From 417f9c21e42a179cf23890c62fdc11008b24c50b Mon Sep 17 00:00:00 2001
From: Marcus Moore <contact@marcusmoore.io>
Date: Tue, 10 Oct 2023 17:51:29 -0700
Subject: [PATCH] Fix the storing of group permissions when creating via API

---
 app/Http/Controllers/Api/GroupsController.php |  2 +-
 tests/Feature/Api/Groups/GroupStoreTest.php   | 41 +++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
 create mode 100644 tests/Feature/Api/Groups/GroupStoreTest.php

diff --git a/app/Http/Controllers/Api/GroupsController.php b/app/Http/Controllers/Api/GroupsController.php
index 7cc5d2d756..6dc7e83dd6 100644
--- a/app/Http/Controllers/Api/GroupsController.php
+++ b/app/Http/Controllers/Api/GroupsController.php
@@ -63,7 +63,7 @@ class GroupsController extends Controller
         $group = new Group;
 
         $group->name = $request->input('name');
-        $group->permissions = $request->input('permissions'); // Todo - some JSON validation stuff here
+        $group->permissions = json_encode($request->input('permissions')); // Todo - some JSON validation stuff here
 
         if ($group->save()) {
             return response()->json(Helper::formatStandardApiResponse('success', $group, trans('admin/groups/message.create.success')));
diff --git a/tests/Feature/Api/Groups/GroupStoreTest.php b/tests/Feature/Api/Groups/GroupStoreTest.php
new file mode 100644
index 0000000000..9ffba51913
--- /dev/null
+++ b/tests/Feature/Api/Groups/GroupStoreTest.php
@@ -0,0 +1,41 @@
+<?php
+
+namespace Tests\Feature\Api\Groups;
+
+use App\Models\Group;
+use App\Models\User;
+use Tests\Support\InteractsWithSettings;
+use Tests\TestCase;
+
+class GroupStoreTest extends TestCase
+{
+    use InteractsWithSettings;
+
+    public function testStoringGroupRequiresSuperAdminPermission()
+    {
+        $this->actingAsForApi(User::factory()->create())
+            ->postJson(route('api.groups.store'))
+            ->assertForbidden();
+    }
+
+    public function testCanStoreGroup()
+    {
+        $this->actingAsForApi(User::factory()->superuser()->create())
+            ->postJson(route('api.groups.store'), [
+                'name' => 'My Awesome Group',
+                'permissions' => [
+                    'admin' => '1',
+                    'import' => '1',
+                    'reports.view' => '0',
+                ],
+            ])
+            ->assertOk();
+
+        $group = Group::where('name', 'My Awesome Group')->first();
+
+        $this->assertNotNull($group);
+        $this->assertEquals('1', $group->decodePermissions()['admin']);
+        $this->assertEquals('1', $group->decodePermissions()['import']);
+        $this->assertEquals('0', $group->decodePermissions()['reports.view']);
+    }
+}