Merge remote-tracking branch 'origin/develop'

2024-11-11 16:14:18 -08:00 · 2023-07-18 13:27:05 +01:00 · 2023-07-18 13:27:05 +01:00 · bc91181917
parent 92e7e79faf 18e2ec4dad
commit bc91181917
3 changed files with 62 additions and 2 deletions
--- a/app/Http/Controllers/Api/LocationsController.php
+++ b/app/Http/Controllers/Api/LocationsController.php
@ -253,8 +253,12 @@ class LocationsController extends Controller
     */
    public function selectlist(Request $request)
    {
-
-        $this->authorize('view.selectlists');
+        // If a user is in the process of editing their profile, as determined by the referrer,
+        // then we check that they have permission to edit their own location.
+        // Otherwise, we do our normal check that they can view select lists.
+        $request->headers->get('referer') === route('profile')
+            ? $this->authorize('self.edit_location')
+            : $this->authorize('view.selectlists');

        $locations = Location::select([
            'locations.id',
--- a/database/factories/UserFactory.php
+++ b/database/factories/UserFactory.php
@ -424,4 +424,12 @@ class UserFactory extends Factory
        });
    }

+    public function canEditOwnLocation()
+    {
+        return $this->state(function () {
+            return [
+                'permissions' => '{"self.edit_location":"1"}',
+            ];
+        });
+    }
 }
--- a/tests/Feature/Api/Locations/LocationsForSelectListTest.php
+++ b/tests/Feature/Api/Locations/LocationsForSelectListTest.php
@ -0,0 +1,48 @@
+<?php
+
+namespace Tests\Feature\Api\Locations;
+
+use App\Models\Location;
+use App\Models\User;
+use Illuminate\Testing\Fluent\AssertableJson;
+use Tests\Support\InteractsWithSettings;
+use Tests\TestCase;
+
+class LocationsForSelectListTest extends TestCase
+{
+    use InteractsWithSettings;
+
+    public function testGettingLocationListRequiresProperPermission()
+    {
+        $this->actingAsForApi(User::factory()->create())
+            ->getJson(route('api.locations.selectlist'))
+            ->assertForbidden();
+    }
+
+    public function testLocationsReturned()
+    {
+        Location::factory()->create();
+
+        // see the where the "view.selectlists" is defined in the AuthServiceProvider
+        // for info on why "createUsers()" is used here.
+        $this->actingAsForApi(User::factory()->createUsers()->create())
+            ->getJson(route('api.locations.selectlist'))
+            ->assertOk()
+            ->assertJsonStructure([
+                'results',
+                'pagination',
+                'total_count',
+                'page',
+                'page_count',
+            ])
+            ->assertJson(fn(AssertableJson $json) => $json->has('results', 1)->etc());
+    }
+
+    public function testLocationsAreReturnedWhenUserIsUpdatingTheirProfileAndHasPermissionToUpdateLocation()
+    {
+        $this->actingAsForApi(User::factory()->canEditOwnLocation()->create())
+            ->withHeader('referer', route('profile'))
+            ->getJson(route('api.locations.selectlist'))
+            ->assertOk();
+    }
+}