Return 404 if transect to detach does not belong to project

app/Http/Controllers/Api/ProjectTransectController.php

@@ -178,9 +178,9 @@ public function attach($projectId, $transectId)
      */
     public function destroy($projectId, $transectId)
     {
-        $transect = Transect::findOrFail($transectId);
-        $this->authorize('update', $transect);
         $project = Project::findOrFail($projectId);
+        $transect = $project->transects()->findOrFail($transectId);
+        $this->authorize('destroy', $transect);
 
         $project->removeTransect($transect, $this->request->has('force'));
 

app/Policies/TransectPolicy.php

@@ -2,10 +2,10 @@
 
 namespace Dias\Policies;
 
-use Dias\Transect;
+use DB;
 use Dias\User;
 use Dias\Role;
-use DB;
+use Dias\Transect;
 use Illuminate\Auth\Access\HandlesAuthorization;
 
 class TransectPolicy extends CachedPolicy
@@ -90,4 +90,16 @@ public function update(User $user, Transect $transect)
                 ->exists();
         });
     }
+
+    /**
+     * Determine if the given transect can be deleted by the user.
+     *
+     * @param  User  $user
+     * @param  Transect  $transect
+     * @return bool
+     */
+    public function destroy(User $user, Transect $transect)
+    {
+        return $this->update($user, $transect);
+    }
 }

tests/php/Http/Controllers/Api/ApiProjectTransectControllerTest.php

@@ -156,9 +156,14 @@ public function testDestroy()
 
         $this->beAdmin();
         $this->delete('/api/v1/projects/1/transects/'.$id);
-        // trying to delete withour force
+        // trying to delete without force
         $this->assertResponseStatus(400);
 
+        $otherTransect = TransectTest::create();
+        $this->delete('/api/v1/projects/1/transects/'.$otherTransect->id);
+        // does not belong to the project
+        $this->assertResponseStatus(404);
+
         $this->expectsEvents('images.cleanup');
 
         $this->delete('/api/v1/projects/1/transects/'.$id, [