simplify player owner checking

2020-06-03 09:24:31 +08:00 · 2020-06-03 09:24:31 +08:00 · e54fecd6e5
commit e54fecd6e5
parent f78d37cd6e
4 changed files with 24 additions and 51 deletions
--- a/app/Http/Controllers/PlayerController.php
+++ b/app/Http/Controllers/PlayerController.php
@ -22,7 +22,16 @@ class PlayerController extends Controller
 {
    public function __construct()
    {
-        $this->middleware([CheckPlayerOwner::class], [
+        $this->middleware(function (Request $request, $next) {
+            /** @var Player */
+            $player = $request->route('player');
+            if ($player->user->isNot($request->user())) {
+                return json(trans('admin.players.no-permission'), 1)
+                    ->setStatusCode(403);
+            }
+
+            return $next($request);
+        }, [
            'only' => ['delete', 'rename', 'setTexture', 'clearTexture'],
        ]);
    }
--- a/app/Http/Middleware/CheckPlayerOwner.php
+++ b/app/Http/Middleware/CheckPlayerOwner.php
@ -1,20 +0,0 @@
-<?php
-
-namespace App\Http\Middleware;
-
-use App\Models\Player;
-use Closure;
-use Illuminate\Support\Arr;
-
-class CheckPlayerOwner
-{
-    public function handle($request, Closure $next)
-    {
-        $pid = Arr::get($request->route()->parameters, 'pid') ?? $request->input('pid');
-        if ($pid && ($player = Player::find($pid)) && $player->uid != auth()->id()) {
-            return json(trans('admin.players.no-permission'), 1);
-        }
-
-        return $next($request);
-    }
-}
--- a/tests/HttpTest/ControllersTest/PlayerControllerTest.php
+++ b/tests/HttpTest/ControllersTest/PlayerControllerTest.php
@ -37,6 +37,20 @@ class PlayerControllerTest extends TestCase
            ->assertJson([$player->toArray()]);
    }

+    public function testAccessControl()
+    {
+        $user = factory(User::class)->make();
+        $player = factory(Player::class)->create();
+
+        $this->actingAs($user)
+            ->deleteJson(route('user.player.delete', ['player' => $player]))
+            ->assertJson([
+                'code' => 1,
+                'message' => trans('admin.players.no-permission'),
+            ])
+            ->assertForbidden();
+    }
+
    public function testAdd()
    {
        Event::fake();
--- a/tests/HttpTest/MiddlewareTest/CheckPlayerOwnerTest.php
+++ b/tests/HttpTest/MiddlewareTest/CheckPlayerOwnerTest.php
@ -1,30 +0,0 @@
-<?php
-
-namespace Tests;
-
-use App\Models\Player;
-use App\Models\User;
-use Illuminate\Foundation\Testing\DatabaseTransactions;
-
-class CheckPlayerOwnerTest extends TestCase
-{
-    use DatabaseTransactions;
-
-    public function testHandle()
-    {
-        $other_user = factory(User::class)->create();
-        $player = factory(Player::class)->create();
-        $owner = $player->user;
-
-        $this->actingAs($other_user)
-            ->get('/user/player')
-            ->assertSuccessful();
-
-        $this->actingAs($other_user)
-            ->postJson('/user/player/rename/'.$player->pid)
-            ->assertJson([
-                'code' => 1,
-                'message' => trans('admin.players.no-permission'),
-            ]);
-    }
-}