feat(user): add user permissions and tests (#78)

Introduce user permissions to the `UserController` with corresponding
tests. Define permissions for each controller function as follows:
- `index()`: `list-users`
- `store()`: `create-users`
- `show()`:
  - For viewing own user: `show-users`
  - For viewing all users: `list-users`
- `update()`:
  - For updating all users: `update-users`
  - For updating own user: `update-users-self`
- `destroy()`: `delete-users`

This update ensures that user controller functions are now restricted
and accessible based on the specified permissions. The associated tests
validate the correct implementation of these permissions.

Signed-off-by: Valentin Sickert <[email protected]>

Author: Lapotor

app/Http/Controllers/UserController.php

@@ -2,13 +2,36 @@
 
 namespace App\Http\Controllers;
 
+use App\Http\Responses\ApiErrorResponse;
 use App\Http\Responses\ApiSuccessResponse;
 use App\Models\User;
+use App\Permissions\UsersPermissions;
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 
 class UserController extends Controller
 {
+
+    /**
+     * UserController constructor.
+     */
+    public function __construct()
+    {
+        /**
+         * Permissions:
+         * - index: list-users
+         * - store: create-users
+         * - show: show-users || list-users
+         * - update-users || update-users-self
+         * - destroy: delete-users
+         */
+        $this->middleware('permission:'.UsersPermissions::CAN_LIST_USERS)->only('index');
+        $this->middleware('permission:'.UsersPermissions::CAN_LIST_USERS.'|'.UsersPermissions::CAN_SHOW_USERS)->only('show');
+        $this->middleware('permission:'.UsersPermissions::CAN_CREATE_USERS)->only('store');
+        $this->middleware('permission:'.UsersPermissions::CAN_UPDATE_USERS.'|'.UsersPermissions::CAN_UPDATE_USERS_SELF)->only('update');
+        $this->middleware('permission:'.UsersPermissions::CAN_DELETE_USERS)->only('destroy');
+    }
+
     /**
      * Display a listing of the resource.
      */
@@ -42,6 +65,12 @@ public function store(Request $request)
      */
     public function show(User $user)
     {
+        /** @var User $authUser */
+        $authUser = auth()->user();
+
+        if(!$authUser->checkPermissionTo(UsersPermissions::CAN_LIST_USERS) && !$authUser->is($user)) {
+            return new ApiErrorResponse("You can only view your own user.", status: Response::HTTP_FORBIDDEN);
+        }
         return new ApiSuccessResponse($user);
     }
 
@@ -56,6 +85,13 @@ public function update(Request $request, User $user)
             'password'  => 'sometimes|required|min:8|confirmed',
         ]);
 
+        /** @var User $authUser */
+        $authUser = auth()->user();
+
+        if($authUser->checkPermissionTo(UsersPermissions::CAN_UPDATE_USERS_SELF) && !$authUser->is($user)) {
+            return new ApiErrorResponse("You can only update your own user.", status: Response::HTTP_FORBIDDEN);
+        }
+
         $user->update($validated);
 
         return new ApiSuccessResponse($user);

app/Permissions/UsersPermissions.php

@@ -0,0 +1,29 @@
+<?php
+
+namespace App\Permissions;
+
+/**
+ * Class UsersPermissions
+ *
+ * This class defines the permissions related to users.
+ */
+class UsersPermissions
+{
+    /** Permission for listing and view all users. */
+    public const CAN_LIST_USERS = 'list-users';
+
+    /** Permission for showing users itself. */
+    public const CAN_SHOW_USERS = 'show-users';
+
+    /** Permission for creating users. */
+    public const CAN_CREATE_USERS = 'create-users';
+
+    /** Permission for updating users. */
+    public const CAN_UPDATE_USERS = 'update-users';
+
+    /** Permission for updating users itself. */
+    public const CAN_UPDATE_USERS_SELF = 'update-users-self';
+
+    /** Permission for deleting users. */
+    public const CAN_DELETE_USERS = 'delete-users';
+}

database/migrations/2023_12_13_214743_add_user_permissions.php

@@ -0,0 +1,71 @@
+<?php
+
+use App\Permissions\UsersPermissions;
+use Carbon\Carbon;
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Support\Facades\DB;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        DB::table('permissions')->insert(
+            [
+                [
+                    'name' => UsersPermissions::CAN_LIST_USERS,
+                    'guard_name' => 'web',
+                    'created_at' => Carbon::now(),
+                    'updated_at' => Carbon::now(),
+                ],
+                [
+                    'name' => UsersPermissions::CAN_SHOW_USERS,
+                    'guard_name' => 'web',
+                    'created_at' => Carbon::now(),
+                    'updated_at' => Carbon::now(),
+                ],
+                [
+                    'name' => UsersPermissions::CAN_CREATE_USERS,
+                    'guard_name' => 'web',
+                    'created_at' => Carbon::now(),
+                    'updated_at' => Carbon::now(),
+                ],
+                [
+                    'name' => UsersPermissions::CAN_UPDATE_USERS,
+                    'guard_name' => 'web',
+                    'created_at' => Carbon::now(),
+                    'updated_at' => Carbon::now(),
+                ],
+                [
+                    'name' => UsersPermissions::CAN_UPDATE_USERS_SELF,
+                    'guard_name' => 'web',
+                    'created_at' => Carbon::now(),
+                    'updated_at' => Carbon::now(),
+                ],
+                [
+                    'name' => UsersPermissions::CAN_DELETE_USERS,
+                    'guard_name' => 'web',
+                    'created_at' => Carbon::now(),
+                    'updated_at' => Carbon::now(),
+                ]
+            ]
+        );
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        DB::table('permissions')->whereIn('name', [
+            UsersPermissions::CAN_LIST_USERS,
+            UsersPermissions::CAN_SHOW_USERS,
+            UsersPermissions::CAN_CREATE_USERS,
+            UsersPermissions::CAN_UPDATE_USERS,
+            UsersPermissions::CAN_UPDATE_USERS_SELF,
+            UsersPermissions::CAN_DELETE_USERS,
+        ])->delete();
+    }
+};