From 32e620299b4d05153631e763943ec17f51962a42 Mon Sep 17 00:00:00 2001 From: Daeng Deni Mardaeni Date: Sat, 17 May 2025 11:28:17 +0700 Subject: [PATCH] feat(currency): implement role-based access control, exports, and tests for currency management - Menambahkan validasi Role-based Access Control (RBAC) untuk tindakan CRUD mata uang: 1. Validasi untuk `read`, `create`, `update`, dan `delete` pada CurrencyController. 2. Menambahkan metode `getUser()` untuk memperoleh user terautentikasi. 3. Menangani respon dengan HTTP status `403 Forbidden` jika tidak memiliki izin. - Memperbaiki rute dan logika `store` serta `update`: 1. Validasi terhadap atribut `code` disesuaikan dengan skenario update (menggunakan ID). 2. Menambahkan metode `authorize()` pada CurrencyRequest untuk memastikan izin aksi sesuai role (CRUD spesifik). - Perubahan pada view blade: 1. Menambahkan validasi izin sebelum rendering tombol `Tambah`, `Hapus`, `Export`, dan `Edit`. 2. Menambahkan logika dinamis untuk izin terkait. - Tambahan logika pada export ke Excel: 1. Validasi izin untuk `basic-data.export` sebelum mengunduh file. - Test Feature dengan PHPUnit: 1. Menambahkan test coverage untuk tindakan CRUD, validasi izin role, dan ekspor data. 2. Menggunakan database segar dengan RefreshDatabase. - Refactor penggunaan model Currency di `CurrencyExport` agar sesuai namespace setelah modifikasi. - Respon di `destroy` dan `deleteMultiple` dikembalikan dalam format JSON untuk standardisasi. - Memastikan test mencakup berbagai skenario: 1. User dengan izin vs tanpa izin. 2. Operasi data valid dan tidak valid. Penyesuaian ini meningkatkan keamanan dan manajemen peran pada modul Currency, serta memastikan pengujian yang mendalam terhadap semua fitur baru. Signed-off-by: Daeng Deni Mardaeni --- app/Exports/CurrencyExport.php | 2 +- app/Http/Controllers/CurrencyController.php | 70 ++++- app/Http/Requests/CurrencyRequest.php | 11 +- resources/views/currency/create.blade.php | 142 +++++---- resources/views/currency/index.blade.php | 27 +- tests/Feature/CurrencyControllerTest.php | 320 ++++++++++++++++++++ 6 files changed, 490 insertions(+), 82 deletions(-) create mode 100644 tests/Feature/CurrencyControllerTest.php diff --git a/app/Exports/CurrencyExport.php b/app/Exports/CurrencyExport.php index 3492a67..fa79a92 100644 --- a/app/Exports/CurrencyExport.php +++ b/app/Exports/CurrencyExport.php @@ -6,7 +6,7 @@ use Maatwebsite\Excel\Concerns\WithColumnFormatting; use Maatwebsite\Excel\Concerns\WithHeadings; use Maatwebsite\Excel\Concerns\WithMapping; - use Modules\Lpj\Models\Currency; + use Modules\Basicdata\Models\Currency; use PhpOffice\PhpSpreadsheet\Style\NumberFormat; class CurrencyExport implements WithColumnFormatting, WithHeadings, FromCollection, withMapping diff --git a/app/Http/Controllers/CurrencyController.php b/app/Http/Controllers/CurrencyController.php index 2924a82..eb42ac3 100644 --- a/app/Http/Controllers/CurrencyController.php +++ b/app/Http/Controllers/CurrencyController.php @@ -12,15 +12,35 @@ class CurrencyController extends Controller { - public $user; + /** + * Get the authenticated user. + * + * @return \Illuminate\Contracts\Auth\Authenticatable|null + */ + protected function getUser() + { + return \Illuminate\Support\Facades\Auth::guard('web')->user(); + } public function index() { + // Check if the authenticated user has the required permission to view currencies + $user = $this->getUser(); + if (is_null($user) || !$user->can('basic-data.read')) { + abort(403, 'Sorry! You are not allowed to view currencies.'); + } + return view('basicdata::currency.index'); } public function store(CurrencyRequest $request) { + // Check if the authenticated user has the required permission to create currencies + $user = $this->getUser(); + if (is_null($user) || !$user->can('basic-data.create')) { + abort(403, 'Sorry! You are not allowed to create currencies.'); + } + $validate = $request->validated(); if ($validate) { @@ -40,17 +60,35 @@ public function create() { + // Check if the authenticated user has the required permission to create currencies + $user = $this->getUser(); + if (is_null($user) || !$user->can('basic-data.create')) { + abort(403, 'Sorry! You are not allowed to create currencies.'); + } + return view('basicdata::currency.create'); } public function edit($id) { + // Check if the authenticated user has the required permission to update currencies + $user = $this->getUser(); + if (is_null($user) || !$user->can('basic-data.update')) { + abort(403, 'Sorry! You are not allowed to update currencies.'); + } + $currency = Currency::find($id); return view('basicdata::currency.create', compact('currency')); } public function update(CurrencyRequest $request, $id) { + // Check if the authenticated user has the required permission to update currencies + $user = $this->getUser(); + if (is_null($user) || !$user->can('basic-data.update')) { + abort(403, 'Sorry! You are not allowed to update currencies.'); + } + $validate = $request->validated(); if ($validate) { @@ -71,28 +109,42 @@ public function destroy($id) { + // Check if the authenticated user has the required permission to delete currencies + $user = $this->getUser(); + if (is_null($user) || !$user->can('basic-data.delete')) { + return response()->json(['success' => false, 'message' => 'Sorry! You are not allowed to delete currencies.'], 403); + } + try { // Delete from database $currency = Currency::find($id); $currency->delete(); - echo json_encode(['success' => true, 'message' => 'Currency deleted successfully']); + return response()->json(['success' => true, 'message' => 'Currency deleted successfully']); } catch (Exception $e) { - echo json_encode(['success' => false, 'message' => 'Failed to delete currency']); + return response()->json(['success' => false, 'message' => 'Failed to delete currency']); } } public function deleteMultiple(Request $request) { + // Check if the authenticated user has the required permission to delete currencies + $user = $this->getUser(); + if (is_null($user) || !$user->can('basic-data.delete')) { + return response()->json(['success' => false, 'message' => 'Sorry! You are not allowed to delete currencies.'], 403); + } + $ids = $request->input('ids'); Currency::whereIn('id', $ids)->delete(); - return response()->json(['message' => 'Currencies deleted successfully']); + return response()->json(['success' => true, 'message' => 'Currencies deleted successfully']); } public function dataForDatatables(Request $request) { - if (is_null($this->user) || !$this->user->can('currency.view')) { - //abort(403, 'Sorry! You are not allowed to view users.'); + // Check if the authenticated user has the required permission to view currencies + $user = $this->getUser(); + if (is_null($user) || !$user->can('basic-data.read')) { + return response()->json(['success' => false, 'message' => 'Sorry! You are not allowed to view currencies.'], 403); } // Retrieve data from the database @@ -153,6 +205,12 @@ public function export() { + // Check if the authenticated user has the required permission to export currencies + $user = $this->getUser(); + if (is_null($user) || !$user->can('basic-data.export')) { + abort(403, 'Sorry! You are not allowed to export currencies.'); + } + return Excel::download(new CurrencyExport, 'currency.xlsx'); } } diff --git a/app/Http/Requests/CurrencyRequest.php b/app/Http/Requests/CurrencyRequest.php index 247796a..2868727 100644 --- a/app/Http/Requests/CurrencyRequest.php +++ b/app/Http/Requests/CurrencyRequest.php @@ -23,7 +23,8 @@ ]; if ($this->method() == 'PUT') { - $rules['code'] = 'required|string|max:3|unique:currencies,code,' . $this->id; + $id = $this->id ? (int)$this->id : null; + $rules['code'] = 'required|string|max:3|unique:currencies,code,' . $id; } else { $rules['code'] = 'required|string|max:3|unique:currencies,code'; } @@ -37,6 +38,14 @@ public function authorize() : bool { + $user = auth()->guard('web')->user(); + + if ($this->method() == 'PUT') { + return $user && $user->can('basic-data.update'); + } elseif ($this->method() == 'POST') { + return $user && $user->can('basic-data.create'); + } + return true; } } diff --git a/resources/views/currency/create.blade.php b/resources/views/currency/create.blade.php index 5b1c3e8..a9f973a 100644 --- a/resources/views/currency/create.blade.php +++ b/resources/views/currency/create.blade.php @@ -6,75 +6,83 @@ @section('content')
- @if(isset($currency->id)) -
+ + @csrf + @if(isset($currency->id)) @method('PUT') - @else - - @endif - @csrf -
-
-

- {{ isset($currency->id) ? 'Edit' : 'Tambah' }} Currency -

-
- Back -
-
-
-
- -
- - @error('code') - {{ $message }} - @enderror -
-
-
- -
- - @error('name') - {{ $message }} - @enderror -
-
-
- -
- - @error('symbol') - {{ $message }} - @enderror -
-
-
- -
- - @error('decimal_places') - {{ $message }} - @enderror -
-
-
- -
-
+ @endif +
+
+

+ {{ isset($currency->id) ? 'Edit' : 'Tambah' }} Currency +

+
+ Back +
+
+
+
+ +
+ + @error('code') + {{ $message }} + @enderror
- +
+
+ +
+ + @error('name') + {{ $message }} + @enderror +
+
+
+ +
+ + @error('symbol') + {{ $message }} + @enderror +
+
+
+ +
+ + @error('decimal_places') + {{ $message }} + @enderror +
+
+
+ @if(isset($currency->id)) + @can('basic-data.update') + + @endcan + @else + @can('basic-data.create') + + @endcan + @endif +
+
+
+
@endsection diff --git a/resources/views/currency/index.blade.php b/resources/views/currency/index.blade.php index 63a0cad..debadd8 100644 --- a/resources/views/currency/index.blade.php +++ b/resources/views/currency/index.blade.php @@ -19,9 +19,15 @@
+ @can('basic-data.export') Export to Excel + @endcan + @can('basic-data.create') Tambah Mata Uang + @endcan + @can('basic-data.delete') + @endcan
@@ -178,14 +184,22 @@ actions: { title: 'Status', render: (item, data) => { - return `
- + let html = `
`; + + @can('basic-data.update') + html += ` - - + `; + @endcan + + @can('basic-data.delete') + html += ` - -
`; + `; + @endcan + + html += `
`; + return html; }, } }, @@ -227,4 +241,3 @@ window.dataTable = dataTable; @endpush - diff --git a/tests/Feature/CurrencyControllerTest.php b/tests/Feature/CurrencyControllerTest.php new file mode 100644 index 0000000..7318bf9 --- /dev/null +++ b/tests/Feature/CurrencyControllerTest.php @@ -0,0 +1,320 @@ + 'basic-data', + 'slug' => 'basic-data' + ]); + + // Create permissions with permission_group_id + Permission::create([ + 'name' => 'basic-data.create', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + Permission::create([ + 'name' => 'basic-data.read', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + Permission::create([ + 'name' => 'basic-data.update', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + Permission::create([ + 'name' => 'basic-data.delete', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + Permission::create([ + 'name' => 'basic-data.export', + 'guard_name' => 'web', + 'permission_group_id' => $permissionGroup->id + ]); + + // Create admin role with all permissions + $this->adminRole = Role::create(['name' => 'admin', 'guard_name' => 'web']); + $this->adminRole->givePermissionTo(Permission::all()); + + // Create a user with admin role + $this->user = User::factory()->create(); + $this->user->assignRole($this->adminRole); + + // Create a currency for testing + $this->currency = Currency::create([ + 'code' => 'USD', + 'name' => 'US Dollar', + 'symbol' => '$', + 'decimal_places' => 2, + 'created_by' => null, + 'updated_by' => null, + 'deleted_by' => null, + 'authorized_by' => null + ]); + } + + #[Test] + public function user_with_permission_can_view_currencies_index() + { + $response = $this->actingAs($this->user) + ->get(route('basicdata.currency.index')); + + $response->assertStatus(200); + } + + #[Test] + public function user_without_permission_cannot_view_currencies_index() + { + // Create a role without permissions + $role = Role::create(['name' => 'viewer', 'guard_name' => 'web']); + + // Create a user with the viewer role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->get(route('basicdata.currency.index')); + + $response->assertStatus(403); + } + + #[Test] + public function user_with_permission_can_create_currency() + { + $response = $this->actingAs($this->user) + ->get(route('basicdata.currency.create')); + + $response->assertStatus(200); + } + + #[Test] + public function user_without_permission_cannot_create_currency() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->get(route('basicdata.currency.create')); + + $response->assertStatus(403); + } + + #[Test] + public function user_with_permission_can_store_currency() + { + $currencyData = [ + 'code' => 'EUR', + 'name' => 'Euro', + 'symbol' => '€', + 'decimal_places' => 2 + ]; + + $response = $this->actingAs($this->user) + ->post(route('basicdata.currency.store'), $currencyData); + + $response->assertRedirect(route('basicdata.currency.index')); + + // Only check the fields we're explicitly setting + $this->assertDatabaseHas('currencies', [ + 'code' => 'EUR', + 'name' => 'Euro', + 'symbol' => '€', + 'decimal_places' => 2 + ]); + } + + #[Test] + public function user_without_permission_cannot_store_currency() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $currencyData = [ + 'code' => 'EUR', + 'name' => 'Euro', + 'symbol' => '€', + 'decimal_places' => 2 + ]; + + $response = $this->actingAs($user) + ->post(route('basicdata.currency.store'), $currencyData); + + $response->assertStatus(403); + $this->assertDatabaseMissing('currencies', [ + 'code' => 'EUR', + 'name' => 'Euro' + ]); + } + + #[Test] + public function user_with_permission_can_edit_currency() + { + $response = $this->actingAs($this->user) + ->get(route('basicdata.currency.edit', $this->currency->id)); + + $response->assertStatus(200); + } + + #[Test] + public function user_without_permission_cannot_edit_currency() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->get(route('basicdata.currency.edit', $this->currency->id)); + + $response->assertStatus(403); + } + + #[Test] + public function user_with_permission_can_update_currency() + { + $updatedData = [ + 'id' => $this->currency->id, // Include the ID in the request + 'code' => 'GBP', + 'name' => 'British Pound', + 'symbol' => '£', + 'decimal_places' => 2 + ]; + + $response = $this->actingAs($this->user) + ->put(route('basicdata.currency.update', $this->currency->id), $updatedData); + + $response->assertRedirect(route('basicdata.currency.index')); + + // Only check the fields we're explicitly setting + $this->assertDatabaseHas('currencies', [ + 'id' => $this->currency->id, + 'code' => 'GBP', + 'name' => 'British Pound', + 'symbol' => '£', + 'decimal_places' => 2 + ]); + } + + #[Test] + public function user_without_permission_cannot_update_currency() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $updatedData = [ + 'id' => $this->currency->id, // Include the ID in the request + 'code' => 'GBP', + 'name' => 'British Pound', + 'symbol' => '£', + 'decimal_places' => 2 + ]; + + $response = $this->actingAs($user) + ->put(route('basicdata.currency.update', $this->currency->id), $updatedData); + + $response->assertStatus(403); + + // Verify the currency wasn't updated - check that it still has the original values + $this->assertDatabaseHas('currencies', [ + 'id' => $this->currency->id, + 'code' => 'USD', // Original value + 'name' => 'US Dollar' // Original value + ]); + } + + #[Test] + public function user_with_permission_can_delete_currency() + { + $response = $this->actingAs($this->user) + ->delete(route('basicdata.currency.destroy', $this->currency->id)); + + $response->assertJson(['success' => true]); + $this->assertSoftDeleted($this->currency); + } + + #[Test] + public function user_without_permission_cannot_delete_currency() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->delete(route('basicdata.currency.destroy', $this->currency->id)); + + $response->assertStatus(403); + $this->assertDatabaseHas('currencies', ['id' => $this->currency->id, 'deleted_at' => null]); + } + + #[Test] + public function user_with_permission_can_export_currencies() + { + $response = $this->actingAs($this->user) + ->get(route('basicdata.currency.export')); + + $response->assertStatus(200); + } + + #[Test] + public function user_without_permission_cannot_export_currencies() + { + // Create a role with only read permission + $role = Role::create(['name' => 'reader', 'guard_name' => 'web']); + $role->givePermissionTo('basic-data.read'); + + // Create a user with the reader role + $user = User::factory()->create(); + $user->assignRole($role); + + $response = $this->actingAs($user) + ->get(route('basicdata.currency.export')); + + $response->assertStatus(403); + } +}