updates on permissions for property update

robuedi · robuedi · commit 5d90ce9698fb · 2025-01-12T12:25:36.000+02:00
diff --git a/app/Http/Controllers/Api/v1/PropertyController.php b/app/Http/Controllers/Api/v1/PropertyController.php
@@ -11,14 +11,15 @@
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Spatie\QueryBuilder\QueryBuilder;
-use App\Services\Properties\PropertyRepositoryService;
+use App\Repositories\PropertyRepository;
+use Illuminate\Support\Facades\Gate;
 
 class PropertyController extends Controller
 {
     public function __construct()
     {
         //the user needs to be logged in for these methods to be accessed
-        $this->middleware('auth:api')->only('store');
+        $this->middleware('auth:api')->only('store', 'update');
     }
 
     /**
@@ -102,10 +103,11 @@ public function index(GenericListingRequest $request)
      *
      * `slug` field is set automatically using the `name` field when the status is set to <b>active</b> (value 1). Once set it can't be changed.
      */
-    public function store(StorePropertyRequest $request, PropertyRepositoryService $propertyRepositoryService)
+    public function store(StorePropertyRequest $request, PropertyRepository $propertyRepository)
     {
         //store the new property
-        $property = $propertyRepositoryService->authUserRequestCreateProperty();
+        Gate::authorize('create', Property::class);
+        $property = $propertyRepository->authUserCreateRequestProperty();
 
         return response()
             ->json(['data' => [
@@ -181,10 +183,13 @@ public function show(Request $request, int $property)
 
     /**
      * Update a property
+     * 
+     * @throws \Illuminate\Auth\Access\AuthorizationException|\Illuminate\Auth\Access\AuthenticationException
      */
-    public function update(UpdatePropertyRequest $request, Property $property)
+    public function update(UpdatePropertyRequest $request, Property $property, PropertyRepository $propertyRepository)
     {
-        $property->update($request->only('name', 'status_id'));
+        Gate::authorize('update', $property);
+        $propertyRepository->updateRequestProperty(property: $property);
 
         return response([])->setStatusCode(Response::HTTP_NO_CONTENT);
     }
diff --git a/app/Repositories/PropertyRepository.php b/app/Repositories/PropertyRepository.php
@@ -22,4 +22,14 @@ public function setSlugProperty(Property &$property)
             return;
         }
     }
+
+    public function authUserCreateRequestProperty() : Property
+    {
+        return Property::create([...request()->only('name', 'status_id'), ...['owner_id' => auth()->user()->id]]);
+    }
+
+    public function updateRequestProperty(Property $property) : void
+    {
+        $property->update(request()->only('name', 'status_id'));
+    }
 }
diff --git a/app/Services/Properties/PropertyRepositoryService.php b/app/Services/Properties/PropertyRepositoryService.php
diff --git a/bootstrap/providers.php b/bootstrap/providers.php
@@ -2,4 +2,6 @@
 
 return [
     App\Providers\AppServiceProvider::class,
+    App\Providers\AuthServiceProvider::class,
+    App\Providers\AuthorizationServiceProvider::class,
 ];
diff --git a/tests/Feature/Api/v1/PropertiesControllerTest.php b/tests/Feature/Api/v1/PropertiesControllerTest.php
@@ -249,7 +249,34 @@
     ]);
 });
 
-it('updates a property', function (): void {
+it('requires to be authenticated to try to update a property', function (): void {
+    //make a property
+    $property = Property::factory()->create();
+
+    // send request to update
+    $response = $this->putJson(route('api.v1.properties.update', $property->id), [
+        'name' => 'Moon Villa',
+        'status_id' => PropertyStatus::Inactive->value,
+    ]);
+
+    $response->assertUnauthorized();
+});
+
+it('requires to be autorized to update a property', function (): void {
+    //make a property
+    $property = Property::factory()->create();
+
+    // send request to update
+    $anotherUser = User::factory()->create();
+    $response = $this->actingAs($anotherUser)->putJson(route('api.v1.properties.update', $property->id), [
+        'name' => 'Moon Villa',
+        'status_id' => PropertyStatus::Inactive->value,
+    ]);
+
+    $response->assertForbidden();
+});
+
+it('updates a property with only the allowed fields', function (): void {
     $user = User::factory()->create();
     $propertyData = [
         'name' => 'Sea Villa',
@@ -261,7 +288,7 @@
 
     // send request to update
     $failUser = User::factory()->create();
-    $response = $this->putJson(route('api.v1.properties.update', $property->id), [
+    $response = $this->actingAs($user)->putJson(route('api.v1.properties.update', $property->id), [
         'id' => '5',
         'name' => 'Moon Villa',
         'owner_id' => $failUser->id,
@@ -282,7 +309,7 @@
 it('returns 404 for update on a non-existing property', function (): void {
 
     $user = User::factory()->create();
-    $response = $this->putJson(route('api.v1.properties.update', 1), [
+    $response = $this->actingAs($user)->putJson(route('api.v1.properties.update', 1), [
         'name' => 'Moon Villa',
         'owner_id' => $user->id,
         'status_id' => PropertyStatus::Inactive->value,

Original file line number	Diff line number	Diff line change
`@@ -22,4 +22,14 @@ public function setSlugProperty(Property &$property)`
`22`	`22`	`return;`
`23`	`23`	`}`
`24`	`24`	`}`
	`25`	`+`
	`26`	`+ public function authUserCreateRequestProperty() : Property`
	`27`	`+ {`
	`28`	`+ return Property::create([...request()->only('name', 'status_id'), ...['owner_id' => auth()->user()->id]]);`
	`29`	`+ }`
	`30`	`+`
	`31`	`+ public function updateRequestProperty(Property $property) : void`
	`32`	`+ {`
	`33`	`+ $property->update(request()->only('name', 'status_id'));`
	`34`	`+ }`
`25`	`35`	`}`