Fix shopping list acl

Author: karlomikus

CHANGELOG.md

@@ -1,3 +1,7 @@
+# v5.9.3
+## Fixes
+- Fixed shopping list access check
+
 # v5.9.2
 ## Fixes
 - Fixed CSV import errors

app/Http/Controllers/ShoppingListController.php

@@ -30,7 +30,7 @@ class ShoppingListController extends Controller
     public function index(Request $request, int $id): JsonResource
     {
         $user = User::findOrFail($id);
-        if ($request->user()->id !== $user->id || $request->user()->cannot('show', $user)) {
+        if ($request->user()->id !== $user->id) {
             abort(403);
         }
 
@@ -54,7 +54,7 @@ public function index(Request $request, int $id): JsonResource
     public function batchStore(IngredientsBatchRequest $request, int $id): Response
     {
         $user = User::findOrFail($id);
-        if ($request->user()->id !== $user->id || $request->user()->cannot('show', $user)) {
+        if ($request->user()->id !== $user->id) {
             abort(403);
         }
 
@@ -111,7 +111,7 @@ public function batchStore(IngredientsBatchRequest $request, int $id): Response
     public function batchDelete(IngredientsBatchRequest $request, int $id): Response
     {
         $user = User::findOrFail($id);
-        if ($request->user()->id !== $user->id || $request->user()->cannot('show', $user)) {
+        if ($request->user()->id !== $user->id) {
             abort(403);
         }
 
@@ -150,7 +150,7 @@ public function batchDelete(IngredientsBatchRequest $request, int $id): Response
     public function share(Request $request, int $id): JsonResponse
     {
         $user = User::findOrFail($id);
-        if ($request->user()->id !== $user->id || $request->user()->cannot('show', $user)) {
+        if ($request->user()->id !== $user->id) {
             abort(403);
         }
 

tests/Feature/Http/ShoppingListControllerTest.php

@@ -9,6 +9,7 @@
 use Kami\Cocktail\Models\UserShoppingList;
 use Illuminate\Testing\Fluent\AssertableJson;
 use Illuminate\Foundation\Testing\RefreshDatabase;
+use Kami\Cocktail\Models\Enums\UserRoleEnum;
 
 class ShoppingListControllerTest extends TestCase
 {
@@ -84,4 +85,26 @@ public function test_delete_multiple_ingredients_from_shopping_list_response():
 
         $this->assertDatabaseCount('user_shopping_lists', 0);
     }
+
+    public function test_list_ingredients_on_shopping_list_response_guest_role(): void
+    {
+        $membership = $this->setupBarMembership(UserRoleEnum::Guest);
+        $this->actingAs($membership->user);
+
+        UserShoppingList::factory()->count(5)->create();
+        UserShoppingList::factory()
+            ->recycle($membership, $membership->bar, $membership->user)
+            ->count(5)
+            ->create();
+
+        $response = $this->getJson('/api/users/'. $membership->user_id .'/shopping-list', ['Bar-Assistant-Bar-Id' => $membership->bar_id]);
+
+        $response->assertOk();
+        $response->assertJson(
+            fn (AssertableJson $json) =>
+            $json
+                ->has('data', 5)
+                ->etc()
+        );
+    }
 }