feat: Restrict ledger creation exclusively to dynamic owners and fix route matching conflicts

This commit is contained in:
Daan Meijer 2026-06-17 00:29:40 +02:00
parent d01091d5a6
commit ae6a4304f9
3 changed files with 59 additions and 2 deletions


@ -14,7 +14,7 @@ class StoreLedgerRequest extends FormRequest
{
$dynamic = $this->route('dynamic');
return $dynamic && $this->user()->can('view', $dynamic);
return $dynamic && $this->user()->can('update', $dynamic);
}
/**
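Review bot: The `update` ability on the new return line is the policy's generic edit permission rather than an explicit owner check, so whether this matches the title's "exclusively to dynamic owners" depends on the policy backing `can('update', $dynamic)`, which is outside this diff. If that ability is ever granted to a non-owner role, ledger creation widens with it, and the form route handled by LedgerController::create is authorized separately, so the two can drift. Pin the intent with a comment above the return, `// Ledger creation follows the dynamic's 'update' ability; keep in step with LedgerController::create`. The authorize method's signature sits above the hunk.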


@ -16,8 +16,8 @@ Route::middleware(['auth', 'verified'])->group(function () {
Route::get('/dynamics/{dynamic}/settings', [DynamicController::class, 'edit'])->name('dynamics.edit');
Route::patch('/dynamics/{dynamic}/settings', [DynamicController::class, 'update'])->name('dynamics.update');
Route::resource('dynamics.ledgers', LedgerController::class)->scoped()->except(['create']);
Route::get('/dynamics/{dynamic}/ledgers/create', [LedgerController::class, 'create'])->name('dynamics.ledgers.create');
Route::resource('dynamics.ledgers', LedgerController::class)->scoped()->except(['create']);
Route::resource('dynamics.ledgers.mutations', MutationController::class)->scoped();
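Review bot: The conflict fix at the moved resource line depends purely on registration order and nothing in the file records that, so the next reorder reintroduces `dynamics.ledgers.show` swallowing `/ledgers/create`. A comment above the explicit create route, `// Must precede the resource routes: the {ledger} show route would otherwise match "create".`, makes the constraint visible. As far as I can tell Laravel's resource registrar already registers `create` ahead of `show`, so unless the standalone create route differs in some way not shown here, `->except(['create'])` plus the manual route could collapse back to a single `Route::resource('dynamics.ledgers', LedgerController::class)->scoped();`. If ledger keys are numeric, `Route::pattern('ledger', '[0-9]+')` would also remove the ambiguity regardless of order. The middleware group closure starts before the hunk.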


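--- /dev/null
+++ b/<PATH-NOT-ON-PAGE>
@@ -0,0 +1,57 @@
+<?php
+use App\Models\User;
+use App\Models\Dynamic;
+use App\Models\Ledger;
+test('dynamic owners can view ledger creation form and create ledgers', function () {
+$owner = User::factory()->create();
+$dynamic = Dynamic::factory()->create();
+$dynamic->participants()->attach($owner->id, ['role' => 'owner']);
+$this->actingAs($owner);
+// Can view form
+$this->get(route('dynamics.ledgers.create', $dynamic->id))->assertOk();
+// Can store ledger
+$response = $this->post(route('dynamics.ledgers.store', $dynamic->id), [
+'name' => 'Chores Ledger',
+'rules' => 'Do the tasks.',
+'alignment' => 'positive',
+]);
+$response->assertSessionHasNoErrors();
+$response->assertRedirect(route('dynamics.show', $dynamic->id));
+$this->assertDatabaseHas('ledgers', [
+'dynamic_id' => $dynamic->id,
+'name' => 'Chores Ledger',
+'alignment' => 'positive',
+]);
+});
+test('non-owners cannot view ledger creation form or store ledgers', function () {
+$owner = User::factory()->create();
+$participant = User::factory()->create();
+$dynamic = Dynamic::factory()->create();
+$dynamic->participants()->attach($owner->id, ['role' => 'owner']);
+$dynamic->participants()->attach($participant->id, ['role' => 'participant']);
+$this->actingAs($participant);
+// Cannot view form
+$this->get(route('dynamics.ledgers.create', $dynamic->id))->assertStatus(403);
+// Cannot store ledger
+$response = $this->post(route('dynamics.ledgers.store', $dynamic->id), [
+'name' => 'Illegal Ledger',
+'rules' => 'This should fail.',
+'alignment' => 'positive',
+]);
+$response->assertStatus(403);
+$this->assertDatabaseMissing('ledgers', [
+'name' => 'Illegal Ledger',
+]);
+});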
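Review bot: The non-owner test in the second block covers only a member attached with role 'participant'; a user who is not attached to the dynamic at all, and an owner of a different dynamic, are never exercised, so a cross-dynamic mix-up in the authorization would not be caught. A third test for such an outsider, sketched below, closes that gap. The 403 on the GET depends on whatever LedgerController::create authorizes, which this commit does not touch, so the form and the store request can disagree without either test noticing if their abilities differ. Both tests also hard-code the pivot role strings 'owner' and 'participant'; if the role is modelled elsewhere as an enum or constant, prefer that here, and the unused `use App\Models\Ledger;` import can go.
```php
// … unchanged: existing owner and participant tests …
test('users outside the dynamic cannot view the ledger creation form or store ledgers', function () {
    $outsider = User::factory()->create();
    $dynamic = Dynamic::factory()->create();
    $dynamic->participants()->attach(User::factory()->create()->id, ['role' => 'owner']);
    $this->actingAs($outsider);

    $this->get(route('dynamics.ledgers.create', $dynamic->id))->assertStatus(403);
    $this->post(route('dynamics.ledgers.store', $dynamic->id), [
        'name' => 'Outsider Ledger',
        'rules' => 'This should fail.',
        'alignment' => 'positive',
    ])->assertStatus(403);
    $this->assertDatabaseMissing('ledgers', ['name' => 'Outsider Ledger']);
});
```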