🐛 could delete unexisting resource

GautierDele · GautierDele · commit 43d66a9c8f6d · 2025-09-18T16:12:14.000+02:00
diff --git a/src/Http/Requests/DestroyRequest.php b/src/Http/Requests/DestroyRequest.php
@@ -2,6 +2,7 @@
 
 namespace Lomkit\Rest\Http\Requests;
 
+use Illuminate\Validation\Rule;
 use Lomkit\Rest\Http\Resource;
 
 class DestroyRequest extends RestRequest
@@ -32,10 +33,15 @@ public function rules()
      */
     public function destroyRules(Resource $resource)
     {
+        $model = $resource::newModel();
+
         return [
             'resources' => [
                 'required', 'array',
             ],
+            'resources.*' => [
+                Rule::exists($model->getTable(), $model->getKeyName())
+            ]
         ];
     }
 }
diff --git a/tests/Feature/Controllers/DeleteOperationsTest.php b/tests/Feature/Controllers/DeleteOperationsTest.php
@@ -56,6 +56,28 @@ public function test_deleting_a_non_authorized_model_with_an_authorized_one(): v
         $this->assertDatabaseHas('models', $modelDeletable->only('id'));
     }
 
+    public function test_deleting_a_not_existing_model(): void
+    {
+        $model = ModelFactory::new()->count(1)->createOne();
+
+        Gate::policy(Model::class, GreenPolicy::class);
+
+        $response = $this->delete(
+            '/api/models',
+            [
+                'resources' => [
+                    'undefined-id',
+                    $model->getKey()
+                ],
+            ],
+            ['Accept' => 'application/json']
+        );
+
+        $response->assertStatus(422);
+        $response->assertExactJsonStructure(['message', 'errors' => ['resources.0']]);
+        $this->assertDatabaseHas('models', $model->only('id'));
+    }
+
     public function test_deleting_a_model(): void
     {
         $model = ModelFactory::new()->count(1)->createOne();
