Prevent user from deleting their own profile

8 years ago · f7b22f75f3
2 changed files with 9 additions and 1 deletions
--- a/app/Policies/UserPolicy.php
+++ b/app/Policies/UserPolicy.php
@ -16,6 +16,6 @@ class UserPolicy

    public function delete(User $user, User $editableUser)
    {
-        return $editableUser->manager_id == $user->id;
+        return $editableUser->manager_id == $user->id && $editableUser->id != $user->id;
    }
 }
--- a/tests/Unit/Policies/UserPolicyTest.php
+++ b/tests/Unit/Policies/UserPolicyTest.php
@ -35,4 +35,12 @@ class UserPolicyTest extends TestCase

        $this->assertTrue($manager->can('delete', $user));
    }
+
+    /** @test */
+    public function user_cannot_delete_their_own_data()
+    {
+        $user = factory(User::class)->create();
+
+        $this->assertFalse($user->can('delete', $user));
+    }
 }