From 1eb494c7d7b5f11315cf1876b3079ed50f074faf Mon Sep 17 00:00:00 2001
From: Austin Kregel <5355937+austinkregel@users.noreply.github.com>
Date: Mon, 17 Oct 2022 01:47:54 -0400
Subject: [PATCH] Update the controllers to respect only the owner's permission, right now sharing is read only. Update Spork to whitelist core feature. Fix tests
---
 .../Controllers/FeatureListController.php | 15 +++++++++--
 src/Http/Requests/UpdateRequest.php | 27 +++++++++++++++++++
 src/Spork.php | 2 +-
 src/SporkServiceProvider.php | 1 +
 tests/Integration/FeatureListTest.php | 11 +++++---
 tests/Unit/SporkTest.php | 26 +++++++++---------
 6 files changed, 63 insertions(+), 19 deletions(-)
 create mode 100644 src/Http/Requests/UpdateRequest.php
diff --git a/src/Http/Controllers/FeatureListController.php b/src/Http/Controllers/FeatureListController.php
index 874df1b..6cb9f59 100644
--- a/src/Http/Controllers/FeatureListController.php
+++ b/src/Http/Controllers/FeatureListController.php
@@ -8,8 +8,10 @@
 use Spork\Core\Events\FeatureUpdated;
 use Spork\Core\Http\Requests\ShareRequest;
 use Spork\Core\Http\Requests\StoreRequest;
+use Spork\Core\Http\Requests\UpdateRequest;
 use Spork\Core\Models\FeatureList;
 use Spork\Core\Spork;
+use Illuminate\Http\Request;
 class FeatureListController
 {
@@ -55,16 +57,25 @@ public function store(StoreRequest $request)
 return response()->json($createdFeature, 201);
 }
- public function update(StoreRequest $request, FeatureList $featureList)
+ public function update(UpdateRequest $request, $featureList)
 {
+ $featureList = FeatureList::findOrFail($featureList);
+
+ abort_unless($featureList->user_id === $request->user()->id, 401);
+
 $featureList->update($request->validated());
+
 event(new FeatureUpdated($featureList));
 return response()->json($featureList, 200);
 }
- public function destroy(FeatureList $featureList)
+ public function destroy(Request $request, $featureList)
 {
+ $featureList = FeatureList::findOrFail($featureList);
+
+ abort_unless($featureList->user_id === $request->user()->id, 401);
+
 $featureList->delete();
 event(new FeatureDeleted($featureList));
diff --git a/src/Http/Requests/UpdateRequest.php b/src/Http/Requests/UpdateRequest.php
new file mode 100644
index 0000000..d6c62d1
--- /dev/null
+++ b/src/Http/Requests/UpdateRequest.php
@@ -0,0 +1,27 @@
+ 'string',
+ 'feature' => [
+ 'string',
+ Rule::in(Spork::provides()),
+ ],
+ 'settings' => 'nullable|array',
+ ];
+ }
+}
diff --git a/src/Spork.php b/src/Spork.php
index 48bb1e2..65f0111 100644
--- a/src/Spork.php
+++ b/src/Spork.php
@@ -126,6 +126,6 @@ public static function provides(): array
 {
 return array_reduce(static::$features, function ($provides, $feature) {
 return array_merge($provides, $feature['provides'] ?? []);
- }, []);
+ }, ['core']);
 }
 }
diff --git a/src/SporkServiceProvider.php b/src/SporkServiceProvider.php
index afcd950..984e068 100644
--- a/src/SporkServiceProvider.php
+++ b/src/SporkServiceProvider.php
@@ -2,6 +2,7 @@
 namespace Spork\Core;
+use Spork\Core\Models\FeatureList;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider;
 use Illuminate\Support\Facades\Route;
diff --git a/tests/Integration/FeatureListTest.php b/tests/Integration/FeatureListTest.php
index 8d90413..78c6f7d 100644
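Review bot: In `FeatureListController::update()` and `destroy()` the new ownership check answers a non-owner with 401, which tells an already authenticated client that its credentials were not accepted; a failed authorization should be 403 (or 404 if the existence of other users' feature lists should not be disclosed): `abort_unless($featureList->user_id === $request->user()->id, 403);`. The same line is duplicated in both methods and dereferences `$request->user()` without a null check, so it relies on these routes always sitting behind auth middleware, which is not visible in this hunk; a policy or the form request's `authorize()` would keep the rule in one place. The strict `===` also depends on `user_id` and `id` being hydrated with the same type; if either can come back as a string the owner is rejected as well, so confirm the model casts. `destroy()` continues past the end of the hunk.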
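Review bot: In `src/Http/Requests/UpdateRequest.php`, `'settings' => 'nullable|array'` places no limit on the keys or nesting of `settings`, and `update()` passes `$request->validated()` straight into `$featureList->update()`, so whatever structure the client sends is persisted. Constrain it to the keys the feature actually supports, e.g. `'settings' => 'nullable|array:<allowed-key-1>,<allowed-key-2>'` (placeholders) or per-key `settings.<key>` rules. The top of this file, including any `authorize()` method, is not readable on this page, so this is based on the visible rules only.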
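Review bot: Seeding the reduce with `['core']` in `Spork::provides()` makes `core` an accepted value for `Rule::in(Spork::provides())` whether or not any feature is registered or enabled, and nothing in the code says that this is intended. Add a comment on the seed such as `// 'core' is always provided, even when no feature is registered or enabled`, and consider a named constant instead of the bare literal. If a registered feature also lists `core` under `provides`, `array_merge` will return it twice; wrapping the result in `array_values(array_unique(...))` would avoid that.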
--- a/tests/Integration/FeatureListTest.php
+++ b/tests/Integration/FeatureListTest.php
@@ -29,17 +29,22 @@ public function testFeatureCreatedEventIsLaunched()
 Event::fake();
 $user = TestUser::factory()->create();
- $this->actingAs($user)->postJson('/api/core/feature-list', [
+ $response = $this->actingAs($user)->postJson('/api/core/feature-list', [
 'name' => 'Test feature',
 'feature' => 'core',
 'settings' => [],
 ]);
- $this->actingAs($user)->putJson('/api/core/feature-list/1', [
+ $response->assertStatus(201);
+ $featureId = $response->getData()->id;
+ $response2 = $this->actingAs($user)->putJson('/api/core/feature-list/' . $featureId, [
 'name' => 'A feature',
 ]);
+ $response2->assertStatus(200);
- $this->actingAs($user)->deleteJson('/api/core/feature-list/1');
+ $this->withoutExceptionHandling();
+ $response3 = $this->actingAs($user)->deleteJson('/api/core/feature-list/' . $featureId);
+ $response3->assertStatus(204);
 Event::assertDispatched(FeatureCreated::class);
 Event::assertDispatched(FeatureUpdated::class);
diff --git a/tests/Unit/SporkTest.php b/tests/Unit/SporkTest.php
index 8d4e9c1..4159525 100644
--- a/tests/Unit/SporkTest.php
+++ b/tests/Unit/SporkTest.php
@@ -20,16 +20,16 @@ public function setUp(): void
 public function testAddFeatureFiresFeatureRegisteredEvent()
 {
 Event::fake();
- Config::set('spork.core.enabled', true);
+ Config::set('spork.cores.enabled', true);
- Spork::addFeature('core', 'icon', '/path', 'default', []);
+ Spork::addFeature('cores', 'icon', '/path', 'default', []);
 Event::assertDispatched(FeatureRegistered::class);
 $this->assertSame([
- 'core' => [
- 'name' => 'Core',
- 'slug' => 'core',
+ 'cores' => [
+ 'name' => 'Cores',
+ 'slug' => 'cores',
 'icon' => 'icon',
 'path' => '/path',
 'enabled' => true,
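Review bot: The test in `tests/Integration/FeatureListTest.php` still only exercises the owner, so the ownership check this commit adds to `update()` and `destroy()` has no coverage. Add a case where a second user targets the first user's record, e.g. `$other = TestUser::factory()->create();` followed by `$this->actingAs($other)->putJson('/api/core/feature-list/' . $featureId, ['name' => 'x'])->assertStatus(401);` (the status the controller currently returns), and the same for `deleteJson`. `$this->withoutExceptionHandling();` before the delete call looks like leftover debugging: from that point on a failed check is thrown as an exception instead of being rendered as a response, so drop it unless it is needed. The test method starts before and continues after this hunk.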
@@ -38,9 +38,9 @@ public function testAddFeatureFiresFeatureRegisteredEvent()
 ],
 ], Spork::$features);
- $this->assertSame([], Spork::provides());
+ $this->assertSame(['core'], Spork::provides());
- $this->assertTrue(Spork::hasFeature('core'));
+ $this->assertTrue(Spork::hasFeature('cores'));
 }
 public function testDoesntMakeFeatureAvailable()
@@ -48,14 +48,14 @@ public function testDoesntMakeFeatureAvailable()
 Event::fake();
 Config::set('spork.core.enabled', false);
- Spork::addFeature('core', 'icon', '/path', 'default', []);
+ Spork::addFeature('cores', 'icon', '/path', 'default', []);
 Event::assertDispatched(FeatureRegistered::class);
 $this->assertSame([
- 'core' => [
- 'name' => 'Core',
- 'slug' => 'core',
+ 'cores' => [
+ 'name' => 'Cores',
+ 'slug' => 'cores',
 'icon' => 'icon',
 'path' => '/path',
 'enabled' => false,
@@ -64,9 +64,9 @@ public function testDoesntMakeFeatureAvailable()
 ],
 ], Spork::$features);
- $this->assertSame([], Spork::provides());
+ $this->assertSame(['core'], Spork::provides());
- $this->assertFalse(Spork::hasFeature('core'));
+ $this->assertFalse(Spork::hasFeature('cores'));
 }
 public function testLoadWithAddsAsitGetsCalledAndWontDuplicateValues()
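Review bot: In `testDoesntMakeFeatureAvailable` (hunk `@@ -48,14 +48,14 @@` of `tests/Unit/SporkTest.php`) the feature is renamed to `cores`, but the unchanged context line still sets `Config::set('spork.core.enabled', false);`, so the test no longer disables the feature it registers. It presumably still passes because an unset `spork.cores.enabled` is treated as disabled, which means the explicit-disable path is no longer what is being checked. Change the line to `Config::set('spork.cores.enabled', false);`, as was done in `testAddFeatureFiresFeatureRegisteredEvent`. The test body begins before this hunk and continues in the next one.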