feat(laravel): automatically register policies (#6623)

valentindrdt · web-flow · commit 00787f32da54 · 2024-09-18T18:02:54.000+02:00
* feat: if a policy matches the name of a model we automatically register it, no need to do it manually anymore

* fix: optimising the way we handle collection

* fix: phpstan

* fix: cs-fixer
diff --git a/src/Laravel/Eloquent/Metadata/Factory/Resource/EloquentResourceCollectionMetadataFactory.php b/src/Laravel/Eloquent/Metadata/Factory/Resource/EloquentResourceCollectionMetadataFactory.php
@@ -18,13 +18,29 @@
 use ApiPlatform\Laravel\Eloquent\State\PersistProcessor;
 use ApiPlatform\Laravel\Eloquent\State\RemoveProcessor;
 use ApiPlatform\Metadata\CollectionOperationInterface;
+use ApiPlatform\Metadata\Delete;
 use ApiPlatform\Metadata\DeleteOperationInterface;
+use ApiPlatform\Metadata\Get;
+use ApiPlatform\Metadata\GetCollection;
+use ApiPlatform\Metadata\Patch;
+use ApiPlatform\Metadata\Post;
+use ApiPlatform\Metadata\Put;
 use ApiPlatform\Metadata\Resource\Factory\ResourceMetadataCollectionFactoryInterface;
 use ApiPlatform\Metadata\Resource\ResourceMetadataCollection;
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Facades\Gate;
 
 final class EloquentResourceCollectionMetadataFactory implements ResourceMetadataCollectionFactoryInterface
 {
+    private const POLICY_METHODS = [
+        Put::class => 'update',
+        Post::class => 'create',
+        Get::class => 'view',
+        GetCollection::class => 'viewAny',
+        Delete::class => 'delete',
+        Patch::class => 'update',
+    ];
+
     public function __construct(
         private readonly ResourceMetadataCollectionFactoryInterface $decorated,
     ) {
@@ -55,6 +71,17 @@ public function create(string $resourceClass): ResourceMetadataCollection
                     $operation = $operation->withProvider($operation instanceof CollectionOperationInterface ? CollectionProvider::class : ItemProvider::class);
                 }
 
+                if (!$operation->getPolicy() && ($policy = Gate::getPolicyFor($model))) {
+                    $policyMethod = self::POLICY_METHODS[$operation::class] ?? null;
+                    if ($operation instanceof Put && $operation->getAllowCreate()) {
+                        $policyMethod = self::POLICY_METHODS[Post::class];
+                    }
+
+                    if ($policyMethod && method_exists($policy, $policyMethod)) {
+                        $operation = $operation->withPolicy($policyMethod);
+                    }
+                }
+
                 if (!$operation->getProcessor()) {
                     $operation = $operation->withProcessor($operation instanceof DeleteOperationInterface ? RemoveProcessor::class : PersistProcessor::class);
                 }
diff --git a/src/Laravel/Security/ResourceAccessChecker.php b/src/Laravel/Security/ResourceAccessChecker.php
@@ -13,13 +13,19 @@
 
 namespace ApiPlatform\Laravel\Security;
 
+use ApiPlatform\Laravel\Eloquent\Paginator;
 use ApiPlatform\Metadata\ResourceAccessCheckerInterface;
 use Illuminate\Support\Facades\Gate;
 
 class ResourceAccessChecker implements ResourceAccessCheckerInterface
 {
     public function isGranted(string $resourceClass, string $expression, array $extraVariables = []): bool
     {
-        return Gate::allows($expression, $extraVariables['object']);
+        return Gate::allows(
+            $expression,
+            $extraVariables['object'] instanceof Paginator ?
+                $resourceClass :
+                $extraVariables['object']
+        );
     }
 }
diff --git a/src/Laravel/Tests/Policy/BookAllowPolicy.php b/src/Laravel/Tests/Policy/BookAllowPolicy.php
@@ -0,0 +1,60 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Laravel\Tests\Policy;
+
+use Illuminate\Foundation\Auth\User;
+use Workbench\App\Models\Book;
+
+class BookAllowPolicy
+{
+    /**
+     * Determine whether the user can view any models.
+     */
+    public function viewAny(?User $user): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     */
+    public function view(?User $user, Book $book): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can create models.
+     */
+    public function create(?User $user): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     */
+    public function update(?User $user, Book $book): bool
+    {
+        return true;
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     */
+    public function delete(?User $user, Book $book): bool
+    {
+        return true;
+    }
+}
diff --git a/src/Laravel/Tests/Policy/BookDenyPolicy.php b/src/Laravel/Tests/Policy/BookDenyPolicy.php
@@ -0,0 +1,60 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Laravel\Tests\Policy;
+
+use Illuminate\Foundation\Auth\User;
+use Workbench\App\Models\Book;
+
+class BookDenyPolicy
+{
+    /**
+     * Determine whether the user can view any models.
+     */
+    public function viewAny(?User $user): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     */
+    public function view(?User $user, Book $book): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can create models.
+     */
+    public function create(?User $user): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     */
+    public function update(?User $user, Book $book): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     */
+    public function delete(?User $user, Book $book): bool
+    {
+        return false;
+    }
+}
diff --git a/src/Laravel/Tests/Policy/PolicyAllowTest.php b/src/Laravel/Tests/Policy/PolicyAllowTest.php
@@ -0,0 +1,149 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Laravel\Tests\Policy;
+
+use ApiPlatform\Laravel\Test\ApiTestAssertionsTrait;
+use Illuminate\Contracts\Config\Repository;
+use Illuminate\Foundation\Application;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Gate;
+use Orchestra\Testbench\Concerns\WithWorkbench;
+use Orchestra\Testbench\TestCase;
+use Workbench\App\Models\Author;
+use Workbench\App\Models\Book;
+
+class PolicyAllowTest extends TestCase
+{
+    use ApiTestAssertionsTrait;
+    use RefreshDatabase;
+    use WithWorkbench;
+
+    /**
+     * @param Application $app
+     */
+    protected function defineEnvironment($app): void
+    {
+        Gate::guessPolicyNamesUsing(function (string $modelClass) {
+            return Book::class === $modelClass ?
+                BookAllowPolicy::class :
+                null;
+        });
+
+        tap($app['config'], function (Repository $config): void {
+            $config->set('api-platform.formats', ['jsonapi' => ['application/vnd.api+json']]);
+            $config->set('api-platform.docs_formats', ['jsonapi' => ['application/vnd.api+json']]);
+        });
+    }
+
+    public function testGetCollection(): void
+    {
+        $response = $this->get('/api/books', ['accept' => ['application/vnd.api+json']]);
+        $response->assertStatus(200);
+    }
+
+    public function testGetEmptyColelction(): void
+    {
+        $response = $this->get('/api/books?publicationDate[gt]=9999-12-31', ['accept' => ['application/vnd.api+json']]);
+        $response->assertStatus(200);
+        $response->assertJsonFragment([
+            'meta' => [
+                'totalItems' => 0,
+                'itemsPerPage' => 5,
+                'currentPage' => 1,
+            ],
+        ]);
+    }
+
+    public function testGetBook(): void
+    {
+        $book = Book::first();
+        $iri = $this->getIriFromResource($book);
+        $response = $this->get($iri, ['accept' => ['application/vnd.api+json']]);
+        $response->assertStatus(200);
+    }
+
+    public function testCreateBook(): void
+    {
+        $author = Author::find(1);
+        $response = $this->postJson(
+            '/api/books',
+            [
+                'data' => [
+                    'attributes' => [
+                        'name' => 'Don Quichotte',
+                        'isbn' => fake()->isbn13(),
+                        'publicationDate' => fake()->optional()->date(),
+                    ],
+                    'relationships' => [
+                        'author' => [
+                            'data' => [
+                                'id' => $this->getIriFromResource($author),
+                                'type' => 'Author',
+                            ],
+                        ],
+                    ],
+                ],
+            ],
+            [
+                'accept' => 'application/vnd.api+json',
+                'content_type' => 'application/vnd.api+json',
+            ]
+        );
+
+        $response->assertStatus(201);
+    }
+
+    public function testUpdateBook(): void
+    {
+        $book = Book::first();
+        $iri = $this->getIriFromResource($book);
+        $response = $this->putJson(
+            $iri,
+            [
+                'data' => ['attributes' => ['name' => 'updated title']],
+            ],
+            [
+                'accept' => 'application/vnd.api+json',
+                'content_type' => 'application/vnd.api+json',
+            ]
+        );
+        $response->assertStatus(200);
+    }
+
+    public function testPatchBook(): void
+    {
+        $book = Book::first();
+        $iri = $this->getIriFromResource($book);
+        $response = $this->patchJson(
+            $iri,
+            [
+                'name' => 'updated title',
+            ],
+            [
+                'accept' => 'application/vnd.api+json',
+                'content_type' => 'application/merge-patch+json',
+            ]
+        );
+        $response->assertStatus(200);
+    }
+
+    public function testDeleteBook(): void
+    {
+        $book = Book::first();
+        $iri = $this->getIriFromResource($book);
+        $response = $this->delete($iri, headers: ['accept' => 'application/vnd.api+json']);
+        $response->assertStatus(204);
+        $this->assertNull(Book::find($book->id));
+    }
+}
diff --git a/src/Laravel/Tests/Policy/PolicyDenyTest.php b/src/Laravel/Tests/Policy/PolicyDenyTest.php

Original file line number	Diff line number	Diff line change
`@@ -13,13 +13,19 @@`
`13`	`13`
`14`	`14`	`namespace ApiPlatform\Laravel\Security;`
`15`	`15`
	`16`	`+use ApiPlatform\Laravel\Eloquent\Paginator;`
`16`	`17`	`use ApiPlatform\Metadata\ResourceAccessCheckerInterface;`
`17`	`18`	`use Illuminate\Support\Facades\Gate;`
`18`	`19`
`19`	`20`	`class ResourceAccessChecker implements ResourceAccessCheckerInterface`
`20`	`21`	`{`
`21`	`22`	`public function isGranted(string $resourceClass, string $expression, array $extraVariables = []): bool`
`22`	`23`	`{`
`23`		`- return Gate::allows($expression, $extraVariables['object']);`
	`24`	`+ return Gate::allows(`
	`25`	`+ $expression,`
	`26`	`+ $extraVariables['object'] instanceof Paginator ?`
	`27`	`+ $resourceClass :`
	`28`	`+ $extraVariables['object']`
	`29`	`+ );`
`24`	`30`	`}`
`25`	`31`	`}`