diff --git a/src/Concerns/PerformsRestOperations.php b/src/Concerns/PerformsRestOperations.php
index 40af10e..a24b7ff 100644
--- a/src/Concerns/PerformsRestOperations.php
+++ b/src/Concerns/PerformsRestOperations.php
@@ -140,7 +140,9 @@ public function destroy(DestroyRequest $request)
 foreach ($models as $model) {
 self::newResource()->authorizeTo('delete', $model);
+ }
+ foreach ($models as $model) {
 $resource->destroying($request, $model);
 $resource->performDelete($request, $model);
@@ -177,7 +179,9 @@ public function restore(RestoreRequest $request)
 foreach ($models as $model) {
 self::newResource()->authorizeTo('restore', $model);
+ }
+ foreach ($models as $model) {
 $resource->restoring($request, $model);
 $resource->performRestore($request, $model);
@@ -215,7 +219,9 @@ public function forceDelete(ForceDestroyRequest $request)
 foreach ($models as $model) {
 self::newResource()->authorizeTo('forceDelete', $model);
+ }
+ foreach ($models as $model) {
 $resource->forceDestroying($request, $model);
 $resource->performForceDelete($request, $model);
diff --git a/tests/Feature/Controllers/DeleteOperationsTest.php b/tests/Feature/Controllers/DeleteOperationsTest.php
index 3de5c97..cb577d1 100644
--- a/tests/Feature/Controllers/DeleteOperationsTest.php
+++ b/tests/Feature/Controllers/DeleteOperationsTest.php
@@ -10,6 +10,7 @@
 use Lomkit\Rest\Tests\Support\Models\SoftDeletedModel;
 use Lomkit\Rest\Tests\Support\Policies\GreenPolicy;
 use Lomkit\Rest\Tests\Support\Policies\RedPolicy;
+use Lomkit\Rest\Tests\Support\Policies\RedPolicyButForModel;
 use Lomkit\Rest\Tests\Support\Rest\Resources\ModelResource;
 use Lomkit\Rest\Tests\Support\Rest\Resources\SoftDeletedModelResource;
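Review bot: In `src/Concerns/PerformsRestOperations.php`, the new authorization-only loop in `destroy()` carries no comment saying why it is kept apart from the loop that calls `destroying()` and `performDelete()`, so a later cleanup could merge the two and bring back the case where some models are already deleted when a later one is denied. I would add above the first loop `// Authorize every model before mutating any: one denial must reject the whole batch.`; the same applies to the `restore()` and `forceDelete()` hunks. The authorization loop also builds a fresh `self::newResource()` per model while the second loop uses `$resource`; if `$resource` is the same resource type (its assignment is outside the hunk), `$resource->authorizeTo('delete', $model);` would avoid the repeated instantiation. All three method bodies start and end outside the hunks.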
@@ -33,6 +34,28 @@ public function test_deleting_a_non_authorized_model(): void
 $response->assertJson(['message' => 'This action is unauthorized.']);
 }
+ public function test_deleting_a_non_authorized_model_with_an_authorized_one(): void
+ {
+ $model = ModelFactory::new()->count(1)->createOne();
+ $modelDeletable = ModelFactory::new()->count(1)->createOne();
+
+ RedPolicyButForModel::forModel($modelDeletable);
+ Gate::policy(Model::class, RedPolicyButForModel::class);
+
+ $response = $this->delete(
+ '/api/models',
+ [
+ 'resources' => [$model->getKey(), $modelDeletable->getKey()],
+ ],
+ ['Accept' => 'application/json']
+ );
+
+ $response->assertStatus(403);
+ $response->assertJson(['message' => 'This action is unauthorized.']);
+ $this->assertDatabaseHas('models', $model->only('id'));
+ $this->assertDatabaseHas('models', $modelDeletable->only('id'));
+ }
+
 public function test_deleting_a_model(): void
 {
 $model = ModelFactory::new()->count(1)->createOne();
diff --git a/tests/Feature/Controllers/ForceDeleteOperationsTest.php b/tests/Feature/Controllers/ForceDeleteOperationsTest.php
index 80e8377..eeeb956 100644
--- a/tests/Feature/Controllers/ForceDeleteOperationsTest.php
+++ b/tests/Feature/Controllers/ForceDeleteOperationsTest.php
@@ -8,6 +8,7 @@
 use Lomkit\Rest\Tests\Support\Models\SoftDeletedModel;
 use Lomkit\Rest\Tests\Support\Policies\GreenPolicy;
 use Lomkit\Rest\Tests\Support\Policies\RedPolicy;
+use Lomkit\Rest\Tests\Support\Policies\RedPolicyButForModel;
 use Lomkit\Rest\Tests\Support\Rest\Resources\SoftDeletedModelResource;
 class ForceDeleteOperationsTest extends TestCase
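Review bot: In `test_deleting_a_non_authorized_model_with_an_authorized_one` the denied model is created first and listed first in `resources`, so a single loop that authorizes and deletes model by model would likely also stop at the first model with nothing deleted, and the test would pass without the fix. Whether that holds depends on the order in which the controller loads `$models`, which is not visible in this diff. Creating the permitted model first and sending `'resources' => [$modelDeletable->getKey(), $model->getKey()],` would make the test fail on the per-model ordering this commit removes. The new tests in `ForceDeleteOperationsTest.php` and `RestoreOperationsTest.php` use the same ordering.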
@@ -30,6 +31,28 @@ public function test_force_deleting_a_non_authorized_model(): void
 $response->assertJson(['message' => 'This action is unauthorized.']);
 }
+ public function test_force_deleting_a_non_authorized_model_with_an_authorized_one(): void
+ {
+ $model = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
+ $modelForceDeletable = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
+
+ RedPolicyButForModel::forModel($modelForceDeletable);
+ Gate::policy(SoftDeletedModel::class, RedPolicyButForModel::class);
+
+ $response = $this->delete(
+ '/api/soft-deleted-models/force',
+ [
+ 'resources' => [$model->getKey(), $modelForceDeletable->getKey()],
+ ],
+ ['Accept' => 'application/json']
+ );
+
+ $response->assertStatus(403);
+ $response->assertJson(['message' => 'This action is unauthorized.']);
+ $this->assertSoftDeleted($model);
+ $this->assertSoftDeleted($modelForceDeletable);
+ }
+
 public function test_force_deleting_a_soft_deleted_model(): void
 {
 $softDeletedModel = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
diff --git a/tests/Feature/Controllers/RestoreOperationsTest.php b/tests/Feature/Controllers/RestoreOperationsTest.php
index cb045fc..7a316b4 100644
--- a/tests/Feature/Controllers/RestoreOperationsTest.php
+++ b/tests/Feature/Controllers/RestoreOperationsTest.php
@@ -8,6 +8,7 @@
 use Lomkit\Rest\Tests\Support\Models\SoftDeletedModel;
 use Lomkit\Rest\Tests\Support\Policies\GreenPolicy;
 use Lomkit\Rest\Tests\Support\Policies\RedPolicy;
+use Lomkit\Rest\Tests\Support\Policies\RedPolicyButForModel;
 use Lomkit\Rest\Tests\Support\Rest\Resources\SoftDeletedModelResource;
 class RestoreOperationsTest extends TestCase
@@ -30,6 +31,34 @@ public function test_restoring_a_non_authorized_model(): void
 $response->assertJson(['message' => 'This action is unauthorized.']);
 }
+ public function test_restoring_a_non_authorized_model_with_an_authorized_one(): void
+ {
+ $model = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
+ $modelRestorable = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
+
+ RedPolicyButForModel::forModel($modelRestorable);
+ Gate::policy(SoftDeletedModel::class, RedPolicyButForModel::class);
+
+ $response = $this->post(
+ '/api/soft-deleted-models/restore',
+ [
+ 'resources' => [$model->getKey(), $modelRestorable->getKey()],
+ ],
+ ['Accept' => 'application/json']
+ );
+
+ $response->assertStatus(403);
+ $response->assertJson(['message' => 'This action is unauthorized.']);
+ $this->assertNotEquals(
+ null,
+ $modelRestorable->fresh()->deleted_at,
+ );
+ $this->assertNotEquals(
+ null,
+ $model->fresh()->deleted_at,
+ );
+ }
+
 public function test_restoring_a_soft_deleted_model(): void
 {
 $softDeletedModel = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
diff --git a/tests/Support/Policies/RedPolicyButForModel.php b/tests/Support/Policies/RedPolicyButForModel.php
new file mode 100644
index 0000000..3f7a26d
--- /dev/null
+++ b/tests/Support/Policies/RedPolicyButForModel.php
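Review bot: In `RestoreOperationsTest.php`, `test_restoring_a_non_authorized_model_with_an_authorized_one` verifies the outcome with `assertNotEquals(null, ...->fresh()->deleted_at)`, which compares loosely and is harder to read than the assertion the force-delete test in this commit uses for the same state. `$this->assertSoftDeleted($modelRestorable);` and `$this->assertSoftDeleted($model);` would state the intent directly and keep the three new tests consistent.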
@@ -0,0 +1,107 @@
+is($model);
+ }
+
+ /**
+ * Determine whether the user can create models.
+ *
+ * @param $user
+ *
+ * @return bool
+ */
+ public function create($user)
+ {
+ return false;
+ }
+
+ /**
+ * Determine whether the user can update the model.
+ *
+ * @param $user
+ * @param Model $model
+ *
+ * @return bool
+ */
+ public function update($user, Model $model)
+ {
+ return static::$model->is($model);
+ }
+
+ /**
+ * Determine whether the user can delete the model.
+ *
+ * @param $user
+ * @param Model $model
+ *
+ * @return bool
+ */
+ public function delete($user, Model $model)
+ {
+ return static::$model->is($model);
+ }
+
+ /**
+ * Determine whether the user can restore the model.
+ *
+ * @param $user
+ * @param Model $model
+ *
+ * @return bool
+ */
+ public function restore($user, Model $model)
+ {
+ return static::$model->is($model);
+ }
+
+ /**
+ * Determine whether the user can permanently delete the model.
+ *
+ * @param $user
+ * @param Model $model
+ *
+ * @return bool
+ */
+ public function forceDelete($user, Model $model)
+ {
+ return static::$model->is($model);
+ }
+}
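Review bot: Every model-bound ability in `RedPolicyButForModel` dereferences `static::$model` without a guard, and because the value is static it carries over between tests in the same process. A test that registers the policy without calling `forModel()` first would either fail on a null dereference or be evaluated against a model left behind by an earlier test; the top of the file, including `forModel()` and the property declaration, is not readable in this view, so this is inferred from the visible methods. Making the abilities deny when nothing is set, e.g. `return static::$model?->is($model) ?? false;` (needs PHP 8), and clearing the property in the test case's `tearDown()` would keep the fixture fail-closed.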