Update job policy object for user authorization

8 years ago · 022bcddef9
2 changed files with 22 additions and 25 deletions
--- a/app/Policies/Projects/JobPolicy.php
+++ b/app/Policies/Projects/JobPolicy.php
@ -25,8 +25,8 @@ class JobPolicy
     */
    public function view(User $user, Job $job)
    {
-        // User can only view the job if he is the job's agency owner.
-        return true;
+        return $user->hasRole('admin')
+            || ($user->hasRole('worker') && $job->worker_id == $user->id);
    }

    /**
@ -39,7 +39,6 @@ class JobPolicy
     */
    public function create(User $user, Job $job)
    {
-        // User can create a job if they owns an agency.
        return $user->hasRole('admin');
    }

@ -53,8 +52,7 @@ class JobPolicy
     */
    public function update(User $user, Job $job)
    {
-        return $user->hasRole('admin')
-            || ($user->hasRole('worker') && $job->worker_id == $user->id);
+        return $user->hasRole('admin');
    }

    /**
--- a/tests/Unit/Policies/JobPolicyTest.php
+++ b/tests/Unit/Policies/JobPolicyTest.php
@ -33,42 +33,41 @@ class JobPolicyTest extends TestCase
    }

    /** @test */
-    public function an_admin_can_update_job()
+    public function a_worker_only_can_view_jobs_that_has_been_assigned_to_them()
    {
-        $admin = $this->createUser('admin');
+        $worker = $this->createUser('worker');
        $job = factory(Job::class)->create();

-        $this->assertTrue($admin->can('update', $job));
-    }
-
-    /** @test */
-    public function a_worker_can_only_update_job_that_assigned_to_them()
-    {
-        $assignedWorker = $this->createUser('worker');
-        $job = factory(Job::class)->create(['worker_id' => $assignedWorker->id]);
-
-        $this->assertTrue($assignedWorker->can('update', $job));
+        // Worker cannot view the job
+        $this->assertFalse($worker->can('view', $job));

-        $otherWorker = $this->createUser('worker');
+        // Assign the job to the worker
+        $job->worker_id = $worker->id;
+        $job->save();

-        $this->assertFalse($otherWorker->can('update', $job));
+        // Worker can view the job
+        $this->assertTrue($worker->can('view', $job));
    }

    /** @test */
-    public function an_admin_can_delete_job()
+    public function only_admin_can_update_job()
    {
        $admin = $this->createUser('admin');
-        $job = factory(Job::class)->create();
+        $worker = $this->createUser('worker');
+        $job = factory(Job::class)->create(['worker_id' => $worker->id]);

-        $this->assertTrue($admin->can('delete', $job));
+        $this->assertTrue($admin->can('update', $job));
+        $this->assertFalse($worker->can('update', $job));
    }

    /** @test */
-    public function a_worker_cannot_delete_job()
+    public function only_admin_can_delete_job()
    {
+        $admin = $this->createUser('admin');
        $worker = $this->createUser('worker');
-        $job = factory(Job::class)->create();
+        $job = factory(Job::class)->create(['worker_id' => $worker->id]);

-        $this->assertFalse($worker->can('delete', $job));
+        $this->assertTrue($admin->can('update', $job));
+        $this->assertFalse($worker->can('update', $job));
    }
 }