Merge pull request #11 from Lomkit/feature/no-authorization

GautierDele · web-flow · commit 0c73df69fb98 · 2023-08-13T19:13:37.000+02:00
Feature/disable authorization
diff --git a/README.md b/README.md
@@ -92,5 +92,4 @@ TODO
 - Custom directives (Filters / sorting)
 - Actions / Metrics
 - Automatic documentation with extension possible
-- Add the possibility to disable authorization
 - Refactor the response class
diff --git a/config/rest.php b/config/rest.php
@@ -25,4 +25,18 @@
             'authorized_to_force_delete' => 'authorized_to_force_delete',
         ]
     ],
+
+    /*
+|--------------------------------------------------------------------------
+| Rest Authorizations
+|--------------------------------------------------------------------------
+|
+| This is the feature that automatically binds to policies to validate incoming requests.
+| Laravel Rest Api will validate each models searched / mutated / deleted to avoid leaks in your API.
+|
+*/
+
+    'authorizations' => [
+        'enabled' => true
+    ],
 ];
diff --git a/src/Concerns/Authorizable.php b/src/Concerns/Authorizable.php
@@ -18,7 +18,9 @@ trait Authorizable
      */
     public function authorizeTo($ability, $model)
     {
-        Gate::authorize($ability, $model);
+        if ($this->isAuthorizingEnabled()) {
+            Gate::authorize($ability, $model);
+        }
     }
 
     /**
@@ -30,6 +32,9 @@ public function authorizeTo($ability, $model)
      */
     public function authorizedTo($ability, $model)
     {
-        return Gate::check($ability, $model);
+        if ($this->isAuthorizingEnabled()) {
+            return Gate::check($ability, $model);
+        }
+        return true;
     }
 }
diff --git a/src/Concerns/PerformsRestOperations.php b/src/Concerns/PerformsRestOperations.php
@@ -55,7 +55,7 @@ public function destroy(DestroyRequest $request) {
             ->get();
 
         foreach ($models as $model) {
-            $this->authorizeTo('delete', $model);
+            self::newResource()->authorizeTo('delete', $model);
 
             $resource->performDelete($request, $model);
         }
@@ -76,7 +76,7 @@ public function restore(RestoreRequest $request) {
             ->get();
 
         foreach ($models as $model) {
-            $this->authorizeTo('restore', $model);
+            self::newResource()->authorizeTo('restore', $model);
 
             $resource->performRestore($request, $model);
         }
@@ -97,7 +97,7 @@ public function forceDelete(ForceDestroyRequest $request) {
             ->get();
 
         foreach ($models as $model) {
-            $this->authorizeTo('forceDelete', $model);
+            self::newResource()->authorizeTo('forceDelete', $model);
 
             $resource->performForceDelete($request, $model);
         }
diff --git a/src/Concerns/Resource/DisableAuthorizations.php b/src/Concerns/Resource/DisableAuthorizations.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace Lomkit\Rest\Concerns\Resource;
+
+trait DisableAuthorizations
+{
+    public function isAuthorizingEnabled() : bool {
+        return false;
+    }
+}
diff --git a/src/Http/Controllers/Controller.php b/src/Http/Controllers/Controller.php
@@ -4,6 +4,7 @@
 
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Facades\Gate;
 use Lomkit\Rest\Concerns\Authorizable;
 use Lomkit\Rest\Concerns\PerformsModelOperations;
 use Lomkit\Rest\Concerns\PerformsRestOperations;
@@ -15,8 +16,7 @@
 
 abstract class Controller extends \Illuminate\Routing\Controller
 {
-    use PerformsRestOperations,
-        Authorizable;
+    use PerformsRestOperations;
 
     /**
      * The resource the entry corresponds to.
@@ -39,4 +39,6 @@ public static function newResource(): Resource
 
         return new $resource;
     }
+
+    //@TODO: are controllers useless in a certain way ??
 }
diff --git a/src/Http/Resource.php b/src/Http/Resource.php
@@ -3,6 +3,7 @@
 namespace Lomkit\Rest\Http;
 
 use Illuminate\Database\Eloquent\Model;
+use Lomkit\Rest\Concerns\Authorizable;
 use Lomkit\Rest\Concerns\PerformsModelOperations;
 use Lomkit\Rest\Concerns\PerformsQueries;
 use Lomkit\Rest\Concerns\Resource\ConfiguresRestParameters;
@@ -18,7 +19,8 @@ class Resource
         Relationable,
         Paginable,
         Rulable,
-        ConfiguresRestParameters;
+        ConfiguresRestParameters,
+        Authorizable;
 
     /**
      * The model the entry corresponds to.
@@ -69,4 +71,8 @@ public function defaultOrderBy(RestRequest $request) {
     public function isAutomaticGatingEnabled() : bool {
         return config('rest.automatic_gates.enabled');
     }
+
+    public function isAuthorizingEnabled() : bool {
+        return config('rest.authorizations.enabled');
+    }
 }
diff --git a/src/Query/Builder.php b/src/Query/Builder.php
@@ -6,26 +6,20 @@
 use Illuminate\Support\Str;
 use Illuminate\Support\Traits\Conditionable;
 use Illuminate\Support\Traits\Tappable;
-use Lomkit\Rest\Concerns\Authorizable;
 use Lomkit\Rest\Contracts\QueryBuilder;
 use Lomkit\Rest\Http\Controllers\Controller;
 use Lomkit\Rest\Http\Requests\RestRequest;
 use Lomkit\Rest\Http\Resource;
 use Lomkit\Rest\Query\Traits\PerformMutation;
 use Lomkit\Rest\Query\Traits\PerformSearch;
-use Lomkit\Rest\Relations\BelongsTo;
-use Lomkit\Rest\Relations\BelongsToMany;
-use Lomkit\Rest\Relations\HasMany;
-use Lomkit\Rest\Relations\HasOne;
 use RuntimeException;
 
 class Builder implements QueryBuilder
 {
     use Tappable,
         Conditionable,
         PerformSearch,
-        PerformMutation,
-        Authorizable;
+        PerformMutation;
 
     /**
      * Construct a new query builder for a resource.
diff --git a/src/Query/Traits/PerformMutation.php b/src/Query/Traits/PerformMutation.php
@@ -41,7 +41,7 @@ public function applyMutation(array $mutation = [], $attributes = []) {
         if ($mutation['operation'] === 'create') {
             $model = $this->resource::newModel();
 
-            $this->authorizeTo('create', $model);
+            $this->resource->authorizeTo('create', $model);
 
             return $this->mutateModel(
                 $model,
@@ -53,7 +53,7 @@ public function applyMutation(array $mutation = [], $attributes = []) {
         if ($mutation['operation'] === 'update') {
             $model = $this->resource::newModel()::find($mutation['key']);
 
-            $this->authorizeTo('update', $model);
+            $this->resource->authorizeTo('update', $model);
 
             return $this->mutateModel(
                 $model,
diff --git a/src/Query/Traits/PerformSearch.php b/src/Query/Traits/PerformSearch.php
@@ -11,7 +11,7 @@
 trait PerformSearch
 {
     public function search(array $parameters = []) {
-        $this->authorizeTo('viewAny', $this->resource::$model);
+        $this->resource->authorizeTo('viewAny', $this->resource::$model);
 
         $this->resource->searchQuery(app()->make(RestRequest::class), $this->queryBuilder);
 
diff --git a/tests/Feature/Controllers/AutomaticGatingTest.php b/tests/Feature/Controllers/AutomaticGatingTest.php
@@ -71,6 +71,30 @@ public function test_searching_automatic_gated_resource(): void
         );
     }
 
+    public function test_searching_automatic_gated_resource_with_global_config_disabled(): void
+    {
+        $model = ModelFactory::new()
+            ->create();
+
+        Gate::policy(Model::class, GreenPolicy::class);
+
+        config(['rest.automatic_gates.enabled' => false]);
+
+        $response = $this->post(
+            '/api/automatic-gating/search',
+            [
+
+            ],
+            ['Accept' => 'application/json']
+        );
+
+        $this->assertResourcePaginated(
+            $response,
+            [$model],
+            new AutomaticGatingResource
+        );
+    }
+
     public function test_searching_automatic_gated_resource_with_create_policy(): void
     {
         $model = ModelFactory::new()
diff --git a/tests/Feature/Controllers/NoAuthorizationTest.php b/tests/Feature/Controllers/NoAuthorizationTest.php
@@ -0,0 +1,128 @@
+<?php
+
+namespace Lomkit\Rest\Tests\Feature\Controllers;
+
+use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\Gate;
+use Lomkit\Rest\Http\Requests\RestRequest;
+use Lomkit\Rest\Tests\Feature\TestCase;
+use Lomkit\Rest\Tests\Support\Database\Factories\BelongsToManyRelationFactory;
+use Lomkit\Rest\Tests\Support\Database\Factories\BelongsToRelationFactory;
+use Lomkit\Rest\Tests\Support\Database\Factories\HasManyRelationFactory;
+use Lomkit\Rest\Tests\Support\Database\Factories\HasOneRelationFactory;
+use Lomkit\Rest\Tests\Support\Database\Factories\ModelFactory;
+use Lomkit\Rest\Tests\Support\Database\Factories\SoftDeletedModelFactory;
+use Lomkit\Rest\Tests\Support\Models\BelongsToManyRelation;
+use Lomkit\Rest\Tests\Support\Models\BelongsToRelation;
+use Lomkit\Rest\Tests\Support\Models\Model;
+use Lomkit\Rest\Tests\Support\Models\SoftDeletedModel;
+use Lomkit\Rest\Tests\Support\Policies\CreatePolicy;
+use Lomkit\Rest\Tests\Support\Policies\DeletePolicy;
+use Lomkit\Rest\Tests\Support\Policies\ForceDeletePolicy;
+use Lomkit\Rest\Tests\Support\Policies\GreenPolicy;
+use Lomkit\Rest\Tests\Support\Policies\RedPolicy;
+use Lomkit\Rest\Tests\Support\Policies\RestorePolicy;
+use Lomkit\Rest\Tests\Support\Policies\UpdatePolicy;
+use Lomkit\Rest\Tests\Support\Policies\ViewPolicy;
+use Lomkit\Rest\Tests\Support\Rest\Resources\AutomaticGatingResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\BelongsToManyResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\BelongsToResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\HasManyResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\HasOneResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\ModelResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\NoAuthorizationResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\NoExposedFieldsResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\SoftDeletedModelResource;
+
+class NoAuthorizationTest extends TestCase
+{
+    public function test_searching_with_global_authorization_disabled(): void
+    {
+        $model = ModelFactory::new()
+            ->create();
+
+        Gate::policy(Model::class, RedPolicy::class);
+
+        config(['rest.authorizations.enabled' => false]);
+
+        $response = $this->post(
+            '/api/models/search',
+            [
+
+            ],
+            ['Accept' => 'application/json']
+        );
+
+        $this->assertResourcePaginated(
+            $response,
+            [$model],
+            new ModelResource
+        );
+    }
+
+    public function test_searching_with_no_authorizations(): void
+    {
+        $model = ModelFactory::new()
+            ->create();
+
+        Gate::policy(Model::class, RedPolicy::class);
+
+        $response = $this->post(
+            '/api/no-authorization/search',
+            [],
+            ['Accept' => 'application/json']
+        );
+
+        $this->assertResourcePaginated(
+            $response,
+            [$model],
+            new NoAuthorizationResource
+        );
+    }
+
+    public function test_mutating_with_no_authorizations(): void
+    {
+        $modelToCreate = ModelFactory::new()->makeOne();
+
+        Gate::policy(Model::class, RedPolicy::class);
+
+        $response = $this->post(
+            '/api/no-authorization/mutate',
+            [
+                'mutate' => [
+                    [
+                        'operation' => 'create',
+                        'attributes' => [
+                            'name' => $modelToCreate->name,
+                            'number' => $modelToCreate->number
+                        ]
+                    ],
+                ],
+            ],
+            ['Accept' => 'application/json']
+        );
+
+        $this->assertMutatedResponse(
+            $response,
+            [$modelToCreate],
+        );
+    }
+
+    public function test_deleting_with_no_authorizations(): void
+    {
+        $model = ModelFactory::new()->count(1)->createOne();
+
+        Gate::policy(Model::class, RedPolicy::class);
+
+        $response = $this->delete(
+            '/api/no-authorization',
+            [
+                'resources' => [$model->getKey()]
+            ],
+            ['Accept' => 'application/json']
+        );
+
+        $this->assertResourceModel($response, [$model], new ModelResource);
+        $this->assertDatabaseMissing('models', $model->only('id'));
+    }
+}
diff --git a/tests/Support/Http/Controllers/NoAuthorizationController.php b/tests/Support/Http/Controllers/NoAuthorizationController.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Lomkit\Rest\Tests\Support\Http\Controllers;
+
+use Lomkit\Rest\Http\Controllers\Controller;
+use Lomkit\Rest\Tests\Support\Rest\Resources\AutomaticGatingResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\NoAuthorizationResource;
+use Lomkit\Rest\Tests\Support\Rest\Resources\NoExposedFieldsResource;
+
+class NoAuthorizationController extends Controller
+{
+    public static $resource = NoAuthorizationResource::class;
+}
diff --git a/tests/Support/Rest/Resources/NoAuthorizationResource.php b/tests/Support/Rest/Resources/NoAuthorizationResource.php
diff --git a/tests/Support/Routes/api.php b/tests/Support/Routes/api.php

Original file line number	Diff line number	Diff line change
`@@ -18,7 +18,9 @@ trait Authorizable`
`18`	`18`	`*/`
`19`	`19`	`public function authorizeTo($ability, $model)`
`20`	`20`	`{`
`21`		`- Gate::authorize($ability, $model);`
	`21`	`+ if ($this->isAuthorizingEnabled()) {`
	`22`	`+ Gate::authorize($ability, $model);`
	`23`	`+ }`
`22`	`24`	`}`
`23`	`25`
`24`	`26`	`/**`
`@@ -30,6 +32,9 @@ public function authorizeTo($ability, $model)`
`30`	`32`	`*/`
`31`	`33`	`public function authorizedTo($ability, $model)`
`32`	`34`	`{`
`33`		`- return Gate::check($ability, $model);`
	`35`	`+ if ($this->isAuthorizingEnabled()) {`
	`36`	`+ return Gate::check($ability, $model);`
	`37`	`+ }`
	`38`	`+ return true;`
`34`	`39`	`}`
`35`	`40`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,7 +55,7 @@ public function destroy(DestroyRequest $request) {`
`55`	`55`	`->get();`
`56`	`56`
`57`	`57`	`foreach ($models as $model) {`
`58`		`- $this->authorizeTo('delete', $model);`
	`58`	`+ self::newResource()->authorizeTo('delete', $model);`
`59`	`59`
`60`	`60`	`$resource->performDelete($request, $model);`
`61`	`61`	`}`
`@@ -76,7 +76,7 @@ public function restore(RestoreRequest $request) {`
`76`	`76`	`->get();`
`77`	`77`
`78`	`78`	`foreach ($models as $model) {`
`79`		`- $this->authorizeTo('restore', $model);`
	`79`	`+ self::newResource()->authorizeTo('restore', $model);`
`80`	`80`
`81`	`81`	`$resource->performRestore($request, $model);`
`82`	`82`	`}`
`@@ -97,7 +97,7 @@ public function forceDelete(ForceDestroyRequest $request) {`
`97`	`97`	`->get();`
`98`	`98`
`99`	`99`	`foreach ($models as $model) {`
`100`		`- $this->authorizeTo('forceDelete', $model);`
	`100`	`+ self::newResource()->authorizeTo('forceDelete', $model);`
`101`	`101`
`102`	`102`	`$resource->performForceDelete($request, $model);`
`103`	`103`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`
`5`	`5`	`use Illuminate\Database\Eloquent\Builder;`
`6`	`6`	`use Illuminate\Database\Eloquent\Model;`
	`7`	`+use Illuminate\Support\Facades\Gate;`
`7`	`8`	`use Lomkit\Rest\Concerns\Authorizable;`
`8`	`9`	`use Lomkit\Rest\Concerns\PerformsModelOperations;`
`9`	`10`	`use Lomkit\Rest\Concerns\PerformsRestOperations;`
`@@ -15,8 +16,7 @@`
`15`	`16`
`16`	`17`	`abstract class Controller extends \Illuminate\Routing\Controller`
`17`	`18`	`{`
`18`		`- use PerformsRestOperations,`
`19`		`- Authorizable;`
	`19`	`+ use PerformsRestOperations;`
`20`	`20`
`21`	`21`	`/**`
`22`	`22`	`* The resource the entry corresponds to.`
`@@ -39,4 +39,6 @@ public static function newResource(): Resource`
`39`	`39`
`40`	`40`	`return new $resource;`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ //@TODO: are controllers useless in a certain way ??`
`42`	`44`	`}`
Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`trait PerformSearch`
`12`	`12`	`{`
`13`	`13`	`public function search(array $parameters = []) {`
`14`		`- $this->authorizeTo('viewAny', $this->resource::$model);`
	`14`	`+ $this->resource->authorizeTo('viewAny', $this->resource::$model);`
`15`	`15`
`16`	`16`	`$this->resource->searchQuery(app()->make(RestRequest::class), $this->queryBuilder);`
`17`	`17`