Update project policy for user role authorization

app/Policies/Projects/ProjectPolicy.php

@@ -25,8 +25,8 @@ class ProjectPolicy
      */
     public function view(User $user, Project $project)
     {
-        // User can only view the project if he is the project's agency owner.
-        return true;
+        return $user->hasRole('admin')
+            || ($user->hasRole('worker') && $user->projects->contains($project->id));
     }
 
     /**
@@ -39,7 +39,6 @@ class ProjectPolicy
      */
     public function create(User $user, Project $project)
     {
-        // User can create a project if they owns an agency.
         return $user->hasRole('admin');
     }
 

tests/Unit/Policies/ProjectPolicyTest.php

@@ -2,29 +2,24 @@
 
 namespace Tests\Unit\Policies;
 
+use App\Entities\Projects\Job;
 use App\Entities\Projects\Project;
 use Tests\TestCase as TestCase;
 
 class ProjectPolicyTest extends TestCase
 {
     /** @test */
-    public function an_admin_can_create_project()
+    public function only_admin_can_create_project()
     {
         $admin = $this->createUser('admin');
-
-        $this->assertTrue($admin->can('create', new Project()));
-    }
-
-    /** @test */
-    public function a_worker_cannot_create_project()
-    {
         $worker = $this->createUser('worker');
 
+        $this->assertTrue($admin->can('create', new Project()));
         $this->assertFalse($worker->can('create', new Project()));
     }
 
     /** @test */
-    public function an_admin_can_view_project()
+    public function an_admin_can_view_all_project_detail()
     {
         $admin = $this->createUser('admin');
         $project = factory(Project::class)->create();
@@ -33,38 +28,42 @@ class ProjectPolicyTest extends TestCase
     }
 
     /** @test */
-    public function an_admin_can_update_project()
+    public function a_worker_can_only_view_the_project_in_which_they_are_involved()
     {
-        $admin = $this->createUser('admin');
+        $worker = $this->createUser('worker');
         $project = factory(Project::class)->create();
 
-        $this->assertTrue($admin->can('update', $project));
-    }
+        // Worker cannot view the project
+        $this->assertFalse($worker->can('view', $project));
 
-    /** @test */
-    public function a_worker_cannot_update_project()
-    {
-        $worker = $this->createUser('worker');
-        $project = factory(Project::class)->create();
+        // Assign a job to worker on the project
+        factory(Job::class)->create([
+            'project_id' => $project->id,
+            'worker_id'  => $worker->id,
+        ]);
 
-        $this->assertFalse($worker->can('update', $project));
+        // Worker can view the project after assignment
+        $this->assertTrue($worker->fresh()->can('view', $project));
     }
 
     /** @test */
-    public function an_admin_can_delete_project()
+    public function only_admin_can_update_project()
     {
         $admin = $this->createUser('admin');
-        $project = factory(Project::class)->create();
+        $worker = $this->createUser('worker');
 
-        $this->assertTrue($admin->can('delete', $project));
+        $this->assertTrue($admin->can('update', new Project()));
+        $this->assertFalse($worker->can('update', new Project()));
     }
 
     /** @test */
-    public function a_worker_cannot_delete_project()
+    public function only_admin_can_delete_project()
     {
+        $admin = $this->createUser('admin');
         $worker = $this->createUser('worker');
         $project = factory(Project::class)->create();
 
+        $this->assertTrue($admin->can('delete', $project));
         $this->assertFalse($worker->can('delete', $project));
     }
 }