

[AIDAPP-301] Prevent users from viewing service requests of types that they are not managers or auditors of (#277)

* Prevent users from viewing service requests of types that they are not managers or auditors of

* removed pysh file

* Resolve suggestions

* chore: fix code style

---------

Co-authored-by: ankit-canyon <ankit-canyon@users.noreply.github.com>
ankit-canyon and ankit-canyon authored Oct 15, 2024
1 parent a08e9ae commit f51ed2c
Showing 4 changed files with 214 additions and 21 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,14 @@ public function table(Table $table): Table
'sla',
],
'status',
]))
])
->when(! auth()->user()->hasRole('authorization.super_admin'), function (Builder $q) {
return $q->whereHas('priority.type.managers', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
})->orWhereHas('priority.type.auditors', function (Builder $query): void {
$query->where('teams.id', auth()->user()->teams()->first()?->getKey());
});
}))
->columns([
IdColumn::make(),
TextColumn::make('service_request_number')
Expand Down
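Review bot: The `orWhereHas('priority.type.auditors', …)` on L37 is chained at the top level of the builder rather than inside a grouping closure, so if anything else constrains this query (a table filter, a scope, or the organization restriction the existing test in this commit asserts on), SQL precedence turns it into `(other AND managers) OR auditors` and the auditor branch escapes the other constraint. Wrap both `whereHas` calls in `$q->where(function (Builder $query) { … })` so the two EXISTS clauses form one parenthesised predicate. The filter also keys only on `auth()->user()->teams()->first()`, evaluated twice, so a user whose non-first team manages or audits a type sees nothing; if users can belong to several teams (I cannot tell from here), compare against `whereIn('teams.id', $teamIds)` with the ids plucked once. The `modifyQueryUsing` closure and the `table()` method this sits in begin and end outside the hunk.

```php
->when(! auth()->user()->hasRole('authorization.super_admin'), function (Builder $q) {
    $teamIds = auth()->user()->teams()->pluck('teams.id');

    // Group the two EXISTS clauses so the OR cannot bypass any other constraint on $q.
    return $q->where(function (Builder $query) use ($teamIds): void {
        $query->whereHas('priority.type.managers', fn (Builder $m) => $m->whereIn('teams.id', $teamIds))
            ->orWhereHas('priority.type.auditors', fn (Builder $a) => $a->whereIn('teams.id', $teamIds));
    });
}))
```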
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,18 @@ public function view(Authenticatable $authenticatable, ServiceRequest $serviceRe
return Response::deny('You do not have permission to view this service request.');
}

if (! auth()->user()->hasRole('authorization.super_admin')) {
$team = auth()->user()->teams()->first();

if (! $serviceRequest?->priority?->type?->managers()->exists() && ! $serviceRequest?->priority?->type?->auditors()->exists()) {
return Response::deny("You don't have permission to view this service request because you're not an auditor or manager.");
}

if (! $serviceRequest?->priority?->type?->managers->contains('id', $team?->getKey()) && ! $serviceRequest?->priority?->type?->auditors->contains('id', $team?->getKey())) {
return Response::deny("You don't have permission to view this service request because you're not an auditor or manager.");
}
}

return $authenticatable->canOrElse(
abilities: ['service_request.*.view', "service_request.{$serviceRequest->id}.view"],
denyResponse: 'You do not have permission to view this service request.'
Expand Down
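Review bot: The new block on L50–L60 authorizes against `auth()->user()` instead of the `$authenticatable` the policy method receives, so a check run via `Gate::forUser($someone)->allows('view', …)`, or from a queued job or console command where no user is authenticated, is evaluated against the wrong principal or fails on `null->hasRole()`; use `if (! $authenticatable->hasRole('authorization.super_admin')) {` and `$team = $authenticatable->teams()->first();`, matching the `$authenticatable->canOrElse(...)` call that follows. The `exists()` check on L53 is subsumed by the `contains()` check on L57 (a type with no managers or auditors contains no team either) and can be dropped, and the `?->` on `$serviceRequest` is redundant since the parameter is non-nullable. As in the list filter, only `teams()->first()` is consulted, so membership via a second team is ignored — presumably unintended if users can hold several teams, but I cannot confirm that from here. The `view()` method starts and ends outside the hunk.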
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
*/

use App\Models\User;
use AidingApp\Team\Models\Team;

use function Tests\asSuperAdmin;

Expand All @@ -46,6 +47,8 @@
use AidingApp\Contact\Models\Contact;
use AidingApp\Contact\Models\Organization;
use AidingApp\ServiceManagement\Models\ServiceRequest;
use AidingApp\ServiceManagement\Models\ServiceRequestType;
use AidingApp\ServiceManagement\Models\ServiceRequestPriority;
use AidingApp\ServiceManagement\Models\ServiceRequestAssignment;
use AidingApp\ServiceManagement\Filament\Resources\ServiceRequestResource;
use AidingApp\ServiceManagement\Filament\Resources\ServiceRequestResource\Pages\ListServiceRequests;
Expand Down Expand Up @@ -164,3 +167,87 @@
)
->assertCanNotSeeTableRecords($serviceRequestsNotInOrganization);
});

test('service requests only visible to service request type managers', function () {
$settings = app(LicenseSettings::class);

$settings->data->addons->serviceManagement = true;

$settings->save();

$user = User::factory()->licensed([Contact::getLicenseType()])->create();

$user->givePermissionTo('service_request.view-any');

$team = Team::factory()->create();

$user->teams()->attach($team);

$user->refresh();

actingAs($user);

$serviceRequests = ServiceRequest::factory()
->count(3)
->create();

$serviceRequestType = ServiceRequestType::factory()->create();

$serviceRequestType->managers()->attach($team);

$serviceRequestsWithManager = ServiceRequest::factory()->state([
'priority_id' => ServiceRequestPriority::factory()->create([
'type_id' => $serviceRequestType->getKey(),
])->getKey(),
])
->count(3)
->create();

livewire(ListServiceRequests::class)
->assertCanSeeTableRecords(
$serviceRequestsWithManager
)
->assertCanNotSeeTableRecords($serviceRequests);
});

test('service requests only visible to service request type auditors', function () {
$settings = app(LicenseSettings::class);

$settings->data->addons->serviceManagement = true;

$settings->save();

$user = User::factory()->licensed([Contact::getLicenseType()])->create();

$user->givePermissionTo('service_request.view-any');

$team = Team::factory()->create();

$user->teams()->attach($team);

$user->refresh();

actingAs($user);

$serviceRequests = ServiceRequest::factory()
->count(3)
->create();

$serviceRequestType = ServiceRequestType::factory()->create();

$serviceRequestType->auditors()->attach($team);

$serviceRequestsWithAuditors = ServiceRequest::factory()->state([
'priority_id' => ServiceRequestPriority::factory()->create([
'type_id' => $serviceRequestType->getKey(),
])->getKey(),
])
->count(3)
->create();

livewire(ListServiceRequests::class)
->assertCanSeeTableRecords(
$serviceRequestsWithAuditors
)
->assertCanNotSeeTableRecords($serviceRequests);
});
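Review bot: Both new tests give the user exactly one team and attach that team to the type, so neither exercises a user with no team or with several teams; with the list filter keyed on `teams()->first()`, a second team that manages the type currently yields no rows, and a test would pin whichever behaviour is intended. Add a case that attaches two teams and makes only the second one a manager (asserting visibility, or invisibility if single-team membership is the rule), and a no-team case asserting `->assertCanNotSeeTableRecords($serviceRequestsWithManager)`. The super-admin bypass of the type restriction is also untested here; a short `asSuperAdmin($user)` variant asserting all six records are visible would cover it.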
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@
*/

use App\Models\User;
use AidingApp\Team\Models\Team;

use function Tests\asSuperAdmin;

Expand All @@ -43,9 +44,12 @@
use function Pest\Laravel\actingAs;
use function Pest\Livewire\livewire;

use AidingApp\Contact\Models\Contact;
use AidingApp\Authorization\Enums\LicenseType;
use AidingApp\ServiceManagement\Models\ServiceRequest;
use AidingApp\ServiceManagement\Models\ServiceRequestType;
use AidingApp\ServiceManagement\Models\ServiceRequestStatus;
use AidingApp\ServiceManagement\Models\ServiceRequestPriority;
use AidingApp\ServiceManagement\Enums\SystemServiceRequestClassification;
use AidingApp\ServiceManagement\Filament\Resources\ServiceRequestResource;
use AidingApp\ServiceManagement\Filament\Resources\ServiceRequestResource\Pages\ManageAssignments;
Expand Down Expand Up @@ -89,15 +93,7 @@

$serviceRequest = ServiceRequest::factory()->create();

actingAs($user)
->get(
ServiceRequestResource::getUrl('view', [
'record' => $serviceRequest,
])
)->assertForbidden();

$user->givePermissionTo('service_request.view-any');
$user->givePermissionTo('service_request.*.view');
asSuperAdmin($user);

actingAs($user)
->get(
Expand All @@ -116,12 +112,9 @@

$user = User::factory()->licensed(LicenseType::cases())->create();

$user->givePermissionTo('service_request.view-any');
$user->givePermissionTo('service_request.*.view');

$serviceRequest = ServiceRequest::factory()->create();

actingAs($user)
asSuperAdmin($user)
->get(
ServiceRequestResource::getUrl('view', [
'record' => $serviceRequest,
Expand All @@ -143,17 +136,12 @@
test('service request lock icon is shown when status classification closed', function (string $pages) {
$user = User::factory()->licensed(LicenseType::cases())->create();

$user->givePermissionTo('service_request.view-any');
$user->givePermissionTo('service_request.*.view');
$user->givePermissionTo('service_request_assignment.view-any');
$user->givePermissionTo('service_request_update.view-any');

actingAs($user);
asSuperAdmin($user);

$serviceRequest = ServiceRequest::factory([
'status_id' => ServiceRequestStatus::factory()->create([
'classification' => SystemServiceRequestClassification::Closed,
])->id,
])->getKey(),
])->create();

livewire($pages, [
Expand All @@ -166,3 +154,102 @@
ManageAssignments::class,
ManageServiceRequestUpdate::class,
]);

test('service requests not authorized if user is not an auditor or manager of the service request type', function () {
$settings = app(LicenseSettings::class);

$settings->data->addons->serviceManagement = true;

$settings->save();

$user = User::factory()->licensed([Contact::getLicenseType()])->create();

$user->givePermissionTo('service_request.view-any');
$user->givePermissionTo('service_request.*.view');

$user->refresh();

actingAs($user);

$serviceRequest = ServiceRequest::factory()
->create();

livewire(ViewServiceRequest::class, [
'record' => $serviceRequest->getRouteKey(),
])
->assertForbidden();
});

test('view service request page visible if the user is an auditor of the service request type', function () {
$settings = app(LicenseSettings::class);

$settings->data->addons->serviceManagement = true;

$settings->save();

$user = User::factory()->licensed([Contact::getLicenseType()])->create();

$user->givePermissionTo('service_request.view-any');
$user->givePermissionTo('service_request.*.view');

$team = Team::factory()->create();

$user->teams()->attach($team);

$user->refresh();

actingAs($user);

$serviceRequestType = ServiceRequestType::factory()->create();

$serviceRequestType->auditors()->attach($team);

$serviceRequestsWithAuditor = ServiceRequest::factory()->state([
'priority_id' => ServiceRequestPriority::factory()->create([
'type_id' => $serviceRequestType->getKey(),
])->getKey(),
])
->create();

livewire(ViewServiceRequest::class, [
'record' => $serviceRequestsWithAuditor->getRouteKey(),
])
->assertSuccessful();
});

test('view service request page visible if the user is a manager of the service request type', function () {
$settings = app(LicenseSettings::class);

$settings->data->addons->serviceManagement = true;

$settings->save();

$user = User::factory()->licensed([Contact::getLicenseType()])->create();

$user->givePermissionTo('service_request.view-any');
$user->givePermissionTo('service_request.*.view');

$team = Team::factory()->create();

$user->teams()->attach($team);

$user->refresh();

actingAs($user);

$serviceRequestType = ServiceRequestType::factory()->create();

$serviceRequestType->managers()->attach($team);

$serviceRequestsWithManager = ServiceRequest::factory()->state([
'priority_id' => ServiceRequestPriority::factory()->create([
'type_id' => $serviceRequestType->getKey(),
])->getKey(),
])
->create();

livewire(ViewServiceRequest::class, [
'record' => $serviceRequestsWithManager->getRouteKey(),
])
->assertSuccessful();
});
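Review bot: The new negative test at L250–L273 uses a user with no team at all, so it cannot distinguish "no team" from "team that is neither manager nor auditor", which is the case the policy's `contains()` check is meant to reject; attach a `Team::factory()->create()` that is not linked to the type before `->assertForbidden()`. Separately, the earlier tests at L194–L224 were switched from explicit `service_request.view-any` / `service_request.*.view` grants to `asSuperAdmin($user)`, and the dropped `assertForbidden()` step for an unpermissioned user is not re-added elsewhere, so the permission-based deny path of `view()` is no longer covered by this file; a variant with a manager team but without the `service_request.*.view` grant, asserting forbidden, would restore it without relying on the super-admin bypass.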
