Add access permission (#13)

* Added access permission for detours. analyse and style

* Fix failing test and quality script

* Add tests for the new middleware authorizing the routes

Author: niekboon

config/statamic-detour.php

@@ -23,4 +23,8 @@
     ],
 
     'queue' => 'default',
+
+    'permissions' => [
+        'access' => 'access detours',
+    ],
 ];

routes/cp.php

@@ -4,15 +4,17 @@
 use JustBetter\Detour\Http\Controllers\DetourController;
 use JustBetter\Detour\Http\Controllers\ImportExportController;
 
-Route::prefix('detours')->group(function () {
-    Route::get('/', [DetourController::class, 'index'])->name('justbetter.detours.index');
+Route::prefix('detours')
+    ->middleware('detours.access')
+    ->group(function () {
+        Route::get('/', [DetourController::class, 'index'])->name('justbetter.detours.index');
 
-    Route::post('/store', [DetourController::class, 'store'])->name('justbetter.detours.store');
+        Route::post('/store', [DetourController::class, 'store'])->name('justbetter.detours.store');
 
-    Route::delete('/{detour}', [DetourController::class, 'destroy'])->name('justbetter.detours.destroy');
+        Route::delete('/{detour}', [DetourController::class, 'destroy'])->name('justbetter.detours.destroy');
 
-    Route::get('/actions', [ImportExportController::class, 'index'])->name('justbetter.detours.actions.index');
-    Route::get('/actions/export', [ImportExportController::class, 'export'])->name('justbetter.detours.actions.export');
+        Route::get('/actions', [ImportExportController::class, 'index'])->name('justbetter.detours.actions.index');
+        Route::get('/actions/export', [ImportExportController::class, 'export'])->name('justbetter.detours.actions.export');
 
-    Route::post('/actions/import', [ImportExportController::class, 'import'])->name('justbetter.detours.actions.import');
-});
+        Route::post('/actions/import', [ImportExportController::class, 'import'])->name('justbetter.detours.actions.import');
+    });

src/Http/Middleware/AuthorizeDetours.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace JustBetter\Detour\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Statamic\Facades\User;
+use Symfony\Component\HttpFoundation\Response;
+
+class AuthorizeDetours
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $user = User::current();
+        $permission = config()->string('justbetter.statamic-detour.permissions.access');
+
+        abort_unless(
+            $user && ($user->isSuper() || $user->hasPermission($permission)),
+            403
+        );
+
+        return $next($request);
+    }
+}

src/Http/Requests/ImportRequest.php

@@ -2,6 +2,7 @@
 
 namespace JustBetter\Detour\Http\Requests;
 
+use Illuminate\Contracts\Validation\ValidationRule;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Http\UploadedFile;
 use Illuminate\Validation\Validator;
@@ -16,7 +17,7 @@ class ImportRequest extends FormRequest
     protected array $requiredHeaders = ['from', 'to', 'type', 'code'];
 
     /**
-     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     * @return array<string, ValidationRule|array<mixed>|string>
      */
     public function rules(): array
     {

src/Http/Requests/IndexRequest.php

@@ -2,6 +2,7 @@
 
 namespace JustBetter\Detour\Http\Requests;
 
+use Illuminate\Contracts\Validation\ValidationRule;
 use Illuminate\Foundation\Http\FormRequest;
 
 /**
@@ -10,7 +11,7 @@
 class IndexRequest extends FormRequest
 {
     /**
-     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     * @return array<string, ValidationRule|array<mixed>|string>
      */
     public function rules(): array
     {

src/Http/Requests/StoreRequest.php

@@ -2,6 +2,7 @@
 
 namespace JustBetter\Detour\Http\Requests;
 
+use Illuminate\Contracts\Validation\ValidationRule;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Validation\Rule;
 
@@ -15,7 +16,7 @@
 class StoreRequest extends FormRequest
 {
     /**
-     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     * @return array<string, ValidationRule|array<mixed>|string>
      */
     public function rules(): array
     {

src/ServiceProvider.php

@@ -15,9 +15,12 @@
 use JustBetter\Detour\Actions\MatchDetour;
 use JustBetter\Detour\Actions\ResolveRepository;
 use JustBetter\Detour\Actions\StoreDetour;
+use JustBetter\Detour\Http\Middleware\AuthorizeDetours;
 use JustBetter\Detour\Http\Middleware\RedirectIfNeeded;
 use JustBetter\Detour\Repositories\FileRepository;
+use Statamic\Auth\Permission;
 use Statamic\Facades\CP\Nav;
+use Statamic\Facades\Permission as PermissionFacade;
 use Statamic\Providers\AddonServiceProvider;
 
 class ServiceProvider extends AddonServiceProvider
@@ -76,6 +79,9 @@ protected function registerMiddleware(): static
     {
         $this->app->booted(function () {
             $router = app(Router::class);
+
+            $router->aliasMiddleware('detours.access', AuthorizeDetours::class);
+
             if (config('justbetter.statamic-detour.mode') === 'performance') {
                 $router->pushMiddlewareToGroup('web', RedirectIfNeeded::class);
             } else {
@@ -90,6 +96,7 @@ public function bootAddon(): void
     {
         $this
             ->bootConfig()
+            ->bootPermissions()
             ->bootNavigation()
             ->bootMigrations();
     }
@@ -110,17 +117,33 @@ function ($nav) {
                 $nav->content('Overview')
                     ->section('Detours')
                     ->route('justbetter.detours.index')
-                    ->icon('<svg class="svg-icon" style="width: 2em; height: 2em;vertical-align: middle;text-align:center;fill: currentColor;overflow: hidden;" viewBox="0 0 1024 1024" version="1.1" xmlns="http://www.w3.org/2000/svg"><path d="M653.328 125.024l-56.576 56.704L734.88 320H399.68C240.88 320 112 448.992 112 607.776c0 158.816 128 287.952 288 287.952v-80c-112 0-208-93.312-208-208.016 0-114.688 93.152-208 207.84-208h334.96l-137.888 137.856 56.528 56.56 234.48-234.496L653.344 125.024z" fill="#565D64" /></svg>');
+                    ->can(config()->string('justbetter.statamic-detour.permissions.access'))
+                    ->icon('<svg class="svg-icon" style="width: 1.25em; height: 1.25em;vertical-align: middle;text-align:center;fill: currentColor;overflow: hidden;" viewBox="0 0 1024 1024" version="1.1" xmlns="http://www.w3.org/2000/svg"><path d="M653.328 125.024l-56.576 56.704L734.88 320H399.68C240.88 320 112 448.992 112 607.776c0 158.816 128 287.952 288 287.952v-80c-112 0-208-93.312-208-208.016 0-114.688 93.152-208 207.84-208h334.96l-137.888 137.856 56.528 56.56 234.48-234.496L653.344 125.024z" fill="#565D64" /></svg>');
 
                 $nav->content('Import / Export')
                     ->section('Detours')
                     ->route('justbetter.detours.actions.index')
+                    ->can(config()->string('justbetter.statamic-detour.permissions.access'))
                     ->icon('<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M7 4v12"/><path d="M4 13l3 3 3-3"/><path d="M17 20V8"/><path d="M14 11l3-3 3 3"/></svg>');
             });
 
         return $this;
     }
 
+    protected function bootPermissions(): static
+    {
+        PermissionFacade::group('detours', 'Detours', function () {
+            $permission = config()->string('justbetter.statamic-detour.permissions.access');
+            PermissionFacade::register($permission, function (Permission $permission) {
+                $permission
+                    ->label('Access detours')
+                    ->description('Gives the user access to managing detours (view, create, delete)');
+            });
+        });
+
+        return $this;
+    }
+
     protected function bootMigrations(): static
     {
         $driver = config('justbetter.statamic-detour.driver');

tests/Http/Controllers/DetourControllerTest.php

@@ -10,12 +10,19 @@
 use JustBetter\Detour\Http\Requests\IndexRequest;
 use JustBetter\Detour\Tests\TestCase;
 use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\User;
 
 class DetourControllerTest extends TestCase
 {
     #[Test]
     public function it_can_load_a_view(): void
     {
+        /** @var \Statamic\Auth\File\User $user */
+        $user = User::make();
+        $user->id('test-user')->email('test@example.com')->makeSuper();
+
+        $this->actingAs($user);
+
         $controller = app(DetourController::class);
         $contract = app(ListsDetours::class);
         $request = IndexRequest::create('/cp/detours', 'GET');

tests/Http/Middleware/AuthorizeDetoursTest.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace JustBetter\Detour\Tests\Http\Middleware;
+
+use JustBetter\Detour\Tests\TestCase;
+use PHPUnit\Framework\Attributes\Test;
+use Statamic\Facades\Role;
+use Statamic\Facades\User;
+
+class AuthorizeDetoursTest extends TestCase
+{
+    #[Test]
+    public function it_forbids_users_without_the_detours_permission(): void
+    {
+        $role = Role::make('cp-only')->permissions(['access cp']);
+        $role->save();
+
+        /** @var \Statamic\Auth\File\User $user */
+        $user = User::make();
+        $user
+            ->id('test-user-no-detours')
+            ->email('no-detours@example.com')
+            ->assignRole($role)
+            ->save();
+
+        $this->actingAs($user);
+
+        $this->get(cp_route('index'))->assertRedirect(cp_route('dashboard'));
+        $this->get(cp_route('justbetter.detours.index'))->assertForbidden();
+    }
+
+    #[Test]
+    public function it_can_authorize_detours(): void
+    {
+        $permission = config()->string('justbetter.statamic-detour.permissions.access');
+
+        $role = Role::make('detours-access')->permissions(['access cp', $permission]);
+        $role->save();
+
+        /** @var \Statamic\Auth\File\User $user */
+        $user = User::make();
+        $user
+            ->id('test-user-with-detours')
+            ->email('with-detours@example.com')
+            ->assignRole($role)
+            ->save();
+
+        $this->actingAs($user);
+
+        $this->get(cp_route('index'))->assertRedirect(cp_route('dashboard'));
+        $this->get(cp_route('justbetter.detours.index'))->assertOk();
+    }
+}