Update project policy for user role authorization

8 years ago · 7eab331323
2 changed files with 24 additions and 26 deletions
--- a/app/Policies/Projects/ProjectPolicy.php
+++ b/app/Policies/Projects/ProjectPolicy.php
@ -25,8 +25,8 @@ class ProjectPolicy
     */
    public function view(User $user, Project $project)
    {
        // User can only view the project if he is the project's agency owner.
        return true;
        return $user->hasRole('admin')
            || ($user->hasRole('worker') && $user->projects->contains($project->id));
    }
    /**
@ -39,7 +39,6 @@ class ProjectPolicy
     */
    public function create(User $user, Project $project)
    {
        // User can create a project if they owns an agency.
        return $user->hasRole('admin');
    }
--- a/tests/Unit/Policies/ProjectPolicyTest.php
+++ b/tests/Unit/Policies/ProjectPolicyTest.php
@ -2,29 +2,24 @@
 namespace Tests\Unit\Policies;
 use App\Entities\Projects\Job;
 use App\Entities\Projects\Project;
 use Tests\TestCase as TestCase;
 class ProjectPolicyTest extends TestCase
 {
    /** @test */
    public function an_admin_can_create_project()
    public function only_admin_can_create_project()
    {
        $admin = $this->createUser('admin');
        $this->assertTrue($admin->can('create', new Project()));
    }
    /** @test */
    public function a_worker_cannot_create_project()
    {
        $worker = $this->createUser('worker');
        $this->assertTrue($admin->can('create', new Project()));
        $this->assertFalse($worker->can('create', new Project()));
    }
    /** @test */
    public function an_admin_can_view_project()
    public function an_admin_can_view_all_project_detail()
    {
        $admin = $this->createUser('admin');
        $project = factory(Project::class)->create();
@ -33,38 +28,42 @@ class ProjectPolicyTest extends TestCase
    }
    /** @test */
    public function an_admin_can_update_project()
    public function a_worker_can_only_view_the_project_in_which_they_are_involved()
    {
        $admin = $this->createUser('admin');
        $worker = $this->createUser('worker');
        $project = factory(Project::class)->create();
        $this->assertTrue($admin->can('update', $project));
    }
        // Worker cannot view the project
        $this->assertFalse($worker->can('view', $project));
    /** @test */
    public function a_worker_cannot_update_project()
    {
        $worker = $this->createUser('worker');
        $project = factory(Project::class)->create();
        // Assign a job to worker on the project
        factory(Job::class)->create([
            'project_id' => $project->id,
            'worker_id'  => $worker->id,
        ]);
        $this->assertFalse($worker->can('update', $project));
        // Worker can view the project after assignment
        $this->assertTrue($worker->fresh()->can('view', $project));
    }
    /** @test */
    public function an_admin_can_delete_project()
    public function only_admin_can_update_project()
    {
        $admin = $this->createUser('admin');
        $project = factory(Project::class)->create();
        $worker = $this->createUser('worker');
        $this->assertTrue($admin->can('delete', $project));
        $this->assertTrue($admin->can('update', new Project()));
        $this->assertFalse($worker->can('update', new Project()));
    }
    /** @test */
    public function a_worker_cannot_delete_project()
    public function only_admin_can_delete_project()
    {
        $admin = $this->createUser('admin');
        $worker = $this->createUser('worker');
        $project = factory(Project::class)->create();
        $this->assertTrue($admin->can('delete', $project));
        $this->assertFalse($worker->can('delete', $project));
    }
 }