Update authorization checks for job actions

8 years ago · dd93db2269
3 changed files with 27 additions and 27 deletions
--- a/app/Http/Controllers/JobsController.php
+++ b/app/Http/Controllers/JobsController.php
@ -31,6 +31,8 @@ class JobsController extends Controller

    public function show(Request $request, Job $job)
    {
+        $this->authorize('view', $job);
+
        $editableTask = null;

        if ($request->get('action') == 'task_edit' && $request->has('task_id')) {
@ -44,34 +46,33 @@ class JobsController extends Controller
        return view('jobs.show', compact('job', 'editableTask'));
    }

-    public function edit($jobId)
+    public function edit(Job $job)
    {
-        $job = $this->repo->requireById($jobId);
+        $this->authorize('view', $job);
+
        $workers = $this->repo->getWorkersList();

        return view('jobs.edit', compact('job', 'workers'));
    }

-    public function update(UpdateRequest $req, $jobId)
+    public function update(UpdateRequest $request, Job $job)
    {
-        $job = $this->repo->update($req->except(['_method', '_token']), $jobId);
+        $job = $this->repo->update($request->except(['_method', '_token']), $job->id);
        flash()->success(trans('job.updated'));

-        return redirect()->route('jobs.show', $job->id);
+        return redirect()->route('jobs.show', $job);
    }

-    public function delete($jobId)
+    public function delete(Job $job)
    {
-        $job = $this->repo->requireById($jobId);
-
        return view('jobs.delete', compact('job'));
    }

-    public function destroy(DeleteRequest $req, $jobId)
+    public function destroy(DeleteRequest $request, Job $job)
    {
-        $job = $this->repo->requireById($jobId);
        $projectId = $job->project_id;
-        if ($jobId == $req->get('job_id')) {
+
+        if ($job->id == $request->get('job_id')) {
            $job->tasks()->delete();
            $job->delete();
            flash()->success(trans('job.deleted'));
@ -82,10 +83,10 @@ class JobsController extends Controller
        return redirect()->route('projects.jobs.index', $projectId);
    }

-    public function tasksReorder(Request $req, $jobId)
+    public function tasksReorder(Request $request, Job $job)
    {
        if ($req->ajax()) {
-            $data = $this->repo->tasksReorder($req->get('postData'));
+            $data = $this->repo->tasksReorder($request->get('postData'));

            return 'oke';
        }
--- a/resources/views/jobs/show.blade.php
+++ b/resources/views/jobs/show.blade.php
@ -7,8 +7,12 @@

 <h1 class="page-header">
    <div class="pull-right">
-        {!! html_link_to_route('projects.jobs.create', trans('job.create'), [$job->project_id], ['class' => 'btn btn-success','icon' => 'plus']) !!}
-        {!! link_to_route('jobs.edit', trans('job.edit'), [$job->id], ['class' => 'btn btn-warning']) !!}
+        @can('create', $job)
+            {!! html_link_to_route('projects.jobs.create', trans('job.create'), [$job->project_id], ['class' => 'btn btn-success','icon' => 'plus']) !!}
+        @endcan
+        @can('update', $job)
+            {!! link_to_route('jobs.edit', trans('job.edit'), [$job->id], ['class' => 'btn btn-warning']) !!}
+        @endcan
        {!! link_to_route('projects.jobs.index', trans('job.back_to_index'), [$job->project_id, '#' . $job->id], ['class' => 'btn btn-default']) !!}
    </div>
    {{ $job->name }} <small>{{ trans('job.detail') }}</small>
--- a/tests/Feature/ManageJobsTest.php
+++ b/tests/Feature/ManageJobsTest.php
@ -86,32 +86,27 @@ class ManageJobsTest extends TestCase
    /** @test */
    public function admin_can_delete_a_job()
    {
-        $user = $this->adminUserSigningIn();
-        $customer = factory(Customer::class)->create();
-        $project = factory(Project::class)->create(['customer_id' => $customer->id]);
-        $job = factory(Job::class)->create(['project_id' => $project->id]);
+        $this->adminUserSigningIn();
+
+        $job = factory(Job::class)->create();
        $tasks = factory(Task::class, 2)->create(['job_id' => $job->id]);

        $this->seeInDatabase('jobs', [
-            'name'       => $job->name,
-            'price'      => $job->price,
-            'project_id' => $project->id,
+            'id' => $job->id,
        ]);

-        $this->visit(route('jobs.show', $job->id));
+        $this->visit(route('jobs.show', $job));

        $this->click(trans('app.edit'));
        $this->click(trans('job.delete'));
        $this->press(trans('app.delete_confirm_button'));

-        $this->seePageIs(route('projects.jobs.index', $project->id));
+        $this->seePageIs(route('projects.jobs.index', $job->project_id));

        $this->see(trans('job.deleted'));

        $this->notSeeInDatabase('jobs', [
-            'name'       => $job->name,
-            'price'      => $job->price,
-            'project_id' => $project->id,
+            'id' => $job->id,
        ]);

        $this->notSeeInDatabase('tasks', [