Merge remote-tracking branch 'origin/develop'

snipe 2023-07-18 13:27:05 +01:00
commit bc91181917
3 changed files with 62 additions and 2 deletions


@ -253,8 +253,12 @@ class LocationsController extends Controller
*/
public function selectlist(Request $request)
{
$this->authorize('view.selectlists');
// If a user is in the process of editing their profile, as determined by the referrer,
// then we check that they have permission to edit their own location.
// Otherwise, we do our normal check that they can view select lists.
$request->headers->get('referer') === route('profile')
? $this->authorize('self.edit_location')
: $this->authorize('view.selectlists');
$locations = Location::select([
'locations.id',
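Review bot: The permission that guards `selectlist` is now chosen by the `Referer` header (`$request->headers->get('referer') === route('profile')`), which the client sets and can omit or change, so it cannot establish that the user is actually editing their profile. In effect any holder of `self.edit_location` can reach the full list by sending that header, while a user who holds `view.selectlists` but not `self.edit_location` is refused when the request really does come from the profile page, and a browser or proxy that strips or shortens the referrer silently falls into the other branch. If the intent is that either permission is sufficient, express that directly and drop the header check: `if ($request->user()->cannot('view.selectlists')) { $this->authorize('self.edit_location'); }`. The body of `selectlist` continues past the end of this hunk.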


@ -424,4 +424,12 @@ class UserFactory extends Factory
});
}
public function canEditOwnLocation()
{
return $this->state(function () {
return [
'permissions' => '{"self.edit_location":"1"}',
];
});
}
}


@ -0,0 +1,48 @@
<?php
namespace Tests\Feature\Api\Locations;
use App\Models\Location;
use App\Models\User;
use Illuminate\Testing\Fluent\AssertableJson;
use Tests\Support\InteractsWithSettings;
use Tests\TestCase;
class LocationsForSelectListTest extends TestCase
{
use InteractsWithSettings;
public function testGettingLocationListRequiresProperPermission()
{
$this->actingAsForApi(User::factory()->create())
->getJson(route('api.locations.selectlist'))
->assertForbidden();
}
public function testLocationsReturned()
{
Location::factory()->create();
// see the where the "view.selectlists" is defined in the AuthServiceProvider
// for info on why "createUsers()" is used here.
$this->actingAsForApi(User::factory()->createUsers()->create())
->getJson(route('api.locations.selectlist'))
->assertOk()
->assertJsonStructure([
'results',
'pagination',
'total_count',
'page',
'page_count',
])
->assertJson(fn(AssertableJson $json) => $json->has('results', 1)->etc());
}
public function testLocationsAreReturnedWhenUserIsUpdatingTheirProfileAndHasPermissionToUpdateLocation()
{
$this->actingAsForApi(User::factory()->canEditOwnLocation()->create())
->withHeader('referer', route('profile'))
->getJson(route('api.locations.selectlist'))
->assertOk();
}
}
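Review bot: The new test class exercises only the allowed path of the referer branch; nothing asserts that the branch ever denies. Add a case where a user without `self.edit_location` sends the profile referer and is refused, and one where a user holding only `self.edit_location` sends no referer at all. The second expectation assumes `view.selectlists` is not derived from `self.edit_location` in the AuthServiceProvider, which is not visible here, so confirm it against the gate definition. Together these pin the authorization boundary so a later change to the header check cannot widen access unnoticed.

```php
// … unchanged: existing test methods of LocationsForSelectListTest …

public function testLocationsAreNotReturnedWhenUserIsUpdatingTheirProfileWithoutPermissionToUpdateLocation()
{
    $this->actingAsForApi(User::factory()->create())
        ->withHeader('referer', route('profile'))
        ->getJson(route('api.locations.selectlist'))
        ->assertForbidden();
}

public function testPermissionToUpdateOwnLocationDoesNotGrantSelectListOutsideOfProfile()
{
    $this->actingAsForApi(User::factory()->canEditOwnLocation()->create())
        ->getJson(route('api.locations.selectlist'))
        ->assertForbidden();
}
```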