
Add user authorization check on forms and index views

tags/0.2.2
Nafies Luthfi 8 years ago
parent
commit
8333c118cb
  1. 6
      src/stubs/view-forms.stub
  2. 6
      src/stubs/view-index.stub
  3. 12
      tests/Generators/ViewsGeneratorTest.php

6
src/stubs/view-forms.stub

@ -1,4 +1,4 @@
@if (Request::get('action') == 'create')
@if (Request::get('action') == 'create' && auth()->user()->can('create', new fullMstr))
{!! Form::open(['route' => 'masters.store']) !!}
{!! FormField::text('name', ['required' => true, 'label' => trans('master.name')]) !!}
{!! FormField::textarea('description', ['label' => trans('master.description')]) !!}
@ -6,7 +6,7 @@
{{ link_to_route('masters.index', trans('app.cancel'), [], ['class' => 'btn btn-default']) }}
{!! Form::close() !!}
@endif
@if (Request::get('action') == 'edit' && $editableMaster)
@if (Request::get('action') == 'edit' && $editableMaster && auth()->user()->can('update', $editableMaster))
{!! Form::model($editableMaster, ['route' => ['masters.update', $editableMaster->id],'method' => 'patch']) !!}
{!! FormField::text('name', ['required' => true, 'label' => trans('master.name')]) !!}
{!! FormField::textarea('description', ['label' => trans('master.description')]) !!}
@ -20,7 +20,7 @@
{{ link_to_route('masters.index', trans('app.cancel'), [], ['class' => 'btn btn-default']) }}
{!! Form::close() !!}
@endif
@if (Request::get('action') == 'delete' && $editableMaster)
@if (Request::get('action') == 'delete' && $editableMaster && auth()->user()->can('delete', $editableMaster))
<div class="panel panel-default">
<div class="panel-heading"><h3 class="panel-title">{{ trans('master.delete') }}</h3></div>
<div class="panel-body">
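Review bot: The three new conditions call `auth()->user()->can(...)`, and `auth()->user()` is null for a guest, so rendering this view without an authenticated user would fail on a method call on null rather than just hiding the form. Whether the route always sits behind auth middleware is not visible here. The index stub in this same commit uses `@can`, which asks the gate and does not dereference the user. The forms could match it, e.g. `@if (Request::get('action') == 'create' && Gate::allows('create', new fullMstr))`, and likewise for the `edit` and `delete` conditions. The expected strings in tests/Generators/ViewsGeneratorTest.php carry the same expression and would change with it; the `delete` block continues past the end of the last hunk.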

6
src/stubs/view-index.stub

@ -5,7 +5,9 @@
@section('content')
<h1 class="page-header">
<div class="pull-right">
@can('create', new fullMstr)
{{ link_to_route('masters.index', trans('master.create'), ['action' => 'create'], ['class' => 'btn btn-success']) }}
@endcan
</div>
{{ trans('master.list') }}
<small>{{ trans('app.total') }} : {{ $mstrCollections->total() }} {{ trans('master.master') }}</small>
@ -36,18 +38,22 @@
<td>{{ $singleMstr->name }}</td>
<td>{{ $singleMstr->description }}</td>
<td class="text-center">
@can('update', $singleMstr)
{!! link_to_route(
'masters.index',
trans('app.edit'),
['action' => 'edit', 'id' => $singleMstr->id] + Request::only('page', 'q'),
['id' => 'edit-singleMstr-' . $singleMstr->id]
) !!} |
@endcan
@can('delete', $singleMstr)
{!! link_to_route(
'masters.index',
trans('app.delete'),
['action' => 'delete', 'id' => $singleMstr->id] + Request::only('page', 'q'),
['id' => 'del-singleMstr-' . $singleMstr->id]
) !!}
@endcan
</td>
</tr>
@endforeach
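Review bot: The `@can` wrappers added around the create, edit and delete links only decide what is rendered; they are not an access check on the requests themselves. Whether the generated controller enforces the same policies on its write actions (`masters.store`, `masters.update` and the delete route), for instance with a call such as `$this->authorize('update', $master)`, is not visible in this commit. That is worth confirming, because those requests can be sent without ever seeing the links. As a style point, `@can('create', new fullMstr)` builds a model instance only to select the policy; `@can('create', fullMstr::class)` resolves the same policy without it. The table markup continues outside both hunks.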

12
tests/Generators/ViewsGeneratorTest.php

@ -21,7 +21,9 @@ class ViewsGeneratorTest extends TestCase
@section('content')
<h1 class=\"page-header\">
<div class=\"pull-right\">
@can('create', new {$this->full_model_name})
{{ link_to_route('{$this->table_name}.index', trans('{$this->lang_name}.create'), ['action' => 'create'], ['class' => 'btn btn-success']) }}
@endcan
</div>
{{ trans('{$this->lang_name}.list') }}
<small>{{ trans('app.total') }} : {{ \${$this->collection_model_var_name}->total() }} {{ trans('{$this->lang_name}.{$this->lang_name}') }}</small>
@ -52,18 +54,22 @@ class ViewsGeneratorTest extends TestCase
<td>{{ \${$this->single_model_var_name}->name }}</td>
<td>{{ \${$this->single_model_var_name}->description }}</td>
<td class=\"text-center\">
@can('update', \${$this->single_model_var_name})
{!! link_to_route(
'{$this->table_name}.index',
trans('app.edit'),
['action' => 'edit', 'id' => \${$this->single_model_var_name}->id] + Request::only('page', 'q'),
['id' => 'edit-{$this->single_model_var_name}-' . \${$this->single_model_var_name}->id]
) !!} |
@endcan
@can('delete', \${$this->single_model_var_name})
{!! link_to_route(
'{$this->table_name}.index',
trans('app.delete'),
['action' => 'delete', 'id' => \${$this->single_model_var_name}->id] + Request::only('page', 'q'),
['id' => 'del-{$this->single_model_var_name}-' . \${$this->single_model_var_name}->id]
) !!}
@endcan
</td>
</tr>
@endforeach
@ -90,7 +96,7 @@ class ViewsGeneratorTest extends TestCase
$formViewPath = resource_path("views/{$this->table_name}/forms.blade.php");
$this->assertFileExists($formViewPath);
$formViewContent = "@if (Request::get('action') == 'create')
$formViewContent = "@if (Request::get('action') == 'create' && auth()->user()->can('create', new {$this->full_model_name}))
{!! Form::open(['route' => '{$this->table_name}.store']) !!}
{!! FormField::text('name', ['required' => true, 'label' => trans('{$this->lang_name}.name')]) !!}
{!! FormField::textarea('description', ['label' => trans('{$this->lang_name}.description')]) !!}
@ -98,7 +104,7 @@ class ViewsGeneratorTest extends TestCase
{{ link_to_route('{$this->table_name}.index', trans('app.cancel'), [], ['class' => 'btn btn-default']) }}
{!! Form::close() !!}
@endif
@if (Request::get('action') == 'edit' && \$editable{$this->model_name})
@if (Request::get('action') == 'edit' && \$editable{$this->model_name} && auth()->user()->can('update', \$editable{$this->model_name}))
{!! Form::model(\$editable{$this->model_name}, ['route' => ['{$this->table_name}.update', \$editable{$this->model_name}->id],'method' => 'patch']) !!}
{!! FormField::text('name', ['required' => true, 'label' => trans('{$this->lang_name}.name')]) !!}
{!! FormField::textarea('description', ['label' => trans('{$this->lang_name}.description')]) !!}
@ -112,7 +118,7 @@ class ViewsGeneratorTest extends TestCase
{{ link_to_route('{$this->table_name}.index', trans('app.cancel'), [], ['class' => 'btn btn-default']) }}
{!! Form::close() !!}
@endif
@if (Request::get('action') == 'delete' && \$editable{$this->model_name})
@if (Request::get('action') == 'delete' && \$editable{$this->model_name} && auth()->user()->can('delete', \$editable{$this->model_name}))
<div class=\"panel panel-default\">
<div class=\"panel-heading\"><h3 class=\"panel-title\">{{ trans('{$this->lang_name}.delete') }}</h3></div>
<div class=\"panel-body\">
