Added more testcases to check task proper access control

canyongbs · Dec 25, 2024 · c719311 · c719311
1 parent cd32e84
commit c719311
Showing 1 changed file with 134 additions and 1 deletion.
diff --git a/app-modules/task/tests/EditTaskTest.php b/app-modules/task/tests/EditTaskTest.php
@@ -100,4 +100,137 @@
         ->assertHasNoFormErrors();
 
     // TODO: Check for changes
-})->only();
+});
+
+test('A user without proper permissions and that is not associated to the Task cannot access', function () {
+    $user = User::factory()->licensed(LicenseType::cases())->create();
+
+    $task = Task::factory()->create();
+
+    actingAs($user)
+        ->get(
+            TaskResource::getUrl('edit', [
+                'record' => $task,
+            ])
+        )->assertForbidden();
+
+    livewire(EditTask::class, [
+        'record' => $task->getRouteKey(),
+    ])
+        ->assertForbidden();
+});
+
+test('A User with proper permissions and that is not associated to the Task cannot access', function () {
+    $user = User::factory()->licensed(LicenseType::cases())->create();
+
+    $task = Task::factory()->create();
+
+    $user->givePermissionTo('task.view-any');
+    $user->givePermissionTo('task.*.update');
+
+    actingAs($user)
+        ->get(
+            TaskResource::getUrl('edit', [
+                'record' => $task,
+            ])
+        )->assertForbidden();
+
+    livewire(EditTask::class, [
+        'record' => $task->getRouteKey(),
+    ])
+        ->assertForbidden();
+});
+
+test('A User without proper permissions that is the assigned user cannot access', function () {
+    $user = User::factory()->licensed(LicenseType::cases())->create();
+
+    $task = Task::factory()->create();
+
+    $task->assignedTo()->associate($user)->save();
+
+    $task->refresh();
+
+    actingAs($user)
+        ->get(
+            TaskResource::getUrl('edit', [
+                'record' => $task,
+            ])
+        )->assertForbidden();
+
+    livewire(EditTask::class, [
+        'record' => $task->getRouteKey(),
+    ])
+        ->assertForbidden();
+});
+
+test('A User without proper permissions that is the created by user cannot access', function () {
+    $user = User::factory()->licensed(LicenseType::cases())->create();
+
+    $task = Task::factory()->create();
+
+    $task->createdBy()->associate($user)->save();
+
+    $task->refresh();
+
+    actingAs($user)
+        ->get(
+            TaskResource::getUrl('edit', [
+                'record' => $task,
+            ])
+        )->assertForbidden();
+
+    livewire(EditTask::class, [
+        'record' => $task->getRouteKey(),
+    ])
+        ->assertForbidden();
+});
+
+test('A User with proper permissions that is the assigned user can access', function () {
+    $user = User::factory()->licensed(LicenseType::cases())->create();
+
+    $task = Task::factory()->create();
+
+    $user->givePermissionTo('task.view-any');
+    $user->givePermissionTo('task.*.update');
+
+    $task->assignedTo()->associate($user)->save();
+
+    $task->refresh();
+
+    actingAs($user)
+        ->get(
+            TaskResource::getUrl('edit', [
+                'record' => $task,
+            ])
+        )->assertSuccessful();
+
+    livewire(EditTask::class, [
+        'record' => $task->getRouteKey(),
+    ])
+        ->assertSuccessful();
+});
+
+test('A User with proper permissions that is the created by user can access.', function () {
+    $user = User::factory()->licensed(LicenseType::cases())->create();
+
+    $task = Task::factory()->create();
+
+    $user->givePermissionTo('task.view-any');
+    $user->givePermissionTo('task.*.update');
+
+    $task->createdBy()->associate($user)->save();
+
+    $task->refresh();
+
+    actingAs($user)
+        ->get(
+            TaskResource::getUrl('edit', [
+                'record' => $task,
+            ])
+        )->assertSuccessful();
+
+    livewire(EditTask::class, [
+        'record' => $task->getRouteKey(),
+    ])
+        ->assertSuccessful();
+});