From 97ac43e153bcb91d2e64c63cb6cd3536f586dd32 Mon Sep 17 00:00:00 2001
From: Michal
Date: Sat, 13 Apr 2024 15:23:57 +0000
Subject: [PATCH] fix: issue where map owner authed via API key could not publish markers on own map
---
 app/Policies/MarkerPolicy.php | 6 +++---
 tests/Unit/MarkerTest.php | 31 +++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/app/Policies/MarkerPolicy.php b/app/Policies/MarkerPolicy.php
index b8aed2a..17ceb43 100644
--- a/app/Policies/MarkerPolicy.php
+++ b/app/Policies/MarkerPolicy.php
@@ -55,12 +55,12 @@ public function create(?User $user, Map $map, $token = null)
 if ($map->users_can_create_markers == 'yes') {
 return true;
 }
- if ($map->users_can_create_markers == 'only_logged_in') {
- return $user && $user->hasVerifiedEmail() && $user->can('create markers');
- }
 if ($user && $map->user_id == $user->id) {
 return true;
 }
+ if ($map->users_can_create_markers == 'only_logged_in') {
+ return $user && $user->hasVerifiedEmail() && $user->can('create markers');
+ }
 // If the user is a member of the map and has the `can_create_markers` permission, they can create markers
 if ($user && $map->users->contains($user) && $map->users->find($user->id)->pivot->can_create_markers) {
 return true;
diff --git a/tests/Unit/MarkerTest.php b/tests/Unit/MarkerTest.php
index 32f4962..67a12bc 100644
--- a/tests/Unit/MarkerTest.php
+++ b/tests/Unit/MarkerTest.php
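Review bot: With the owner check moved above the `only_logged_in` branch in `MarkerPolicy::create()`, ownership alone now authorises marker creation on such maps, so `hasVerifiedEmail()` and `can('create markers')` are never evaluated for the map owner. If email verification or revoking the `create markers` permission is relied on as a moderation or anti-abuse control, an owner who fails either check can still publish on their own `only_logged_in` map. If that is the intended rule, record it above the owner branch, e.g. `// Owners may always create markers on their own map, regardless of email verification or the global 'create markers' permission.`; if not, the conditions that must still bind owners belong in that branch. The start of `create()` and its handling of `$token` lie outside the hunk, so any earlier guard is not visible here.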
@@ -224,6 +224,37 @@ public function testCreateMarkerOnPrivateMapWithPermission()
 $response->assertStatus(201);
 }
+ /**
+ * Test creating a marker on an unlisted map whre only_logged_in users can create markers, as the map owner.
+ *
+ * @return void
+ */
+ public function testCreateMarkerOnUnlistedMapWithPermission()
+ {
+ $mapOwner = User::factory()->create([
+ 'email_verified_at' => now(),
+ ]);
+
+ $mapOwner->givePermissionTo('create markers');
+
+ $map = new \App\Models\Map();
+ $map->privacy = 'unlisted';
+ $map->users_can_create_markers = 'only_logged_in';
+ $map->user_id = $mapOwner->id;
+ $map->save();
+
+ $this->actingAs($mapOwner, 'api');
+
+ $marker = Marker::factory()->make();
+ $marker['category_name'] = 'Test Category';
+ $marker['lat'] = 40.139;
+ $marker['lng'] = 44.139;
+
+ $response = $this->postJson('/api/maps/' . $map->uuid . '/markers', $marker->toArray());
+
+ $response->assertStatus(201);
+ }
+
 /**
 * An invited user without the `can_create_markers` permission should not be able to create a marker on a private map
 *
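Review bot: `testCreateMarkerOnUnlistedMapWithPermission` gives the owner `'email_verified_at' => now()` and `givePermissionTo('create markers')`, which are exactly the conditions the `only_logged_in` branch required before the reorder, so as far as the diff shows this test would also pass against the old policy and does not pin the fix. To exercise the new ordering, create the owner in the state that previously failed, for example `'email_verified_at' => null` and no `givePermissionTo(...)` call, and still expect 201. Because the policy change widens access, add a companion case asserting that a non-owner without a verified email is still rejected on the same `only_logged_in` map. Whether `actingAs($mapOwner, 'api')` covers the API-key path named in the commit title cannot be confirmed from the hunk. The test name would be clearer with the owner in it (e.g. `...AsOwner`), and the docblock has a typo ("whre").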