Create common function for userIsFormOwner & rewrite protected form (#244)

* Create common function for userIsFormOwner & rewrite protected form

* fix testcase
This commit is contained in:
formsdev 2023-11-28 15:53:04 +05:30 committed by GitHub
parent 64e79f34f2
commit d65c1be9b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 39 additions and 34 deletions

View File

@ -80,6 +80,6 @@ class Kernel extends HttpKernel
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'pro-form' => \App\Http\Middleware\Form\ProForm::class,
'password-protected-form' => \App\Http\Middleware\Form\PasswordProtectedForm::class,
'protected-form' => \App\Http\Middleware\Form\ProtectedForm::class,
];
}

View File

@ -7,7 +7,7 @@ use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
class PasswordProtectedForm
class ProtectedForm
{
const PASSWORD_HEADER_NAME = 'form-password';
@ -20,26 +20,34 @@ class PasswordProtectedForm
*/
public function handle(Request $request, Closure $next)
{
if ($request->route('slug')) {
$form = Form::where('slug',$request->route('slug'))->firstOrFail();
$request->merge([
'form' => $form,
]);
$userIsFormOwner = Auth::check() && Auth::user()->workspaces()->find($form->workspace_id) !== null;
if (!$userIsFormOwner && $form->has_password) {
if($this->hasCorrectPassword($request, $form)){
return $next($request);
}
return response([
'status' => 'Unauthorized',
'message' => 'Form is password protected.',
], 403);
}
if (!$request->route('slug')) {
return $next($request);
}
$form = Form::where('slug',$request->route('slug'))->firstOrFail();
$request->merge([
'form' => $form,
]);
$userIsFormOwner = Auth::check() && Auth::user()->ownsForm($form);
if (!$userIsFormOwner && $this->isProtected($request, $form)) {
return response([
'status' => 'Unauthorized',
'message' => 'Form is protected.',
], 403);
}
return $next($request);
}
public static function isProtected(Request $request, Form $form)
{
if (!$form->has_password) {
return false;
}
return !self::hasCorrectPassword($request, $form);
}
public static function hasCorrectPassword(Request $request, Form $form)
{
return $request->headers->has(self::PASSWORD_HEADER_NAME) && $request->headers->get(self::PASSWORD_HEADER_NAME) == hash('sha256', $form->password);

View File

@ -2,7 +2,7 @@
namespace App\Http\Resources;
use App\Http\Middleware\Form\PasswordProtectedForm;
use App\Http\Middleware\Form\ProtectedForm;
use App\Http\Resources\UserResource;
use Illuminate\Http\Resources\Json\JsonResource;
use Illuminate\Support\Facades\Auth;
@ -20,8 +20,8 @@ class FormResource extends JsonResource
*/
public function toArray($request)
{
if(!$this->userIsFormOwner() && $this->doesMissPassword($request)){
return $this->getPasswordProtectedForm();
if(!$this->userIsFormOwner() && ProtectedForm::isProtected($request, $this->resource)){
return $this->getProtectedForm();
}
$ownerData = $this->userIsFormOwner() ? [
@ -96,14 +96,7 @@ class FormResource extends JsonResource
return $this;
}
private function doesMissPassword(Request $request)
{
if (!$this->has_password) return false;
return !PasswordProtectedForm::hasCorrectPassword($request, $this->resource);
}
private function getPasswordProtectedForm()
private function getProtectedForm()
{
return [
'id' => $this->id,
@ -131,8 +124,7 @@ class FormResource extends JsonResource
private function userIsFormOwner() {
return $this->extra?->userIsOwner ??
(
Auth::check()
&& Auth::user()->workspaces()->find($this->workspace_id) !== null
Auth::check() && Auth::user()->ownsForm($this->resource)
);
}

View File

@ -61,6 +61,11 @@ class User extends Authenticatable implements JWTSubject
protected $withCount = ['workspaces'];
public function ownsForm(Form $form)
{
return $this->workspaces()->find($form->workspace_id) !== null;
}
/**
* Get the profile photo URL attribute.
*

View File

@ -139,7 +139,7 @@ Route::group(['prefix' => 'appsumo'], function () {
* Public Forms related routes
*/
Route::prefix('forms')->name('forms.')->group(function () {
Route::middleware('password-protected-form')->group(function () {
Route::middleware('protected-form')->group(function () {
Route::post('{slug}/answer', [PublicFormController::class, 'answer'])->name('answer');
// Form content endpoints (user lists, relation lists etc.)

View File

@ -54,7 +54,7 @@ it('can not submit form without password for guest user', function () {
->assertStatus(403)
->assertJson([
'status' => 'Unauthorized',
'message' => 'Form is password protected.'
'message' => 'Form is protected.'
]);
});
@ -66,7 +66,7 @@ it('can not submit form with wrong password for guest user', function () {
->assertStatus(403)
->assertJson([
'status' => 'Unauthorized',
'message' => 'Form is password protected.'
'message' => 'Form is protected.'
]);
});