Create common function for userIsFormOwner & rewrite protected form (#244)

* Create common function for userIsFormOwner & rewrite protected form

* fix testcase
This commit is contained in:
formsdev 2023-11-28 15:53:04 +05:30 committed by GitHub
parent 64e79f34f2
commit d65c1be9b5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 39 additions and 34 deletions

View File

@ -80,6 +80,6 @@ class Kernel extends HttpKernel
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class, 'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'pro-form' => \App\Http\Middleware\Form\ProForm::class, 'pro-form' => \App\Http\Middleware\Form\ProForm::class,
'password-protected-form' => \App\Http\Middleware\Form\PasswordProtectedForm::class, 'protected-form' => \App\Http\Middleware\Form\ProtectedForm::class,
]; ];
} }

View File

@ -7,7 +7,7 @@ use Closure;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth; use Illuminate\Support\Facades\Auth;
class PasswordProtectedForm class ProtectedForm
{ {
const PASSWORD_HEADER_NAME = 'form-password'; const PASSWORD_HEADER_NAME = 'form-password';
@ -20,24 +20,32 @@ class PasswordProtectedForm
*/ */
public function handle(Request $request, Closure $next) public function handle(Request $request, Closure $next)
{ {
if ($request->route('slug')) { if (!$request->route('slug')) {
return $next($request);
}
$form = Form::where('slug',$request->route('slug'))->firstOrFail(); $form = Form::where('slug',$request->route('slug'))->firstOrFail();
$request->merge([ $request->merge([
'form' => $form, 'form' => $form,
]); ]);
$userIsFormOwner = Auth::check() && Auth::user()->workspaces()->find($form->workspace_id) !== null; $userIsFormOwner = Auth::check() && Auth::user()->ownsForm($form);
if (!$userIsFormOwner && $form->has_password) { if (!$userIsFormOwner && $this->isProtected($request, $form)) {
if($this->hasCorrectPassword($request, $form)){ return response([
'status' => 'Unauthorized',
'message' => 'Form is protected.',
], 403);
}
return $next($request); return $next($request);
} }
return response([ public static function isProtected(Request $request, Form $form)
'status' => 'Unauthorized', {
'message' => 'Form is password protected.', if (!$form->has_password) {
], 403); return false;
} }
}
return $next($request); return !self::hasCorrectPassword($request, $form);
} }
public static function hasCorrectPassword(Request $request, Form $form) public static function hasCorrectPassword(Request $request, Form $form)

View File

@ -2,7 +2,7 @@
namespace App\Http\Resources; namespace App\Http\Resources;
use App\Http\Middleware\Form\PasswordProtectedForm; use App\Http\Middleware\Form\ProtectedForm;
use App\Http\Resources\UserResource; use App\Http\Resources\UserResource;
use Illuminate\Http\Resources\Json\JsonResource; use Illuminate\Http\Resources\Json\JsonResource;
use Illuminate\Support\Facades\Auth; use Illuminate\Support\Facades\Auth;
@ -20,8 +20,8 @@ class FormResource extends JsonResource
*/ */
public function toArray($request) public function toArray($request)
{ {
if(!$this->userIsFormOwner() && $this->doesMissPassword($request)){ if(!$this->userIsFormOwner() && ProtectedForm::isProtected($request, $this->resource)){
return $this->getPasswordProtectedForm(); return $this->getProtectedForm();
} }
$ownerData = $this->userIsFormOwner() ? [ $ownerData = $this->userIsFormOwner() ? [
@ -96,14 +96,7 @@ class FormResource extends JsonResource
return $this; return $this;
} }
private function doesMissPassword(Request $request) private function getProtectedForm()
{
if (!$this->has_password) return false;
return !PasswordProtectedForm::hasCorrectPassword($request, $this->resource);
}
private function getPasswordProtectedForm()
{ {
return [ return [
'id' => $this->id, 'id' => $this->id,
@ -131,8 +124,7 @@ class FormResource extends JsonResource
private function userIsFormOwner() { private function userIsFormOwner() {
return $this->extra?->userIsOwner ?? return $this->extra?->userIsOwner ??
( (
Auth::check() Auth::check() && Auth::user()->ownsForm($this->resource)
&& Auth::user()->workspaces()->find($this->workspace_id) !== null
); );
} }

View File

@ -61,6 +61,11 @@ class User extends Authenticatable implements JWTSubject
protected $withCount = ['workspaces']; protected $withCount = ['workspaces'];
public function ownsForm(Form $form)
{
return $this->workspaces()->find($form->workspace_id) !== null;
}
/** /**
* Get the profile photo URL attribute. * Get the profile photo URL attribute.
* *

View File

@ -139,7 +139,7 @@ Route::group(['prefix' => 'appsumo'], function () {
* Public Forms related routes * Public Forms related routes
*/ */
Route::prefix('forms')->name('forms.')->group(function () { Route::prefix('forms')->name('forms.')->group(function () {
Route::middleware('password-protected-form')->group(function () { Route::middleware('protected-form')->group(function () {
Route::post('{slug}/answer', [PublicFormController::class, 'answer'])->name('answer'); Route::post('{slug}/answer', [PublicFormController::class, 'answer'])->name('answer');
// Form content endpoints (user lists, relation lists etc.) // Form content endpoints (user lists, relation lists etc.)

View File

@ -54,7 +54,7 @@ it('can not submit form without password for guest user', function () {
->assertStatus(403) ->assertStatus(403)
->assertJson([ ->assertJson([
'status' => 'Unauthorized', 'status' => 'Unauthorized',
'message' => 'Form is password protected.' 'message' => 'Form is protected.'
]); ]);
}); });
@ -66,7 +66,7 @@ it('can not submit form with wrong password for guest user', function () {
->assertStatus(403) ->assertStatus(403)
->assertJson([ ->assertJson([
'status' => 'Unauthorized', 'status' => 'Unauthorized',
'message' => 'Form is password protected.' 'message' => 'Form is protected.'
]); ]);
}); });