diff --git a/src/Http/Controllers/Api/StorageRequestFileController.php b/src/Http/Controllers/Api/StorageRequestFileController.php
index bfa66e1..a391060 100644
--- a/src/Http/Controllers/Api/StorageRequestFileController.php
+++ b/src/Http/Controllers/Api/StorageRequestFileController.php
@@ -133,7 +133,7 @@ public function store(StoreStorageRequestFile $request)
 */
 public function show(Request $request, $id)
 {
- if (!$request->user()->can('sudo')) {
+ if (!$request->user()->can('review')) {
 abort(Response::HTTP_NOT_FOUND);
 }
diff --git a/src/Http/Requests/RejectStorageRequest.php b/src/Http/Requests/RejectStorageRequest.php
index 0c3d3e4..0fee074 100644
--- a/src/Http/Requests/RejectStorageRequest.php
+++ b/src/Http/Requests/RejectStorageRequest.php
@@ -24,7 +24,7 @@ public function authorize()
 $this->storageRequest = StorageRequest::whereNull('expires_at') ->findOrFail($this->route('id'));
- return $this->user()->can('destroy', $this->storageRequest);
+ return $this->user()->can('reject', $this->storageRequest);
 }
 /**
diff --git a/src/Http/routes.php b/src/Http/routes.php
index 444b622..5de7aca 100644
--- a/src/Http/routes.php
+++ b/src/Http/routes.php
@@ -23,7 +23,7 @@ $router->delete('storage-requests/{id}/directories', 'StorageRequestDirectoryController@destroy');
 $router->group([
- 'middleware' => ['can:sudo'],
+ 'middleware' => ['can:review'],
 ], function ($router) {
 $router->post('storage-requests/{id}/approve', 'StorageRequestController@approve');
 $router->post('storage-requests/{id}/reject', 'StorageRequestController@reject');
diff --git a/src/Policies/StorageRequestPolicy.php b/src/Policies/StorageRequestPolicy.php
index a4d2adb..442e589 100644
--- a/src/Policies/StorageRequestPolicy.php
+++ b/src/Policies/StorageRequestPolicy.php
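Review bot: `show` gates file access on the bare ability string `'review'`, while the reject path in this same change authorizes through `StorageRequestPolicy` (`can('reject', $storageRequest)`), so the reviewer rule now lives in two places: whatever registers the `review` gate (not part of this diff) and `StorageRequestPolicy::approve`. If that gate is not registered anywhere, Laravel denies an undefined ability by default and only a `Gate::before` hook would let anyone through, so the 200 expected in `testShow` depends on a definition this diff does not show. Consider checking the policy against the file's storage request instead, so one definition governs who may inspect pending files, and add a comment such as `// Only reviewers may inspect pending files; everyone else gets 404 so the file's existence is not revealed.` The body of `show` continues outside the hunk.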
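Review bot: The approve endpoint's authorization now rests on the `can:review` group middleware alone; `RejectStorageRequest::authorize` additionally checks the `reject` policy, but this diff shows no equivalent `approve` policy check for the approve request. Unless its form request (not visible here) already calls `can('approve', $storageRequest)`, renaming or dropping the `review` gate later would leave that route with no authorization layer at all. Confirm that check exists or add it so the policy remains the authoritative rule for both actions.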
@@ -74,7 +74,7 @@ public function update(User $user, StorageRequest $request)
 }
 /**
- * Determine if the given user can update the expiration date of the storage request.
+ * Determine if the given user can approve the storage request.
 *
 * @param User $user
 * @param StorageRequest $request
@@ -83,8 +83,21 @@ public function update(User $user, StorageRequest $request)
 */
 public function approve(User $user, StorageRequest $request)
 {
- // Only global admins can do this.
- return false;
+ // Only global admins and reviewers can do this.
+ return $user->canReview;
+ }
+
+ /**
+ * Determine if the given user can reject the storage request.
+ *
+ * @param User $user
+ * @param StorageRequest $request
+ *
+ * @return bool
+ */
+ public function reject(User $user, StorageRequest $request)
+ {
+ return $this->approve($user, $request);
 }
 /**
diff --git a/tests/Http/Controllers/Api/StorageRequestControllerTest.php b/tests/Http/Controllers/Api/StorageRequestControllerTest.php
index 90f4688..9f82bf6 100644
--- a/tests/Http/Controllers/Api/StorageRequestControllerTest.php
+++ b/tests/Http/Controllers/Api/StorageRequestControllerTest.php
@@ -194,7 +194,7 @@ public function testApprove()
 $this->be($request->user);
 $this->postJson("/api/v1/storage-requests/{$id}/approve")->assertStatus(403);
- $this->beGlobalAdmin();
+ $this->beGlobalReviewer();
 $this->postJson("/api/v1/storage-requests/{$id}/approve")->assertStatus(200);
 $this->assertNotNull($request->fresh()->expires_at);
@@ -208,7 +208,7 @@ public function testApproveEmpty()
 $request = StorageRequest::factory()->create();
 $id = $request->id;
- $this->beGlobalAdmin();
+ $this->beGlobalReviewer();
 $this->postJson("/api/v1/storage-requests/{$id}/approve")->assertStatus(422);
 }
@@ -223,7 +223,7 @@ public function testApproveAlreadyApproved()
 ]);
 $id = $request->id;
- $this->beGlobalAdmin();
+ $this->beGlobalReviewer();
 $this->postJson("/api/v1/storage-requests/{$id}/approve")->assertStatus(404);
 }
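Review bot: `approve` returns `$user->canReview` as-is while its docblock promises `bool`; unless `canReview` is boolean-cast on the `User` model (not visible here), a raw integer column or a null for an unloaded attribute is what callers receive, so `return (bool) $user->canReview;` keeps the declared contract. The new comment claims global admins can also do this, but the method itself only tests `canReview`, so admins are presumably admitted by a gate `before` hook elsewhere; say so, e.g. `// Reviewers are allowed here; global admins are expected to pass via the global before-hook.` The same caveat applies to `reject`, which delegates to this method.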
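Review bot: Replacing `beGlobalAdmin()` with `beGlobalReviewer()` here, and likewise in the hunks at -208, -223, -244 and -271 and in `StorageRequestFileControllerTest` at -706, -728 and -741, removes the only HTTP-level coverage that a global admin can still approve, reject and view pending files. `StorageRequestPolicyTest` keeps asserting `globalAdmin()->can('approve')`, but the route group's `can:review` middleware and `show`'s `can('review')` gate are no longer exercised for an admin anywhere after this change. Keep one admin assertion per endpoint in a separate test with a fresh request, e.g. `$this->beGlobalAdmin(); $this->postJson("/api/v1/storage-requests/{$id}/approve")->assertStatus(200);`, so a regression in the gate's admin handling is caught.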
@@ -244,7 +244,7 @@ public function testReject()
 $this->be($request->user);
 $this->postJson("/api/v1/storage-requests/{$id}/reject")->assertStatus(403);
- $this->beGlobalAdmin();
+ $this->beGlobalReviewer();
 // Needs a reason
 $this->postJson("/api/v1/storage-requests/{$id}/reject")->assertStatus(422);
@@ -271,7 +271,7 @@ public function testRejectAlreadyApproved()
 ]);
 $id = $request->id;
- $this->beGlobalAdmin();
+ $this->beGlobalReviewer();
 $this->postJson("/api/v1/storage-requests/{$id}/reject")->assertStatus(404);
 }
diff --git a/tests/Http/Controllers/Api/StorageRequestFileControllerTest.php b/tests/Http/Controllers/Api/StorageRequestFileControllerTest.php
index 0d90cf3..aec3081 100644
--- a/tests/Http/Controllers/Api/StorageRequestFileControllerTest.php
+++ b/tests/Http/Controllers/Api/StorageRequestFileControllerTest.php
@@ -706,7 +706,7 @@ public function testShow() {
 $this->be($request->user);
 $this->get("/api/v1/storage-request-files/{$file->id}")->assertStatus(404);
- $this->beGlobalAdmin();
+ $this->beGlobalReviewer();
 $this->get("/api/v1/storage-request-files/{$file->id}")->assertStatus(200);
 $this->get("/api/v1/storage-request-files/{$file2->id}")->assertStatus(404);
 }
@@ -728,7 +728,7 @@ public function testShowApproved() {
 });
 $disk->put("user-{$request->user_id}/a.jpg", 'abc');
- $this->beGlobalAdmin();
+ $this->beGlobalReviewer();
 $this->get("/api/v1/storage-request-files/{$file->id}")->assertStatus(200);
 }
@@ -741,7 +741,7 @@ public function testShowPublic() {
 'path' => 'a.jpg',
 ]);
- $this->beGlobalAdmin();
+ $this->beGlobalReviewer();
 $this->get("/api/v1/storage-request-files/{$file->id}") ->assertRedirect('myurl');
 }
diff --git a/tests/Policies/StorageRequestPolicyTest.php b/tests/Policies/StorageRequestPolicyTest.php
index 43067ac..075ba4c 100644
--- a/tests/Policies/StorageRequestPolicyTest.php
+++ b/tests/Policies/StorageRequestPolicyTest.php
@@ -22,6 +22,7 @@ public function testCreate()
 $this->assertTrue($this->editor()->can('create', StorageRequest::class));
 $this->assertTrue($this->expert()->can('create', StorageRequest::class));
 $this->assertTrue($this->admin()->can('create', StorageRequest::class));
+ $this->assertTrue($this->globalReviewer()->can('create', StorageRequest::class));
 $this->assertTrue($this->globalAdmin()->can('create', StorageRequest::class));
 }
@@ -34,6 +35,7 @@ public function testCreateMaintenanceMode()
 $this->assertFalse($this->editor()->can('create', StorageRequest::class));
 $this->assertFalse($this->expert()->can('create', StorageRequest::class));
 $this->assertFalse($this->admin()->can('create', StorageRequest::class));
+ $this->assertFalse($this->globalReviewer()->can('create', StorageRequest::class));
 $this->assertTrue($this->globalAdmin()->can('create', StorageRequest::class));
 }
@@ -45,6 +47,7 @@ public function testAccess()
 $this->assertTrue($this->editor()->can('access', $this->request));
 $this->assertFalse($this->expert()->can('access', $this->request));
 $this->assertFalse($this->admin()->can('access', $this->request));
+ $this->assertFalse($this->globalReviewer()->can('access', $this->request));
 $this->assertTrue($this->globalAdmin()->can('access', $this->request));
 }
@@ -56,6 +59,7 @@ public function testUpdate()
 $this->assertTrue($this->editor()->can('update', $this->request));
 $this->assertFalse($this->expert()->can('update', $this->request));
 $this->assertFalse($this->admin()->can('update', $this->request));
+ $this->assertFalse($this->globalReviewer()->can('update', $this->request));
 $this->assertFalse($this->globalAdmin()->can('update', $this->request));
 }
@@ -68,6 +72,7 @@ public function testUpdateMaintenanceMode()
 $this->assertFalse($this->editor()->can('update', $this->request));
 $this->assertFalse($this->expert()->can('update', $this->request));
 $this->assertFalse($this->admin()->can('update', $this->request));
+ $this->assertFalse($this->globalReviewer()->can('update', $this->request));
 $this->assertFalse($this->globalAdmin()->can('update', $this->request));
 }
@@ -86,9 +91,22 @@ public function testApprove()
 $this->assertFalse($this->editor()->can('approve', $this->request));
 $this->assertFalse($this->expert()->can('approve', $this->request));
 $this->assertFalse($this->admin()->can('approve', $this->request));
+ $this->assertTrue($this->globalReviewer()->can('approve', $this->request));
 $this->assertTrue($this->globalAdmin()->can('approve', $this->request));
 }
+ public function testReject()
+ {
+ $this->assertFalse($this->globalGuest()->can('reject', $this->request));
+ $this->assertFalse($this->user()->can('reject', $this->request));
+ $this->assertFalse($this->guest()->can('reject', $this->request));
+ $this->assertFalse($this->editor()->can('reject', $this->request));
+ $this->assertFalse($this->expert()->can('reject', $this->request));
+ $this->assertFalse($this->admin()->can('reject', $this->request));
+ $this->assertTrue($this->globalReviewer()->can('reject', $this->request));
+ $this->assertTrue($this->globalAdmin()->can('reject', $this->request));
+ }
+ + public function testDestroy()
 {
 $this->assertFalse($this->globalGuest()->can('destroy', $this->request));
@@ -97,6 +115,7 @@ public function testDestroy()
 $this->assertTrue($this->editor()->can('destroy', $this->request));
 $this->assertFalse($this->expert()->can('destroy', $this->request));
 $this->assertFalse($this->admin()->can('destroy', $this->request));
+ $this->assertFalse($this->globalReviewer()->can('destroy', $this->request));
 $this->assertTrue($this->globalAdmin()->can('destroy', $this->request));
 }
 }
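Review bot: `testReject` repeats `testApprove` line for line, which matches `reject` delegating to `approve` in the policy, but neither ability gets a maintenance-mode variant even though `create` and `update` have one (`testCreateMaintenanceMode`, `testUpdateMaintenanceMode`) and those variants are exactly where the reviewer and global-admin outcomes differ. If approve/reject are meant to follow the same maintenance rule, add `testApproveMaintenanceMode` and `testRejectMaintenanceMode` mirroring the create case; if they are deliberately unaffected, a one-line comment on `testReject` stating that would record the intent. A data provider over the two ability names would also remove the duplicated assertion list.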