Refactor LimitWikiAccess middleware

Author: AndrewKostka

app/Http/Controllers/WikiEntityImportController.php

@@ -32,22 +32,14 @@ public function __construct(CollectorRegistry $registry)
     }
     public function get(Request $request): \Illuminate\Http\JsonResponse
     {
-        $validatedInput = $request->validate([
-            'wiki' => ['required', 'integer'],
-        ]);
-        $wiki = Wiki::find($validatedInput['wiki']);
-        if (!$wiki) {
-            abort(404, 'No such wiki');
-        }
-
+        $wiki = $request->attributes->get('wiki');
         $imports = $wiki->wikiEntityImports()->get();
         return response()->json(['data' => $imports]);
     }
 
     public function create(Request $request): \Illuminate\Http\JsonResponse
     {
         $validatedInput = $request->validate([
-            'wiki' => ['required', 'integer'],
             'source_wiki_url' => ['required', 'url'],
             'entity_ids' => ['required', 'string', function (string $attr, mixed $value, \Closure $fail) {
                 $chunks = explode(',', $value);
@@ -59,11 +51,7 @@ public function create(Request $request): \Illuminate\Http\JsonResponse
             }],
         ]);
 
-        $wiki = Wiki::find($validatedInput['wiki']);
-        if (!$wiki) {
-            abort(404, 'No such wiki');
-        }
-
+        $wiki = $request->attributes->get('wiki');
         $imports = $wiki->wikiEntityImports()->get();
         foreach ($imports as $import) {
             if ($import->status === WikiEntityImportStatus::Success) {

app/Http/Controllers/WikiProfileController.php

@@ -4,7 +4,6 @@
 
 use App\Helper\ProfileValidator;
 use App\Rules\NonEmptyJsonRule;
-use App\Wiki;
 use App\WikiProfile;
 use Illuminate\Http\Request;
 
@@ -19,16 +18,11 @@ public function __construct(ProfileValidator $profileValidator)
 
     public function create(Request $request): \Illuminate\Http\JsonResponse
     {
+        $wiki = $request->attributes->get('wiki');
         $validatedInput = $request->validate([
-            'wiki' => ['required', 'integer'],
             'profile' => ['required', 'json', new NonEmptyJsonRule]
         ]);
 
-        $wiki = Wiki::find($validatedInput['wiki']);
-        if (!$wiki) {
-            abort(404, 'No such wiki');
-        }
-
         $rawProfile = json_decode($validatedInput['profile'], true);
         $profileValidator = $this->profileValidator->validate($rawProfile);
         $profileValidator->validateWithBag('post');

app/Http/Middleware/LimitWikiAccess.php

@@ -10,21 +10,32 @@
 class LimitWikiAccess
 {
     /**
-     * Handle an incoming request.
-     *
-     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     * Reject any incoming request unless the user is a manager of the
+     * requested wiki. If the user is authorized, inject the wiki
+     * object into the request context.
      */
     public function handle(Request $request, Closure $next): Response
     {
-        $userHasAccess = WikiManager::where([
+        $validatedInput = $request->validate([
+            'wiki' => ['required', 'integer']
+        ]);
+
+        $wikiManager = WikiManager::where([
             'user_id' => $request->user()?->id,
-            'wiki_id' => $request->input('wiki'),
-        ])->exists();
+            'wiki_id' => $validatedInput['wiki'],
+        ])
+        ->with('wiki')
+        ->first();
 
-        if (!$userHasAccess) {
+        if (!$wikiManager) {
             abort(403);
         }
 
+        if (!$wikiManager->wiki) {
+            abort(404, 'No such wiki');
+        }
+
+        $request->attributes->set('wiki', $wikiManager->wiki);
         return $next($request);
     }
 }

tests/Middleware/LimitWikiAccessText.php

@@ -0,0 +1,79 @@
+<?php
+
+namespace Tests\Jobs;
+
+use App\User;
+use App\Wiki;
+use App\WikiManager;
+use Illuminate\Http\Request;
+use Tests\TestCase;
+use Illuminate\Support\Facades\Route;
+
+class LimitWikiAccessText extends TestCase
+{
+    public function setUp(): void
+    {
+        parent::setUp();
+        Route::middleware('limit_wiki_access')->get('/endpoint', function (Request $request) {
+            return response()->json([
+                'wiki_id' => $request->attributes->get('wiki')->id
+            ]);
+        });
+    }
+
+    public function tearDown(): void
+    {
+        parent::tearDown();
+    }
+
+    private function createWikiAndUser(): array
+    {
+        $wiki = Wiki::factory()->create();
+        $user = User::factory()->create(['verified' => true]);
+        WikiManager::factory()->create(['wiki_id' => $wiki->id, 'user_id' => $user->id]);
+        return array($wiki, $user);
+    }
+
+    private function getURI(Wiki $wiki): string
+    {
+        return "/endpoint?wiki={$wiki->id}";
+    }
+
+    public function testSuccess(): void
+    {
+        [$wiki, $user] = $this->createWikiAndUser();
+
+        $this->actingAs($user)
+        ->json('GET', $this->getURI($wiki))
+        ->assertStatus(200)
+        ->assertJson(['wiki_id' => $wiki->id]);
+    }
+
+    public function testFailOnWrongWikiManager(): void
+    {
+        $userWiki = Wiki::factory()->create();
+        $otherWiki = Wiki::factory()->create();
+        $user = User::factory()->create(['verified' => true]);
+        WikiManager::factory()->create(['wiki_id' => $userWiki->id, 'user_id' => $user->id]);
+        $this->actingAs($user)->json('GET', $this->getURI($otherWiki))->assertStatus(403);
+    }
+
+    public function testFailOnDeletedWiki(): void
+    {
+        [$wiki, $user] = $this->createWikiAndUser();
+        $wiki->delete();
+        $this->actingAs($user)->json('GET', $this->getURI($wiki))->assertStatus(404);
+    }
+
+    public function testFailOnMissingWiki(): void
+    {
+        [$wiki, $user] = $this->createWikiAndUser();
+        $this->actingAs($user)->json('GET', '/endpoint')->assertStatus(422);
+    }
+
+    public function testFailOnMissingUser(): void
+    {
+        [$wiki, $user] = $this->createWikiAndUser();
+        $this->json('GET', $this->getURI($wiki))->assertStatus(403);
+    }
+}