
feat(user): add user permissions and tests (#78)
Introduce user permissions to the `UserController` with corresponding
tests. Define permissions for each controller function as follows:
- `index()`: `list-users`
- `store()`: `create-users`
- `show()`:
  - For viewing own user: `show-users`
  - For viewing all users: `list-users`
- `update()`:
  - For updating all users: `update-users`
  - For updating own user: `update-users-self`
- `destroy()`: `delete-users`

With this change, the user controller functions are restricted and accessible
only according to the permissions listed above. The associated tests validate
that these permissions are enforced correctly.

Signed-off-by: Valentin Sickert <[email protected]>
Lapotor authored Dec 14, 2023
1 parent d460257 commit a1aa608
Showing 4 changed files with 625 additions and 16 deletions.
36 changes: 36 additions & 0 deletions app/Http/Controllers/UserController.php
Expand Up @@ -2,13 +2,36 @@

namespace App\Http\Controllers;

use App\Http\Responses\ApiErrorResponse;
use App\Http\Responses\ApiSuccessResponse;
use App\Models\User;
use App\Permissions\UsersPermissions;
use Illuminate\Http\Request;
use Illuminate\Http\Response;

class UserController extends Controller
{

/**
* UserController constructor.
*/
public function __construct()
{
/**
* Permissions:
* - index: list-users
* - store: create-users
* - show: show-users || list-users
* - update-users || update-users-self
* - destroy: delete-users
*/
$this->middleware('permission:'.UsersPermissions::CAN_LIST_USERS)->only('index');
$this->middleware('permission:'.UsersPermissions::CAN_LIST_USERS.'|'.UsersPermissions::CAN_SHOW_USERS)->only('show');
$this->middleware('permission:'.UsersPermissions::CAN_CREATE_USERS)->only('store');
$this->middleware('permission:'.UsersPermissions::CAN_UPDATE_USERS.'|'.UsersPermissions::CAN_UPDATE_USERS_SELF)->only('update');
$this->middleware('permission:'.UsersPermissions::CAN_DELETE_USERS)->only('destroy');
}

/**
* Display a listing of the resource.
*/
Expand Down Expand Up @@ -42,6 +65,12 @@ public function store(Request $request)
*/
public function show(User $user)
{
/** @var User $authUser */
$authUser = auth()->user();

if(!$authUser->checkPermissionTo(UsersPermissions::CAN_LIST_USERS) && !$authUser->is($user)) {
return new ApiErrorResponse("You can only view your own user.", status: Response::HTTP_FORBIDDEN);
}
return new ApiSuccessResponse($user);
}

Expand All @@ -56,6 +85,13 @@ public function update(Request $request, User $user)
'password' => 'sometimes|required|min:8|confirmed',
]);

/** @var User $authUser */
$authUser = auth()->user();

if($authUser->checkPermissionTo(UsersPermissions::CAN_UPDATE_USERS_SELF) && !$authUser->is($user)) {
return new ApiErrorResponse("You can only update your own user.", status: Response::HTTP_FORBIDDEN);
}

$user->update($validated);

return new ApiSuccessResponse($user);
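Review bot: The guard added to update() in hunk `@@ -56,6 +85,13 @@` denies a caller who holds `update-users-self` from updating any other user even when that caller also holds `update-users`, because it tests for the presence of the self permission rather than the absence of the broad one; the commit message defines `update-users` as covering all users. The guard in show() in the previous hunk has the intended shape, so update() should mirror it: `if (!$authUser->checkPermissionTo(UsersPermissions::CAN_UPDATE_USERS) && !$authUser->is($user)) {`, and a test that grants both permissions and updates a different user would pin this. The authorization check also runs after `$request->validate(...)`, so a caller who is about to be rejected with 403 still receives validation errors for the payload; moving the guard above the validation avoids that. update()'s body starts and ends outside the hunk.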
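--- a/app/Permissions/UsersPermissions.php
+++ b/app/Permissions/UsersPermissions.php
@@ -0,0 +1,29 @@
+<?php
+
+namespace App\Permissions;
+
+/**
+* Class UsersPermissions
+*
+* This class defines the permissions related to users.
+*/
+class UsersPermissions
+{
+/** Permission for listing and view all users. */
+public const CAN_LIST_USERS = 'list-users';
+
+/** Permission for showing users itself. */
+public const CAN_SHOW_USERS = 'show-users';
+
+/** Permission for creating users. */
+public const CAN_CREATE_USERS = 'create-users';
+
+/** Permission for updating users. */
+public const CAN_UPDATE_USERS = 'update-users';
+
+/** Permission for updating users itself. */
+public const CAN_UPDATE_USERS_SELF = 'update-users-self';
+
+/** Permission for deleting users. */
+public const CAN_DELETE_USERS = 'delete-users';
+}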
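Review bot: The constant docblocks in UsersPermissions read awkwardly and, for the two "self" permissions, do not say what the commit message defines them to mean: `Permission for listing and view all users.`, `Permission for showing users itself.` and `Permission for updating users itself.`. Suggest `/** Permission to list and view all users. */`, `/** Permission for a user to view their own record. */` and `/** Permission for a user to update their own record. */`, so a reader of the constants gets the same semantics as a reader of show() and update(). As a style point, the class only carries constants and is neither instantiated nor extended, so `final class UsersPermissions` states that intent; the file also lacks `declare(strict_types=1);`, assuming the rest of the project uses it.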
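--- a/database/migrations/2023_12_13_214743_add_user_permissions.php
+++ b/database/migrations/2023_12_13_214743_add_user_permissions.php
@@ -0,0 +1,71 @@
+<?php
+
+use App\Permissions\UsersPermissions;
+use Carbon\Carbon;
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+/**
+* Run the migrations.
+*/
+public function up(): void
+{
+DB::table('permissions')->insert(
+[
+[
+'name' => UsersPermissions::CAN_LIST_USERS,
+'guard_name' => 'web',
+'created_at' => Carbon::now(),
+'updated_at' => Carbon::now(),
+],
+[
+'name' => UsersPermissions::CAN_SHOW_USERS,
+'guard_name' => 'web',
+'created_at' => Carbon::now(),
+'updated_at' => Carbon::now(),
+],
+[
+'name' => UsersPermissions::CAN_CREATE_USERS,
+'guard_name' => 'web',
+'created_at' => Carbon::now(),
+'updated_at' => Carbon::now(),
+],
+[
+'name' => UsersPermissions::CAN_UPDATE_USERS,
+'guard_name' => 'web',
+'created_at' => Carbon::now(),
+'updated_at' => Carbon::now(),
+],
+[
+'name' => UsersPermissions::CAN_UPDATE_USERS_SELF,
+'guard_name' => 'web',
+'created_at' => Carbon::now(),
+'updated_at' => Carbon::now(),
+],
+[
+'name' => UsersPermissions::CAN_DELETE_USERS,
+'guard_name' => 'web',
+'created_at' => Carbon::now(),
+'updated_at' => Carbon::now(),
+]
+]
+);
+}
+
+/**
+* Reverse the migrations.
+*/
+public function down(): void
+{
+DB::table('permissions')->whereIn('name', [
+UsersPermissions::CAN_LIST_USERS,
+UsersPermissions::CAN_SHOW_USERS,
+UsersPermissions::CAN_CREATE_USERS,
+UsersPermissions::CAN_UPDATE_USERS,
+UsersPermissions::CAN_UPDATE_USERS_SELF,
+UsersPermissions::CAN_DELETE_USERS,
+])->delete();
+}
+};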
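Review bot: Every row in up() is inserted with `'guard_name' => 'web'`, while the controller that consumes these permissions answers with `ApiSuccessResponse`/`ApiErrorResponse` and so looks like an API route; if those routes authenticate under a guard other than `web`, the permission middleware and `checkPermissionTo()` would presumably resolve the permission for that guard and not find these rows, so it is worth confirming which guard the `UserController` routes use and seeding rows for it if it differs. `Carbon::now()` is also evaluated twelve times, so the six rows can receive slightly different timestamps; hoisting one `$now` and building the rows from the list of constants removes both the repetition and the drift. The same six constants are spelled out again in down(), so a private array constant on the anonymous class could feed both methods.
```php
public function up(): void
{
    $now = Carbon::now();

    DB::table('permissions')->insert(array_map(
        static fn (string $name): array => [
            'name' => $name,
            'guard_name' => 'web',
            'created_at' => $now,
            'updated_at' => $now,
        ],
        [
            UsersPermissions::CAN_LIST_USERS,
            UsersPermissions::CAN_SHOW_USERS,
            UsersPermissions::CAN_CREATE_USERS,
            UsersPermissions::CAN_UPDATE_USERS,
            UsersPermissions::CAN_UPDATE_USERS_SELF,
            UsersPermissions::CAN_DELETE_USERS,
        ],
    ));
}
// … unchanged: down() …
```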
