tristan-orourke
commented
1 month ago api/tests/UsesProtectedRequestContext.php - this trait will be useful for tests
Open tristan-orourke opened 2 months ago
tristan-orourke
commented
1 month ago api/tests/UsesProtectedRequestContext.php - this trait will be useful for tests
🐛 Bug
Our custom ProtectedRequestUserChecker class adds an extra layer to the Laratrust isAbleTo check. If a permission would require any role besides Applicant or Base roles, it fails unless the request came from the Protected endpoint.
However, in the case of an array of permissions being passed in, it seems to always fail. The default behaviour of this method is to pass as long as the user has one of the permissions (unless a second parameter of
trueis passed in).🦋 Expected Behaviour
If an array of permissions is passed in, without a second parameter of
true, then ProtectedRequestUserChecker should evaluate each permission separately. As long as any one permission belongs to the user and is unprivileged, then it should succeed even outside of a privileged request.🕵️ Details
This is related to #11144 and #11143.
📋 Steps to Reproduce
php artisan tinker$applicant = User::where('email', 'applicant@test.com')->first()$applicant->isAbleTo('view-own-application')and `$applicant->isAbleTo(['view-own-application'])🙋♀️ Proposed Solution
Split the array internally (privileged and unprivileged) and check them separately.
✅ Acceptance Criteria
A set of assumptions which, when tested, verify that the bug was addressed.
user->isAbleTo(), without a second parameter oftrue, then ProtectedRequestUserChecker should evaluate each permission separately. As long as any one permission belongs to the user and is unprivileged, then it should succeed even outside of a privileged request.trueis passed in, if should return true if and only if: