🐛 destructive operations gates (#184)

GautierDele · web-flow · commit acf80505b75e · 2025-08-02T21:07:10.000+02:00
diff --git a/src/Concerns/PerformsRestOperations.php b/src/Concerns/PerformsRestOperations.php
@@ -140,7 +140,9 @@ public function destroy(DestroyRequest $request)
 
         foreach ($models as $model) {
             self::newResource()->authorizeTo('delete', $model);
+        }
 
+        foreach ($models as $model) {
             $resource->destroying($request, $model);
 
             $resource->performDelete($request, $model);
@@ -177,7 +179,9 @@ public function restore(RestoreRequest $request)
 
         foreach ($models as $model) {
             self::newResource()->authorizeTo('restore', $model);
+        }
 
+        foreach ($models as $model) {
             $resource->restoring($request, $model);
 
             $resource->performRestore($request, $model);
@@ -215,7 +219,9 @@ public function forceDelete(ForceDestroyRequest $request)
 
         foreach ($models as $model) {
             self::newResource()->authorizeTo('forceDelete', $model);
+        }
 
+        foreach ($models as $model) {
             $resource->forceDestroying($request, $model);
 
             $resource->performForceDelete($request, $model);
diff --git a/tests/Feature/Controllers/DeleteOperationsTest.php b/tests/Feature/Controllers/DeleteOperationsTest.php
@@ -10,6 +10,7 @@
 use Lomkit\Rest\Tests\Support\Models\SoftDeletedModel;
 use Lomkit\Rest\Tests\Support\Policies\GreenPolicy;
 use Lomkit\Rest\Tests\Support\Policies\RedPolicy;
+use Lomkit\Rest\Tests\Support\Policies\RedPolicyButForModel;
 use Lomkit\Rest\Tests\Support\Rest\Resources\ModelResource;
 use Lomkit\Rest\Tests\Support\Rest\Resources\SoftDeletedModelResource;
 
@@ -33,6 +34,28 @@ public function test_deleting_a_non_authorized_model(): void
         $response->assertJson(['message' => 'This action is unauthorized.']);
     }
 
+    public function test_deleting_a_non_authorized_model_with_an_authorized_one(): void
+    {
+        $model = ModelFactory::new()->count(1)->createOne();
+        $modelDeletable = ModelFactory::new()->count(1)->createOne();
+
+        RedPolicyButForModel::forModel($modelDeletable);
+        Gate::policy(Model::class, RedPolicyButForModel::class);
+
+        $response = $this->delete(
+            '/api/models',
+            [
+                'resources' => [$model->getKey(), $modelDeletable->getKey()],
+            ],
+            ['Accept' => 'application/json']
+        );
+
+        $response->assertStatus(403);
+        $response->assertJson(['message' => 'This action is unauthorized.']);
+        $this->assertDatabaseHas('models', $model->only('id'));
+        $this->assertDatabaseHas('models', $modelDeletable->only('id'));
+    }
+
     public function test_deleting_a_model(): void
     {
         $model = ModelFactory::new()->count(1)->createOne();
diff --git a/tests/Feature/Controllers/ForceDeleteOperationsTest.php b/tests/Feature/Controllers/ForceDeleteOperationsTest.php
@@ -8,6 +8,7 @@
 use Lomkit\Rest\Tests\Support\Models\SoftDeletedModel;
 use Lomkit\Rest\Tests\Support\Policies\GreenPolicy;
 use Lomkit\Rest\Tests\Support\Policies\RedPolicy;
+use Lomkit\Rest\Tests\Support\Policies\RedPolicyButForModel;
 use Lomkit\Rest\Tests\Support\Rest\Resources\SoftDeletedModelResource;
 
 class ForceDeleteOperationsTest extends TestCase
@@ -30,6 +31,28 @@ public function test_force_deleting_a_non_authorized_model(): void
         $response->assertJson(['message' => 'This action is unauthorized.']);
     }
 
+    public function test_force_deleting_a_non_authorized_model_with_an_authorized_one(): void
+    {
+        $model = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
+        $modelForceDeletable = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
+
+        RedPolicyButForModel::forModel($modelForceDeletable);
+        Gate::policy(SoftDeletedModel::class, RedPolicyButForModel::class);
+
+        $response = $this->delete(
+            '/api/soft-deleted-models/force',
+            [
+                'resources' => [$model->getKey(), $modelForceDeletable->getKey()],
+            ],
+            ['Accept' => 'application/json']
+        );
+
+        $response->assertStatus(403);
+        $response->assertJson(['message' => 'This action is unauthorized.']);
+        $this->assertSoftDeleted($model);
+        $this->assertSoftDeleted($modelForceDeletable);
+    }
+
     public function test_force_deleting_a_soft_deleted_model(): void
     {
         $softDeletedModel = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
diff --git a/tests/Feature/Controllers/RestoreOperationsTest.php b/tests/Feature/Controllers/RestoreOperationsTest.php
@@ -8,6 +8,7 @@
 use Lomkit\Rest\Tests\Support\Models\SoftDeletedModel;
 use Lomkit\Rest\Tests\Support\Policies\GreenPolicy;
 use Lomkit\Rest\Tests\Support\Policies\RedPolicy;
+use Lomkit\Rest\Tests\Support\Policies\RedPolicyButForModel;
 use Lomkit\Rest\Tests\Support\Rest\Resources\SoftDeletedModelResource;
 
 class RestoreOperationsTest extends TestCase
@@ -30,6 +31,34 @@ public function test_restoring_a_non_authorized_model(): void
         $response->assertJson(['message' => 'This action is unauthorized.']);
     }
 
+    public function test_restoring_a_non_authorized_model_with_an_authorized_one(): void
+    {
+        $model = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
+        $modelRestorable = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
+
+        RedPolicyButForModel::forModel($modelRestorable);
+        Gate::policy(SoftDeletedModel::class, RedPolicyButForModel::class);
+
+        $response = $this->post(
+            '/api/soft-deleted-models/restore',
+            [
+                'resources' => [$model->getKey(), $modelRestorable->getKey()],
+            ],
+            ['Accept' => 'application/json']
+        );
+
+        $response->assertStatus(403);
+        $response->assertJson(['message' => 'This action is unauthorized.']);
+        $this->assertNotEquals(
+            null,
+            $modelRestorable->fresh()->deleted_at,
+        );
+        $this->assertNotEquals(
+            null,
+            $model->fresh()->deleted_at,
+        );
+    }
+
     public function test_restoring_a_soft_deleted_model(): void
     {
         $softDeletedModel = SoftDeletedModelFactory::new()->count(1)->trashed()->createOne();
diff --git a/tests/Support/Policies/RedPolicyButForModel.php b/tests/Support/Policies/RedPolicyButForModel.php
@@ -0,0 +1,107 @@
+<?php
+
+namespace Lomkit\Rest\Tests\Support\Policies;
+
+use Illuminate\Auth\Access\HandlesAuthorization;
+use Illuminate\Database\Eloquent\Model;
+
+class RedPolicyButForModel
+{
+    use HandlesAuthorization;
+
+    public static Model $model;
+
+    public static function forModel(Model $model)
+    {
+        static::$model = $model;
+    }
+
+    /**
+     * Determine whether the user can view the list of models.
+     *
+     * @param $user
+     *
+     * @return bool
+     */
+    public function viewAny($user)
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     *
+     * @param       $user
+     * @param Model $model
+     *
+     * @return bool
+     */
+    public function view($user, Model $model)
+    {
+        return static::$model->is($model);
+    }
+
+    /**
+     * Determine whether the user can create models.
+     *
+     * @param $user
+     *
+     * @return bool
+     */
+    public function create($user)
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     *
+     * @param       $user
+     * @param Model $model
+     *
+     * @return bool
+     */
+    public function update($user, Model $model)
+    {
+        return static::$model->is($model);
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     *
+     * @param       $user
+     * @param Model $model
+     *
+     * @return bool
+     */
+    public function delete($user, Model $model)
+    {
+        return static::$model->is($model);
+    }
+
+    /**
+     * Determine whether the user can restore the model.
+     *
+     * @param       $user
+     * @param Model $model
+     *
+     * @return bool
+     */
+    public function restore($user, Model $model)
+    {
+        return static::$model->is($model);
+    }
+
+    /**
+     * Determine whether the user can permanently delete the model.
+     *
+     * @param       $user
+     * @param Model $model
+     *
+     * @return bool
+     */
+    public function forceDelete($user, Model $model)
+    {
+        return static::$model->is($model);
+    }
+}
