory extends Factory
+{
+    /**
+     * Define the model's default state.
+     *
+     * @return array<string, mixed>
+     */
+    public function definition(): array
+    {
+        return [
+            'name' => fake()->unique()->words(3, true),
+            'abilities' => fake()->randomElements(Ability::cases(), $this->faker->numberBetween(1, count(Ability::cases()))),
+        ];
+    }
+}
diff --git a/routes/web.php b/routes/web.php
@@ -101,7 +101,7 @@
 
     Route::model('organization', Organization::class);
     Route::resource('organizations', OrganizationController::class)
-        ->only(['index', 'create', 'store', 'edit', 'update']);
+        ->only(['index', 'create', 'store', 'show', 'edit', 'update']);
     Route::prefix('organizations/{organization}')->group(function () {
         Route::post('documents', [DocumentController::class, 'storeForOrganization'])
             ->name('organizations.documents.store');
@@ -138,8 +138,6 @@
     ->only(['show']);
 Route::resource('event-series', EventSeriesController::class)
     ->only(['show']);
-Route::resource('organizations', OrganizationController::class)
-    ->only(['show']);
 
 Route::model('booking_option', BookingOption::class);
 Route::resource('events/{event:slug}/booking-options', BookingOptionController::class)
diff --git a/tests/Feature/Http/EventControllerTest.php b/tests/Feature/Http/EventControllerTest.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace Tests\Feature\Http;
+
+use App\Http\Controllers\EventController;
+use App\Models\Event;
+use App\Models\Location;
+use App\Options\Ability;
+use App\Options\Visibility;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\DataProvider;
+use Tests\TestCase;
+use Tests\Traits\ChecksVisibility;
+
+#[CoversClass(EventController::class)]
+class EventControllerTest extends TestCase
+{
+    use ChecksVisibility;
+    use RefreshDatabase;
+
+    public function testEventsCanBeListedWithCorrectAbility(): void
+    {
+        $this->assertRouteOnlyAccessibleOnlyWithAbility('/events', Ability::ViewEvents);
+    }
+
+    public function testPublicEventIsAccessibleByEveryone(): void
+    {
+        $publicEvent = $this->createRandomEvent(Visibility::Public);
+        $route = "/events/{$publicEvent->slug}";
+
+        $this->assertRouteAccessibleAsGuest($route);
+        $this->assertRouteAccessibleWithAbility($route, Ability::ViewEvents);
+        $this->assertRouteAccessibleWithAbility($route, Ability::ViewPrivateEvents);
+    }
+
+    public function testPrivateEventIsOnlyAccessibleWithCorrectAbility(): void
+    {
+        $privateEvent = $this->createRandomEvent(Visibility::Private);
+        $route = "/events/{$privateEvent->slug}";
+
+        $this->assertRouteForbiddenAsGuest($route);
+        $this->assertRouteNotAccessibleWithoutAbility($route, Ability::ViewPrivateEvents);
+        $this->assertRouteAccessibleWithAbility($route, Ability::ViewPrivateEvents);
+    }
+
+    public function testCreateEventFormIsOnlyAccessibleWithCorrectAbility(): void
+    {
+        $this->assertRouteOnlyAccessibleOnlyWithAbility('/events/create', Ability::CreateEvents);
+    }
+
+    #[DataProvider('visibilityProvider')]
+    public function testEditEventFormIsAccessibleOnlyWithCorrectAbility(Visibility $visibility): void
+    {
+        $this->assertRouteOnlyAccessibleOnlyWithAbility("/events/{$this->createRandomEvent($visibility)->slug}/edit", Ability::EditEvents);
+    }
+
+    private function createRandomEvent(Visibility $visibility): Event
+    {
+        return Event::factory()
+            ->for(Location::factory()->create())
+            ->visibility($visibility)
+            ->create();
+    }
+}
diff --git a/tests/Feature/Http/EventSeriesControllerTest.php b/tests/Feature/Http/EventSeriesControllerTest.php
@@ -0,0 +1,70 @@
+<?php
+
+namespace Tests\Feature\Http;
+
+use App\Http\Controllers\EventSeriesController;
+use App\Models\Event;
+use App\Models\EventSeries;
+use App\Models\Location;
+use App\Options\Ability;
+use App\Options\Visibility;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use PHPUnit\Framework\Attributes\CoversClass;
+use PHPUnit\Framework\Attributes\DataProvider;
+use Tests\TestCase;
+use Tests\Traits\ChecksVisibility;
+
+#[CoversClass(EventSeriesController::class)]
+class EventSeriesControllerTest extends TestCase
+{
+    use ChecksVisibility;
+    use RefreshDatabase;
+
+    public function testEventSeriesCanBeListedWithCorrectAbility(): void
+    {
+        $this->assertRouteOnlyAccessibleOnlyWithAbility('/event-series', Ability::ViewEventSeries);
+    }
+
+    public function testPublicEventSeriesIsAccessibleByEveryone(): void
+    {
+        $publicEventSeries = $this->createRandomEventSeries(Visibility::Public);
+        $route = "/event-series/{$publicEventSeries->slug}";
+
+        $this->assertRouteAccessibleAsGuest($route);
+        $this->assertRouteAccessibleWithAbility($route, Ability::ViewEventSeries);
+        $this->assertRouteAccessibleWithAbility($route, Ability::ViewPrivateEventSeries);
+    }
+
+    public function testPrivateEventSeriesIsOnlyAccessibleWithCorrectAbility(): void
+    {
+        $privateEvent = $this->createRandomEventSeries(Visibility::Private);
+        $route = "/event-series/{$privateEvent->slug}";
+
+        $this->assertRouteForbiddenAsGuest($route);
+        $this->assertRouteNotAccessibleWithoutAbility($route, Ability::ViewPrivateEventSeries);
+        $this->assertRouteAccessibleWithAbility($route, Ability::ViewPrivateEventSeries);
+    }
+
+    public function testCreateEventSeriesFormIsOnlyAccessibleWithCorrectAbility(): void
+    {
+        $this->assertRouteOnlyAccessibleOnlyWithAbility('/event-series/create', Ability::CreateEventSeries);
+    }
+
+    #[DataProvider('visibilityProvider')]
+    public function testEditEventSeriesFormIsAccessibleOnlyWithCorrectAbility(Visibility $visibility): void
+    {
+        $this->assertRouteOnlyAccessibleOnlyWithAbility("/event-series/{$this->createRandomEventSeries($visibility)->slug}/edit", Ability::EditEventSeries);
+    }
+
+    private function createRandomEventSeries(Visibility $visibility): EventSeries
+    {
+        return EventSeries::factory()
+            ->has(
+                Event::factory()
+                    ->for(Location::factory()->create())
+                    ->count(fake()->numberBetween(1, 5))
+            )
+            ->visibility($visibility)
+            ->create();
+    }
+}
diff --git a/tests/Feature/Http/LocationControllerTest.php b/tests/Feature/Http/LocationControllerTest.php
@@ -0,0 +1,36 @@
+<?php
+
+namespace Http;
+
+use App\Http\Controllers\LocationController;
+use App\Models\Location;
+use App\Options\Ability;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use PHPUnit\Framework\Attributes\CoversClass;
+use Tests\TestCase;
+
+#[CoversClass(LocationController::class)]
+class LocationControllerTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function testLocationsCanBeListedWithCorrectAbility(): void
+    {
+        $this->assertRouteOnlyAccessibleOnlyWithAbility('/locations', Ability::ViewLocations);
+    }
+
+    public function testCreateLocationFormIsOnlyAccessibleWithCorrectAbility(): void
+    {
+        $this->assertRouteOnlyAccessibleOnlyWithAbility('/locations/create', Ability::CreateLocations);
+    }
+
+    public function testEditLocationFormIsAccessibleOnlyWithCorrectAbility(): void
+    {
+        $this->assertRouteOnlyAccessibleOnlyWithAbility("/locations/{$this->createRandomLocation()->id}/edit", Ability::EditLocations);
+    }
+
+    private function createRandomLocation(): Location
+    {
+        return Location::factory()->create();
+    }
+}
diff --git a/tests/Feature/Http/OrganizationControllerTest.php b/tests/Feature/Http/OrganizationControllerTest.php
diff --git a/tests/Feature/Http/PersonalAccessTokenControllerTest.php b/tests/Feature/Http/PersonalAccessTokenControllerTest.php
diff --git a/tests/Feature/Http/UserRoleControllerTest.php b/tests/Feature/Http/UserRoleControllerTest.php
diff --git a/tests/Traits/ActsAsUser.php b/tests/Traits/ActsAsUser.php
diff --git a/tests/Traits/ChecksVisibility.php b/tests/Traits/ChecksVisibility.php

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,6 @@`
`4`	`4`
`5`	`5`	`use App\Http\Requests\Filters\UserRoleFilterRequest;`
`6`	`6`	`use App\Http\Requests\UserRoleRequest;`
`7`		`-use App\Models\User;`
`8`	`7`	`use App\Models\UserRole;`
`9`	`8`	`use Illuminate\Http\RedirectResponse;`
`10`	`9`	`use Illuminate\Support\Facades\Session;`
`@@ -29,7 +28,7 @@ public function index(UserRoleFilterRequest $request): View`
`29`	`28`
`30`	`29`	`public function create(): View`
`31`	`30`	`{`
`32`		`- $this->authorize('create', User::class);`
	`31`	`+ $this->authorize('create', UserRole::class);`
`33`	`32`
`34`	`33`	`return view('user_roles.user_role_form');`
`35`	`34`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,10 +34,7 @@ public function viewOwn(User $user): Response`
`34`	`34`	`*/`
`35`	`35`	`public function view(User $user, PersonalAccessToken $personalAccessToken): Response`
`36`	`36`	`{`
`37`		`- return $this->response(`
`38`		`- $user->is($personalAccessToken->tokenable)`
`39`		`- && $user->hasAbility(Ability::ManagePersonalAccessTokens)`
`40`		`- );`
	`37`	`+ return $this->update($user, $personalAccessToken);`
`41`	`38`	`}`
`42`	`39`
`43`	`40`	`/**`
`@@ -53,15 +50,18 @@ public function create(User $user): Response`
`53`	`50`	`*/`
`54`	`51`	`public function update(User $user, PersonalAccessToken $personalAccessToken): Response`
`55`	`52`	`{`
`56`		`- return $this->requireAbility($user, Ability::ManagePersonalAccessTokens);`
	`53`	`+ return $this->response(`
	`54`	`+ $user->is($personalAccessToken->tokenable)`
	`55`	`+ && $user->hasAbility(Ability::ManagePersonalAccessTokens)`
	`56`	`+ );`
`57`	`57`	`}`
`58`	`58`
`59`	`59`	`/**`
`60`	`60`	`* Determine whether the user can delete the model.`
`61`	`61`	`*/`
`62`	`62`	`public function delete(User $user, PersonalAccessToken $personalAccessToken): Response`
`63`	`63`	`{`
`64`		`- return $this->requireAbility($user, Ability::ManagePersonalAccessTokens);`
	`64`	`+ return $this->update($user, $personalAccessToken);`
`65`	`65`	`}`
`66`	`66`
`67`	`67`	`/**`
`@@ -77,6 +77,6 @@ public function restore(User $user, PersonalAccessToken $personalAccessToken): R`
`77`	`77`	`*/`
`78`	`78`	`public function forceDelete(User $user, PersonalAccessToken $personalAccessToken): Response`
`79`	`79`	`{`
`80`		`- return $this->requireAbility($user, Ability::ManagePersonalAccessTokens);`
	`80`	`+ return $this->update($user, $personalAccessToken);`
`81`	`81`	`}`
`82`	`82`	`}`
Original file line number	Diff line number	Diff line change
`@@ -34,4 +34,11 @@ public function definition(): array`
`34`	`34`	`'website_url' => fake()->optional()->url(),`
`35`	`35`	`];`
`36`	`36`	`}`
	`37`	`+`
	`38`	`+ public function visibility(Visibility $visibility): static`
	`39`	`+ {`
	`40`	`+ return $this->state(fn (array $attributes) => [`
	`41`	`+ 'visibility' => $visibility,`
	`42`	`+ ]);`
	`43`	`+ }`
`37`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -27,4 +27,11 @@ public function definition(): array`
`27`	`27`	`'visibility' => fake()->randomElement(Visibility::values()),`
`28`	`28`	`];`
`29`	`29`	`}`
	`30`	`+`
	`31`	`+ public function visibility(Visibility $visibility): static`
	`32`	`+ {`
	`33`	`+ return $this->state(fn (array $attributes) => [`
	`34`	`+ 'visibility' => $visibility,`
	`35`	`+ ]);`
	`36`	`+ }`
`30`	`37`	`}`