Do some checks before updating player profile

2017-11-15 14:00:11 +08:00 · 2017-11-15 14:00:11 +08:00 · faa73bebc9
commit faa73bebc9
parent aaf612f2d9
5 changed files with 107 additions and 8 deletions
--- a/app/Http/Controllers/PlayerController.php
+++ b/app/Http/Controllers/PlayerController.php
@ -16,6 +16,8 @@ use App\Events\CheckPlayerExists;
 use App\Events\PlayerWillBeAdded;
 use App\Events\PlayerWillBeDeleted;
 use App\Exceptions\PrettyPageException;
+use App\Http\Middleware\CheckPlayerExist;
+use App\Http\Middleware\CheckPlayerOwner;
 use App\Services\Repositories\UserRepository;

 class PlayerController extends Controller
@ -43,6 +45,14 @@ class PlayerController extends Controller
                $this->player->checkForInvalidTextures();
            }
        }
+
+        $this->middleware(
+            [CheckPlayerExist::class, CheckPlayerOwner::class],
+            [
+                'only' => ['delete', 'rename', 'setTexture', 'clearTexture', 'setPreference']
+            ]);
+
+        return json('dd', 0);
    }

    public function index()
--- a/app/Http/Middleware/CheckPlayerExist.php
+++ b/app/Http/Middleware/CheckPlayerExist.php
@ -10,6 +10,17 @@ class CheckPlayerExist
 {
    public function handle($request, \Closure $next)
    {
+        if ($request->has('pid') && $request->isMethod('post')) {
+            if (is_null(Player::find($request->input('pid')))) {
+                return response()->json([
+                    'errno' => 1,
+                    'msg' => trans('general.unexistent-player')
+                ]);
+            } else {
+                return $next($request);
+            }
+        }
+
        if (stripos($request->getUri(), '.json') != false) {
            preg_match('/\/([^\/]*)\.json/', $request->getUri(), $matches);
        } else {
--- a/app/Http/Middleware/CheckPlayerOwner.php
+++ b/app/Http/Middleware/CheckPlayerOwner.php
@ -0,0 +1,32 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use App\Models\Player;
+
+class CheckPlayerOwner
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        if ($pid = $request->input('pid')) {
+            $player = Player::find($pid);
+
+            if ($player->uid != app('user.current')->uid) {
+                return response()->json([
+                    'errno' => 1,
+                    'msg' => trans('admin.players.no-permission')
+                ]);
+            }
+        }
+
+        return $next($request);
+    }
+}
--- a/tests/MiddlewareTest.php
+++ b/tests/MiddlewareTest.php
@ -110,6 +110,51 @@ class MiddlewareTest extends TestCase

        $this->expectsEvents(\App\Events\CheckPlayerExists::class);
        $this->get("/{$player->player_name}.json");
+
+        $player = factory(\App\Models\Player::class)->create();
+        $user = \App\Models\User::find($player->uid);
+        $this->actAs($user)
+            ->post('/user/player/rename', [
+                'pid' => -1,
+                'new_player_name' => 'name'
+            ])->seeJson([
+                'errno' => 1,
+                'msg' => trans('general.unexistent-player')
+            ]);
+        $this->actAs($user)
+            ->post('/user/player/rename', [
+                'pid' => $player->pid,
+                'new_player_name' => 'name'
+            ])->seeJson([
+                'errno' => 0
+            ]);
+    }
+
+    public function testCheckPlayerOwner()
+    {
+        $other_user = factory(\App\Models\User::class)->create();
+        $player = factory(\App\Models\Player::class)->create();
+        $owner = \App\Models\User::find($player->uid);
+
+        $this->actAs($other_user)
+            ->visit('/user/player')
+            ->assertResponseStatus(200);
+
+        $this->actAs($other_user)
+            ->post('/user/player/rename', [
+                'pid' => $player->pid
+            ])->seeJson([
+                'errno' => 1,
+                'msg' => trans('admin.players.no-permission')
+            ]);
+
+        $this->actAs($owner)
+            ->post('/user/player/rename', [
+                'pid' => $player->pid,
+                'new_player_name' => 'name'
+            ])->seeJson([
+                'errno' => 0
+            ]);
    }

    public function testRedirectIfAuthenticated()
--- a/tests/PlayerControllerTest.php
+++ b/tests/PlayerControllerTest.php
@ -279,14 +279,15 @@ class PlayerControllerTest extends TestCase
    {
        // Without `preference` field
        $player = factory(Player::class)->create();
-        $this->post('/user/player/preference', [
-            'pid' => $player->pid
-        ], [
-            'X-Requested-With' => 'XMLHttpRequest'
-        ])->seeJson([
-            'errno' => 1,
-            'msg' => trans('validation.required', ['attribute' => 'preference'])
-        ]);
+        $this->actAs(User::find($player->uid))
+            ->post('/user/player/preference', [
+                'pid' => $player->pid
+            ], [
+                'X-Requested-With' => 'XMLHttpRequest'
+            ])->seeJson([
+                'errno' => 1,
+                'msg' => trans('validation.required', ['attribute' => 'preference'])
+            ]);

        // value of `preference` is invalid
        $this->post('/user/player/preference', [