(add authorization tests for publishing concerts)

2026-01-26 11:14:06 +00:00 · 2017-07-10 14:37:01 -04:00
parent 85a81dc0ea
commit d4c1a32dc6
3 changed files with 53 additions and 2 deletions
--- a/app/Http/Controllers/Backstage/PublishedConcertsController.php
+++ b/app/Http/Controllers/Backstage/PublishedConcertsController.php
@@ -6,18 +6,20 @@ use App\Concert;
 use Carbon\Carbon;
 use Illuminate\Http\Request;
 use App\Http\Controllers\Controller;
+use Illuminate\Support\Facades\Auth;

 class PublishedConcertsController extends Controller
 {
    public function store()
    {
-        $concert = Concert::find(request('concert_id'));
+        $concert = Auth::user()->concerts()->findOrFail(request('concert_id'));

        if ($concert->isPublished()) {
            abort(422);
        }

        $concert->publish();
+
        return redirect()->route('backstage.concerts.index');
    }
 }
--- a/routes/web.php
+++ b/routes/web.php
@@ -25,6 +25,6 @@ Route::group(['middleware' => 'auth', 'prefix' => 'backstage', 'namespace' => 'B
    Route::post('/concerts', 'ConcertsController@store');
    Route::get('/concerts/{id}/edit', 'ConcertsController@edit')->name('backstage.concerts.edit');
    Route::patch('/concerts/{id}', 'ConcertsController@update')->name('backstage.concerts.update');
+    Route::post('/published-concerts', 'PublishedConcertsController@store');
 });

-Route::post('/backstage/published-concerts', 'Backstage\PublishedConcertsController@store');
--- a/tests/Feature/Backstage/PublishConcertTest.php
+++ b/tests/Feature/Backstage/PublishConcertTest.php
@@ -48,4 +48,53 @@ class PublishConcertTest extends TestCase
        $response->assertStatus(422);
        $this->assertEquals(3, $concert->fresh()->ticketsRemaining());
    }
+
+    /** @test */
+    function a_promoter_cannot_publish_other_concerts()
+    {
+        $user = factory(User::class)->create();
+        $otherUser = factory(User::class)->create();
+        $concert = factory(Concert::class)->states('unpublished')->create([
+            'user_id' => $otherUser->id,
+            'ticket_quantity' => 3,
+        ]);
+
+        $response = $this->actingAs($user)->post('/backstage/published-concerts', [
+            'concert_id' => $concert->id,
+        ]);
+
+        $response->assertStatus(404);
+        $concert = $concert->fresh();
+        $this->assertFalse($concert->isPublished());
+        $this->assertEquals(0, $concert->ticketsRemaining());
+    }
+
+    /** @test */
+    function a_guest_cannot_publish_concerts()
+    {
+        $concert = factory(Concert::class)->states('unpublished')->create([
+            'ticket_quantity' => 3,
+        ]);
+
+        $response = $this->post('/backstage/published-concerts', [
+            'concert_id' => $concert->id,
+        ]);
+
+        $response->assertRedirect('/login');
+        $concert = $concert->fresh();
+        $this->assertFalse($concert->isPublished());
+        $this->assertEquals(0, $concert->ticketsRemaining());
+    }
+
+    /** @test */
+    function concerts_that_do_not_exist_cannot_be_published()
+    {
+        $user = factory(User::class)->create();
+
+        $response = $this->actingAs($user)->post('/backstage/published-concerts', [
+            'concert_id' => 999,
+        ]);
+
+        $response->assertStatus(404);
+    }
 }