mirror of
https://github.com/bs-community/blessing-skin-server.git
synced 2025-01-24 14:04:07 +08:00
Do some checks before updating player profile
This commit is contained in:
parent
aaf612f2d9
commit
faa73bebc9
@ -16,6 +16,8 @@ use App\Events\CheckPlayerExists;
|
||||
use App\Events\PlayerWillBeAdded;
|
||||
use App\Events\PlayerWillBeDeleted;
|
||||
use App\Exceptions\PrettyPageException;
|
||||
use App\Http\Middleware\CheckPlayerExist;
|
||||
use App\Http\Middleware\CheckPlayerOwner;
|
||||
use App\Services\Repositories\UserRepository;
|
||||
|
||||
class PlayerController extends Controller
|
||||
@ -43,6 +45,14 @@ class PlayerController extends Controller
|
||||
$this->player->checkForInvalidTextures();
|
||||
}
|
||||
}
|
||||
|
||||
$this->middleware(
|
||||
[CheckPlayerExist::class, CheckPlayerOwner::class],
|
||||
[
|
||||
'only' => ['delete', 'rename', 'setTexture', 'clearTexture', 'setPreference']
|
||||
]);
|
||||
|
||||
return json('dd', 0);
|
||||
}
|
||||
|
||||
public function index()
|
||||
|
@ -10,6 +10,17 @@ class CheckPlayerExist
|
||||
{
|
||||
public function handle($request, \Closure $next)
|
||||
{
|
||||
if ($request->has('pid') && $request->isMethod('post')) {
|
||||
if (is_null(Player::find($request->input('pid')))) {
|
||||
return response()->json([
|
||||
'errno' => 1,
|
||||
'msg' => trans('general.unexistent-player')
|
||||
]);
|
||||
} else {
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
|
||||
if (stripos($request->getUri(), '.json') != false) {
|
||||
preg_match('/\/([^\/]*)\.json/', $request->getUri(), $matches);
|
||||
} else {
|
||||
|
32
app/Http/Middleware/CheckPlayerOwner.php
Normal file
32
app/Http/Middleware/CheckPlayerOwner.php
Normal file
@ -0,0 +1,32 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use App\Models\Player;
|
||||
|
||||
class CheckPlayerOwner
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param \Closure $next
|
||||
* @return mixed
|
||||
*/
|
||||
public function handle($request, Closure $next)
|
||||
{
|
||||
if ($pid = $request->input('pid')) {
|
||||
$player = Player::find($pid);
|
||||
|
||||
if ($player->uid != app('user.current')->uid) {
|
||||
return response()->json([
|
||||
'errno' => 1,
|
||||
'msg' => trans('admin.players.no-permission')
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
@ -110,6 +110,51 @@ class MiddlewareTest extends TestCase
|
||||
|
||||
$this->expectsEvents(\App\Events\CheckPlayerExists::class);
|
||||
$this->get("/{$player->player_name}.json");
|
||||
|
||||
$player = factory(\App\Models\Player::class)->create();
|
||||
$user = \App\Models\User::find($player->uid);
|
||||
$this->actAs($user)
|
||||
->post('/user/player/rename', [
|
||||
'pid' => -1,
|
||||
'new_player_name' => 'name'
|
||||
])->seeJson([
|
||||
'errno' => 1,
|
||||
'msg' => trans('general.unexistent-player')
|
||||
]);
|
||||
$this->actAs($user)
|
||||
->post('/user/player/rename', [
|
||||
'pid' => $player->pid,
|
||||
'new_player_name' => 'name'
|
||||
])->seeJson([
|
||||
'errno' => 0
|
||||
]);
|
||||
}
|
||||
|
||||
public function testCheckPlayerOwner()
|
||||
{
|
||||
$other_user = factory(\App\Models\User::class)->create();
|
||||
$player = factory(\App\Models\Player::class)->create();
|
||||
$owner = \App\Models\User::find($player->uid);
|
||||
|
||||
$this->actAs($other_user)
|
||||
->visit('/user/player')
|
||||
->assertResponseStatus(200);
|
||||
|
||||
$this->actAs($other_user)
|
||||
->post('/user/player/rename', [
|
||||
'pid' => $player->pid
|
||||
])->seeJson([
|
||||
'errno' => 1,
|
||||
'msg' => trans('admin.players.no-permission')
|
||||
]);
|
||||
|
||||
$this->actAs($owner)
|
||||
->post('/user/player/rename', [
|
||||
'pid' => $player->pid,
|
||||
'new_player_name' => 'name'
|
||||
])->seeJson([
|
||||
'errno' => 0
|
||||
]);
|
||||
}
|
||||
|
||||
public function testRedirectIfAuthenticated()
|
||||
|
@ -279,14 +279,15 @@ class PlayerControllerTest extends TestCase
|
||||
{
|
||||
// Without `preference` field
|
||||
$player = factory(Player::class)->create();
|
||||
$this->post('/user/player/preference', [
|
||||
'pid' => $player->pid
|
||||
], [
|
||||
'X-Requested-With' => 'XMLHttpRequest'
|
||||
])->seeJson([
|
||||
'errno' => 1,
|
||||
'msg' => trans('validation.required', ['attribute' => 'preference'])
|
||||
]);
|
||||
$this->actAs(User::find($player->uid))
|
||||
->post('/user/player/preference', [
|
||||
'pid' => $player->pid
|
||||
], [
|
||||
'X-Requested-With' => 'XMLHttpRequest'
|
||||
])->seeJson([
|
||||
'errno' => 1,
|
||||
'msg' => trans('validation.required', ['attribute' => 'preference'])
|
||||
]);
|
||||
|
||||
// value of `preference` is invalid
|
||||
$this->post('/user/player/preference', [
|
||||
|
Loading…
Reference in New Issue
Block a user