Refactor routes to use LimitWikiAccess middleware

Author: AndrewKostka

app/Http/Controllers/WikiController.php

@@ -200,22 +200,8 @@ public function create(Request $request): \Illuminate\Http\Response
 
     public function delete(Request $request): \Illuminate\Http\JsonResponse
     {
-        $user = $request->user();
-
-        $request->validate([
-            'wiki' => 'required|numeric',
-        ]);
-
-        $wikiId = $request->input('wiki');
-        $userId = $user->id;
         $wikiDeletionReason = $request->input('deletionReasons');
-
-        // Check that the requesting user manages the wiki
-        if (WikiManager::where('user_id', $userId)->where('wiki_id', $wikiId)->count() !== 1) {
-            // The deletion was requested by a user that does not manage the wiki
-            return response()->json('Unauthorized', 401);
-        }
-        $wiki = Wiki::find($wikiId);
+        $wiki = $request->attributes->get('wiki');
 
         if(isset($wikiDeletionReason)){
             //Save the wiki deletion reason
@@ -231,25 +217,11 @@ public function delete(Request $request): \Illuminate\Http\JsonResponse
     // TODO should this just be get wiki?
     public function getWikiDetailsForIdForOwner(Request $request): \Illuminate\Http\Response
     {
-        $user = $request->user();
-
-        $wikiId = $request->input('wiki');
-
-        // TODO general check to make sure current user can manage the wiki
-        // this should probably be middle ware?
-        // TODO only do 1 query where instead of 2?
-        $test = WikiManager::where('user_id', $user->id)
-      ->where('wiki_id', $wikiId)
-      ->first();
-        if (! $test) {
-            abort(403);
-        }
-
-        $wiki = Wiki::where('id', $wikiId)
-      ->with('wikiManagers')
-      ->with('wikiDbVersion')
-      ->with('wikiLatestProfile')
-      ->with('publicSettings')->first();
+        $wiki = $request->attributes->get('wiki')
+            ->with('wikiManagers')
+            ->with('wikiDbVersion')
+            ->with('wikiLatestProfile')
+            ->with('publicSettings')->first();
 
         $res = [
             'success' => true,

app/Http/Controllers/WikiLogoController.php

@@ -20,27 +20,15 @@ class WikiLogoController extends Controller
     public function update(Request $request)
     {
         $request->validate([
-            'wiki' => 'required|numeric',
             'logo' => 'required|mimes:png',
         ]);
 
-        $user = $request->user();
-
-        $wikiId = $request->input('wiki');
-        $userId = $user->id;
-
-        // Check that the requesting user manages the wiki
-        // TODO turn this into a generic guard for all of these types of routes...
-        if (WikiManager::where('user_id', $userId)->where('wiki_id', $wikiId)->count() !== 1) {
-            // The logo update was requested by a user that does not manage the wiki
-            return response()->json('Unauthorized', 401);
-        }
+        $wiki = $request->attributes->get('wiki');
 
         // run the job to set the wiki logo
-        ( new SetWikiLogo('id', $wikiId, $request->file('logo')->getRealPath()) )->handle();
+        ( new SetWikiLogo('id', $wiki->id, $request->file('logo')->getRealPath()) )->handle();
 
         // get the logo URL from the settings
-        $wiki = Wiki::find($wikiId);
         $wgLogoSetting = $wiki->settings()->firstWhere(['name' => WikiSetting::wgLogo])->value;
 
         $res['success'] = true;

app/Http/Controllers/WikiSettingController.php

@@ -40,29 +40,18 @@ public function update($setting, Request $request)
         $settingValidations = $this->getSettingValidations();
 
         $request->validate([
-            'wiki' => 'required|numeric',
             // Allow both internal and external setting names, see normalizeSetting
             'setting' => 'required|string|in:'.implode(',', array_keys($settingValidations)),
         ]);
         $settingName = $request->input('setting');
 
         $request->validate(['value' => $settingValidations[$settingName]]);
         $value = $request->input('value');
-
-        $user = $request->user();
-        $wikiId = $request->input('wiki');
-        $userId = $user->id;
-
-        // Check that the requesting user manages the wiki
-        // TODO turn this into a generic guard for all of these types of routes...
-        if (WikiManager::where('user_id', $userId)->where('wiki_id', $wikiId)->count() !== 1) {
-            // The deletion was requested by a user that does not manage the wiki
-            return response()->json('Unauthorized', 401);
-        }
+        $wiki = $request->attributes->get('wiki');
 
         WikiSetting::updateOrCreate(
             [
-                'wiki_id' => $wikiId,
+                'wiki_id' => $wiki->id,
                 'name' => $settingName,
             ],
             [

routes/api.php

@@ -38,14 +38,16 @@
         });
         $router->group(['prefix' => 'wiki', 'middleware' => ['verified']], function () use ($router) {
             $router->post('create', ['uses' => 'WikiController@create']);
-            $router->post('delete', ['uses' => 'WikiController@delete']);
-            $router->post('details', ['uses' => 'WikiController@getWikiDetailsForIdForOwner']);
-            $router->get('details', ['uses' => 'WikiController@getWikiDetailsForIdForOwner']);
-            $router->post('logo/update', ['uses' => 'WikiLogoController@update']);
-            $router->post('setting/{setting}/update', ['uses' => 'WikiSettingController@update']);
-            $router->get('entityImport', ['middleware' => 'limit_wiki_access', 'uses' => 'WikiEntityImportController@get']);
-            $router->post('entityImport', ['middleware' => 'limit_wiki_access', 'uses' => 'WikiEntityImportController@create']);
-            $router->post('profile', ['middleware' => 'limit_wiki_access', 'uses' => 'WikiProfileController@create']);
+            $router->group(['middleware' => 'limit_wiki_access'], function () use ($router) {
+                $router->post('delete', ['uses' => 'WikiController@delete']);
+                $router->post('details', ['uses' => 'WikiController@getWikiDetailsForIdForOwner']);
+                $router->get('details', ['uses' => 'WikiController@getWikiDetailsForIdForOwner']);
+                $router->post('logo/update', ['uses' => 'WikiLogoController@update']);
+                $router->post('setting/{setting}/update', ['uses' => 'WikiSettingController@update']);
+                $router->get('entityImport', ['uses' => 'WikiEntityImportController@get']);
+                $router->post('entityImport', ['uses' => 'WikiEntityImportController@create']);
+                $router->post('profile', ['uses' => 'WikiProfileController@create']);
+            });
         });
         $router->apiResource('deletedWikiMetrics', 'DeletedWikiMetricsController')->only(['index'])
             ->middleware(AuthorisedUsersForDeletedWikiMetricsMiddleware::class);

tests/Routes/Wiki/DeleteWikiTest.php

@@ -43,6 +43,6 @@ public function testFailOnWrongWikiManager(): void
         WikiManager::factory()->create(['wiki_id' => $userWiki->id, 'user_id' => $user->id]);
         $this->actingAs($user, 'api')
             ->post('wiki/delete', ['wiki' => $otherWiki->id])
-            ->assertStatus(401);
+            ->assertStatus(403);
     }
 }

tests/Routes/Wiki/LogoUpdateTest.php

@@ -65,6 +65,6 @@ public function testFailOnWrongWikiManager(): void
             ->createWithContent("logo_200x200.png", file_get_contents(__DIR__ . "/../../data/logo_200x200.png"));
         $this->actingAs($user, 'api')
             ->post('wiki/logo/update', ['wiki' => $otherWiki->id, 'logo' => $file])
-            ->assertStatus(401);
+            ->assertStatus(403);
     }
 }

tests/Routes/Wiki/SettingUpdateTest.php

@@ -26,11 +26,12 @@ class SettingUpdateTest extends TestCase
     public function testSetInvalidSetting()
     {
         $settingName = 'iDoNotExistAsASetting';
-
+        $wiki = Wiki::factory()->create();
         $user = User::factory()->create(['verified' => true]);
+        WikiManager::factory()->create(['wiki_id' => $wiki->id, 'user_id' => $user->id]);
         $this->actingAs($user, 'api')
             ->json('POST', str_replace('foo', $settingName, $this->route), [
-            'wiki' => 1,
+            'wiki' => $wiki->id,
             'setting' => $settingName,
             'value' => '1',
           ])
@@ -51,7 +52,7 @@ public function testFailOnWrongWikiManager(): void
                 'setting' => $settingName,
                 'value' => '1'
             ])
-            ->assertStatus(401);
+            ->assertStatus(403);
     }
 
     static public function provideValidSettings()
@@ -156,11 +157,13 @@ static public function provideValidSettingsBadValues()
      */
     public function testValidSettingBadValues($settingName, $settingValue)
     {
+        $wiki = Wiki::factory()->create();
         $user = User::factory()->create(['verified' => true]);
+        WikiManager::factory()->create(['wiki_id' => $wiki->id, 'user_id' => $user->id]);
 
         $this->actingAs($user, 'api')
             ->json('POST', str_replace('foo', $settingName, $this->route), [
-            'wiki' => 1,
+            'wiki' => $wiki->id,
             'setting' => $settingName,
             'value' => $settingValue,
             ])