
Prevent users from being able to edit service requests of types if th…
…ey are not managers
ankit-canyon committed Oct 14, 2024
1 parent 5950bee commit a7f167f
Showing 8 changed files with 251 additions and 25 deletions.
Expand Up @@ -69,6 +69,17 @@ public function table(Table $table): Table
{
return $table
->recordTitleAttribute('id')
->modifyQueryUsing(function($query){
$query->when(! auth()->user()->hasRole('authorization.super_admin'), function (Builder $q) {
return $q->whereHas('priority.type.managers', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
})->orWhereHas('priority.type.auditors', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
})->whereHas('respondent', function (Builder $query) {
$query->where('respondent_id', $this->getOwnerRecord()->getKey());
});
});
})
->columns([
IdColumn::make(),
TextColumn::make('service_request_number')
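Review bot: The `orWhereHas('priority.type.auditors', …)` at L24 is appended without a nested group, so the generated WHERE reads `… AND EXISTS(managers) OR EXISTS(auditors) AND EXISTS(respondent)` and whether the relation manager's own owner scoping still reaches the auditor branch is decided by SQL precedence rather than by the code; the trailing `whereHas('respondent', …)` at L26 looks like a workaround for exactly that. Wrap the two alternatives in one `where(function (Builder $q) { … })` so they combine with AND against the rest of the query, as sketched below; if the relationship query already constrains `respondent_id` to the owner record, which is what a relation manager's base query normally does, the extra `respondent` clause then becomes redundant — keep it outside the group if you are not sure. `auth()->user()->teams()->first()` is also resolved inside each `whereHas` closure, i.e. twice per render; resolving the key once makes the two identical queries go away and makes it visible that only the user's first team is consulted. The untyped `function($query)` on L20 should be `function (Builder $query): void`; `table()` continues past the hunk.
```php
->modifyQueryUsing(function (Builder $query): void {
    $teamId = auth()->user()->teams()->first()?->getKey();

    $query->when(! auth()->user()->hasRole('authorization.super_admin'), function (Builder $q) use ($teamId): void {
        $q->where(function (Builder $q) use ($teamId): void {
            $q->whereHas('priority.type.managers', fn (Builder $query) => $query->where('teams.id', $teamId))
                ->orWhereHas('priority.type.auditors', fn (Builder $query) => $query->where('teams.id', $teamId));
        });
    });
})
// … unchanged: ->columns([...]) …
```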
Expand Up @@ -83,7 +83,14 @@ public function form(Form $form): Form
Grid::make()
->schema([
Select::make('type_id')
->options(ServiceRequestType::pluck('name', 'id'))
->options(ServiceRequestType::when(!auth()->user()->hasRole('authorization.super_admin'),function(Builder $query){
$query->whereHas('managers', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
})->orWhereHas('auditors', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
});
})
->pluck('name', 'id'))
->afterStateUpdated(fn (Set $set) => $set('priority_id', null))
->label('Type')
->required()
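Review bot: The manager/auditor filter at L41–L48 is the same `whereHas('managers', …)->orWhereHas('auditors', …)` block that EditServiceRequest (L58–L64) and the policy in this commit repeat, each resolving `auth()->user()->teams()->first()` separately inside two closures; a query scope on `ServiceRequestType` along the lines of `scopeManagedOrAuditedBy(Builder $query, ?string $teamId)` that groups the two `whereHas` calls inside one `where(function …)` would keep the copies in step and make the OR grouping explicit. Note that this filter only narrows what the Select offers: the `create` policy added in the same commit checks that the team manages or audits some type, not the submitted `type_id`, so unless this Filament version validates the Select value against `options()` on submit, a hand-built request can still pick a type outside the user's set — worth a test either way. Style: `function(Builder $query){` should read `function (Builder $query): void {`. `form()` starts and ends outside the hunk.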
Expand Up @@ -99,6 +99,13 @@ public function form(Form $form): Form
fn (ServiceRequest $record) => ServiceRequestType::withTrashed()
->whereKey($record->priority?->type_id)
->orWhereNull('deleted_at')
->when(!auth()->user()->hasRole('authorization.super_admin'),function(Builder $query){
$query->whereHas('managers', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
})->orWhereHas('auditors', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
});
})
->orderBy('name')
->pluck('name', 'id')
)
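Review bot: The `when(...)` at L58–L64 appends `whereHas('managers') OR whereHas('auditors')` without a nested group onto a query that already ends in `whereKey(...) OR whereNull('deleted_at')`, so under SQL precedence the WHERE clause becomes `key = ? OR (deleted_at IS NULL AND managers) OR auditors`: teams that audit a type see its soft-deleted rows (the query is `withTrashed()`), while teams that manage it do not. Group each pair with `where(function (Builder $q) { … })` so the two conditions combine with AND, as below; if the record's current type must stay selectable regardless of team, move the `whereKey` back out as an `orWhere` on the outer query. `form()` starts and ends outside the hunk.
```php
fn (ServiceRequest $record) => ServiceRequestType::withTrashed()
    ->where(function (Builder $query) use ($record): void {
        $query->whereKey($record->priority?->type_id)
            ->orWhereNull('deleted_at');
    })
    ->when(! auth()->user()->hasRole('authorization.super_admin'), function (Builder $query): void {
        $teamId = auth()->user()->teams()->first()?->getKey();

        $query->where(function (Builder $query) use ($teamId): void {
            $query->whereHas('managers', fn (Builder $q) => $q->where('teams.id', $teamId))
                ->orWhereHas('auditors', fn (Builder $q) => $q->where('teams.id', $teamId));
        });
    })
    // … unchanged: ->orderBy('name')->pluck('name', 'id') …
```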
Expand Up @@ -36,6 +36,7 @@

namespace AidingApp\ServiceManagement\Filament\Resources\ServiceRequestResource\Pages;

use AidingApp\Assistant\Models\PromptType;
use Filament\Tables\Table;
use Filament\Actions\CreateAction;
use AidingApp\Contact\Models\Contact;
Expand All @@ -57,6 +58,7 @@
use AidingApp\ServiceManagement\Models\ServiceRequestPriority;
use AidingApp\ServiceManagement\Enums\SystemServiceRequestClassification;
use AidingApp\ServiceManagement\Filament\Resources\ServiceRequestResource;
use Filament\Notifications\Notification;

class ListServiceRequests extends ListRecords
{
Expand All @@ -75,13 +77,13 @@ public function table(Table $table): Table
],
'status',
])
->when(! auth()->user()->hasRole('authorization.super_admin'), function (Builder $q) {
return $q->whereHas('priority.type.managers', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
})->orWhereHas('priority.type.auditors', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
});
}))
->when(! auth()->user()->hasRole('authorization.super_admin'), function (Builder $q) {
return $q->whereHas('priority.type.managers', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
})->orWhereHas('priority.type.auditors', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
});
}))
->columns([
IdColumn::make(),
TextColumn::make('service_request_number')
Expand Down Expand Up @@ -146,7 +148,26 @@ public function table(Table $table): Table
])
->bulkActions([
BulkActionGroup::make([
DeleteBulkAction::make(),
DeleteBulkAction::make()
->action(function ($records) {
$deletedRecordsCount = ServiceRequest::query()
->whereKey($records)
->when(!auth()->user()->hasRole('authorization.super_admin'), function (Builder $q) {
return $q->whereHas('priority.type.managers', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
})->orWhereHas('priority.type.auditors', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
});
})
->delete();

Notification::make()
->title('Deleted ' . $deletedRecordsCount . ' prompt types')
->body(($deletedRecordsCount < $records->count()) ? ($records->count() - $deletedRecordsCount) . ' service requests were not deleted because you\'re not an auditor or manager of it.' : null)
->success()
->send();
})
->fetchSelectedRecords(false),
]),
])
->defaultSort('created_at', 'desc')
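Review bot: The success notification at L126 is titled `'Deleted ' . $deletedRecordsCount . ' prompt types'` on a ServiceRequest bulk action, and the new `use AidingApp\Assistant\Models\PromptType;` at L74 is referenced nowhere in the section — both read as residue from copying the PromptType resource; change the title to `'Deleted ' . $deletedRecordsCount . ' service requests'` and drop the import. Beyond wording, `ServiceRequest::query()->whereKey($records)->…->delete()` at L114–L123 is a mass delete: it does not fire the model's `deleting`/`deleted` events or observers, and it never consults the policy's `delete` method, so the `service_request.*.delete` ability that single-record deletion goes through is not checked here — the manager/auditor filter is re-implemented inline instead and will drift from the policy when that changes. If the per-record hooks and ability check matter, iterate the filtered query (`->get()->each->delete()`, guarding each with `Gate::authorize('delete', $record)`); if they are intentionally skipped, say so in a comment above the action. The hunk at L86–L106 is a whitespace-only re-indent of the existing `when(...)` and needs nothing.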
Expand Up @@ -96,6 +96,14 @@ public function view(Authenticatable $authenticatable, ServiceRequest $serviceRe

public function create(Authenticatable $authenticatable): Response
{
if (! auth()->user()->hasRole('authorization.super_admin')) {
$team = auth()->user()->teams()->first();

if (!$team?->managableServiceRequestTypes()->exists() && !$team?->auditableServiceRequestTypes()->exists()) {
return Response::deny("You don't have permission to view this service request because you're not an auditor or manager.");
}
}

return $authenticatable->canOrElse(
abilities: 'service_request.create',
denyResponse: 'You do not have permission to create service requests.'
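Review bot: Every new block (L141, L156, L175, L194, L213) reads `auth()->user()` even though each policy method receives the principal as `$authenticatable`, so an ability evaluated through `Gate::forUser($other)`, from a job, or during impersonation is checked against the session user rather than the account passed in; use `$authenticatable->hasRole(...)` and `$authenticatable->teams()` throughout, which the existing `canOrElse` call on the same object already implies is the project user model. The deny message at L145 says "view this service request" inside `create` — `return Response::deny("You don't have permission to create service requests because you're not an auditor or manager.");`. In `update`/`delete`/`restore`/`forceDelete` the first `if` (deny when the type has no managers and no auditors at all) is implied by the second (`contains('id', $team?->getKey())` is false on an empty collection), and the second loads every manager and auditor team just to test one key; the four copies collapse into one private helper, sketched below, that filters on `teams.id` directly (`ServiceRequestType` needs importing if the policy does not already). `teams()->first()` without an ordering also means a user on several teams is judged by whichever team the database returns first — presumably accepted for now, but worth a comment. Each method's closing lines lie outside its hunk.
```php
/**
 * Whether the principal may act on service requests of the given type as a
 * manager or auditor of that type; super admins always may.
 */
private function isManagerOrAuditorOf(Authenticatable $authenticatable, ?ServiceRequestType $type): bool
{
    if ($authenticatable->hasRole('authorization.super_admin')) {
        return true;
    }

    $teamId = $authenticatable->teams()->first()?->getKey();

    if ($type === null || $teamId === null) {
        return false;
    }

    return $type->managers()->where('teams.id', $teamId)->exists()
        || $type->auditors()->where('teams.id', $teamId)->exists();
}

// in update(), replacing L156–L166; delete()/restore()/forceDelete() likewise
if (! $this->isManagerOrAuditorOf($authenticatable, $serviceRequest->priority?->type)) {
    return Response::deny("You don't have permission to update this service request because you're not an auditor or manager.");
}
```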
Expand All @@ -112,6 +120,18 @@ public function update(Authenticatable $authenticatable, ServiceRequest $service
return Response::deny('Closed service request cannot be edited.');
}

if (! auth()->user()->hasRole('authorization.super_admin')) {
$team = auth()->user()->teams()->first();

if (! $serviceRequest?->priority?->type?->managers()->exists() && ! $serviceRequest?->priority?->type?->auditors()->exists()) {
return Response::deny("You don't have permission to update this service request because you're not an auditor or manager.");
}

if (! $serviceRequest?->priority?->type?->managers->contains('id', $team?->getKey()) && ! $serviceRequest?->priority?->type?->auditors->contains('id', $team?->getKey())) {
return Response::deny("You don't have permission to update this service request because you're not an auditor or manager.");
}
}

return $authenticatable->canOrElse(
abilities: ['service_request.*.update', "service_request.{$serviceRequest->id}.update"],
denyResponse: 'You do not have permission to update this service request.'
Expand All @@ -124,6 +144,18 @@ public function delete(Authenticatable $authenticatable, ServiceRequest $service
return Response::deny('You do not have permission to delete this service request.');
}

if (! auth()->user()->hasRole('authorization.super_admin')) {
$team = auth()->user()->teams()->first();

if (! $serviceRequest?->priority?->type?->managers()->exists() && ! $serviceRequest?->priority?->type?->auditors()->exists()) {
return Response::deny("You don't have permission to delete this service request because you're not an auditor or manager.");
}

if (! $serviceRequest?->priority?->type?->managers->contains('id', $team?->getKey()) && ! $serviceRequest?->priority?->type?->auditors->contains('id', $team?->getKey())) {
return Response::deny("You don't have permission to delete this service request because you're not an auditor or manager.");
}
}

return $authenticatable->canOrElse(
abilities: ['service_request.*.delete', "service_request.{$serviceRequest->id}.delete"],
denyResponse: 'You do not have permission to delete this service request.'
Expand All @@ -136,6 +168,18 @@ public function restore(Authenticatable $authenticatable, ServiceRequest $servic
return Response::deny('You do not have permission to restore this service request.');
}

if (! auth()->user()->hasRole('authorization.super_admin')) {
$team = auth()->user()->teams()->first();

if (! $serviceRequest?->priority?->type?->managers()->exists() && ! $serviceRequest?->priority?->type?->auditors()->exists()) {
return Response::deny("You don't have permission to restore this service request because you're not an auditor or manager.");
}

if (! $serviceRequest?->priority?->type?->managers->contains('id', $team?->getKey()) && ! $serviceRequest?->priority?->type?->auditors->contains('id', $team?->getKey())) {
return Response::deny("You don't have permission to restore this service request because you're not an auditor or manager.");
}
}

return $authenticatable->canOrElse(
abilities: ['service_request.*.restore', "service_request.{$serviceRequest->id}.restore"],
denyResponse: 'You do not have permission to restore this service request.'
Expand All @@ -148,6 +192,18 @@ public function forceDelete(Authenticatable $authenticatable, ServiceRequest $se
return Response::deny('You do not have permission to permanently delete this service request.');
}

if (! auth()->user()->hasRole('authorization.super_admin')) {
$team = auth()->user()->teams()->first();

if (! $serviceRequest?->priority?->type?->managers()->exists() && ! $serviceRequest?->priority?->type?->auditors()->exists()) {
return Response::deny("You don't have permission to permanently delete this service request because you're not an auditor or manager.");
}

if (! $serviceRequest?->priority?->type?->managers->contains('id', $team?->getKey()) && ! $serviceRequest?->priority?->type?->auditors->contains('id', $team?->getKey())) {
return Response::deny("You don't have permission to permanently delete service request because you're not an auditor or manager.");
}
}

return $authenticatable->canOrElse(
abilities: ['service_request.*.force-delete', "service_request.{$serviceRequest->id}.force-delete"],
denyResponse: 'You do not have permission to permanently delete this service request.'
Expand Up @@ -56,6 +56,8 @@
use AidingApp\ServiceManagement\Filament\Resources\ServiceRequestResource;
use AidingApp\ServiceManagement\Tests\RequestFactories\CreateServiceRequestRequestFactory;
use AidingApp\ServiceManagement\Filament\Resources\ServiceRequestResource\Pages\CreateServiceRequest;
use AidingApp\ServiceManagement\Models\ServiceRequestType;
use AidingApp\Team\Models\Team;

test('A successful action on the CreateServiceRequest page', function () {
asSuperAdmin()
Expand Down Expand Up @@ -141,14 +143,25 @@
test('CreateServiceRequest is gated with proper access control', function () {
$user = User::factory()->licensed(LicenseType::cases())->create();

$team = Team::factory()->create();

$user->teams()->attach($team);

$user->refresh();

actingAs($user)
->get(
ServiceRequestResource::getUrl('create')
)->assertForbidden();


livewire(CreateServiceRequest::class)
->assertForbidden();

$serviceRequestType = ServiceRequestType::factory()->create();

$serviceRequestType->auditors()->attach($team);

$user->givePermissionTo('service_request.view-any');
$user->givePermissionTo('service_request.create');

Expand Down Expand Up @@ -201,6 +214,12 @@

$user = User::factory()->licensed(LicenseType::cases())->create();

$team = Team::factory()->create();

$user->teams()->attach($team);

$user->refresh();

actingAs($user)
->get(
ServiceRequestResource::getUrl('create')
Expand All @@ -216,6 +235,10 @@

$settings->save();

$serviceRequestType = ServiceRequestType::factory()->create();

$serviceRequestType->auditors()->attach($team);

actingAs($user)
->get(
ServiceRequestResource::getUrl('create')
Expand All @@ -239,3 +262,41 @@

expect($serviceRequest->division->id)->toEqual($request['division_id']);
});

test('cannot create service requests if user is not an auditor or manager of the service request type',function(){

$settings = app(LicenseSettings::class);

$settings->data->addons->serviceManagement = false;

$settings->save();

$user = User::factory()->licensed(LicenseType::cases())->create();

$team = Team::factory()->create();

$user->teams()->attach($team);

$user->refresh();

actingAs($user)
->get(
ServiceRequestResource::getUrl('create')
)->assertForbidden();

$user->givePermissionTo('service_request.view-any');
$user->givePermissionTo('service_request.create');

$settings->data->addons->serviceManagement = true;

$settings->save();

livewire(CreateServiceRequest::class)
->assertForbidden();

actingAs($user)
->get(
ServiceRequestResource::getUrl('create')
)->assertForbidden();

});
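Review bot: The new test at L294–L330 only covers a user with no manager or auditor relation, and the earlier gated test (L258–L260) attaches the team as an auditor, so the `managers` branch of the `create` policy added in this commit is not exercised anywhere; add a variant that calls `$serviceRequestType->managers()->attach($team)` and asserts that access is then granted. Within the new test, the first `assertForbidden()` at L310–L313 runs while `serviceManagement` is still `false`, so it passes for the licensing reason and says nothing about the team check the test name promises; drop it or start the test with the addon enabled. Minor: `function(){` on L294 should be `function () {`, and the double blank line at L253–L254 and the blank before the closing `});` at L329 are stray.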

0 comments on commit a7f167f
