Merge remote-tracking branch 'origin/develop'

app/Http/Controllers/Api/LocationsController.php

@@ -253,8 +253,12 @@ class LocationsController extends Controller
      */
     public function selectlist(Request $request)
     {
-
+        // If a user is in the process of editing their profile, as determined by the referrer,
-        $this->authorize('view.selectlists');
+        // then we check that they have permission to edit their own location.
+        // Otherwise, we do our normal check that they can view select lists.
+        $request->headers->get('referer') === route('profile')
+            ? $this->authorize('self.edit_location')
+            : $this->authorize('view.selectlists');
 
         $locations = Location::select([
             'locations.id',

database/factories/UserFactory.php

@@ -424,4 +424,12 @@ class UserFactory extends Factory
         });
     }
 
+    public function canEditOwnLocation()
+    {
+        return $this->state(function () {
+            return [
+                'permissions' => '{"self.edit_location":"1"}',
+            ];
+        });
+    }
 }

tests/Feature/Api/Locations/LocationsForSelectListTest.php

@@ -0,0 +1,48 @@
+<?php
+
+namespace Tests\Feature\Api\Locations;
+
+use App\Models\Location;
+use App\Models\User;
+use Illuminate\Testing\Fluent\AssertableJson;
+use Tests\Support\InteractsWithSettings;
+use Tests\TestCase;
+
+class LocationsForSelectListTest extends TestCase
+{
+    use InteractsWithSettings;
+
+    public function testGettingLocationListRequiresProperPermission()
+    {
+        $this->actingAsForApi(User::factory()->create())
+            ->getJson(route('api.locations.selectlist'))
+            ->assertForbidden();
+    }
+
+    public function testLocationsReturned()
+    {
+        Location::factory()->create();
+
+        // see the where the "view.selectlists" is defined in the AuthServiceProvider
+        // for info on why "createUsers()" is used here.
+        $this->actingAsForApi(User::factory()->createUsers()->create())
+            ->getJson(route('api.locations.selectlist'))
+            ->assertOk()
+            ->assertJsonStructure([
+                'results',
+                'pagination',
+                'total_count',
+                'page',
+                'page_count',
+            ])
+            ->assertJson(fn(AssertableJson $json) => $json->has('results', 1)->etc());
+    }
+
+    public function testLocationsAreReturnedWhenUserIsUpdatingTheirProfileAndHasPermissionToUpdateLocation()
+    {
+        $this->actingAsForApi(User::factory()->canEditOwnLocation()->create())
+            ->withHeader('referer', route('profile'))
+            ->getJson(route('api.locations.selectlist'))
+            ->assertOk();
+    }
+}