Add authorization to saving saved reports route

2026-05-01 20:26:39 +00:00 · 2023-12-11 15:34:17 -08:00
parent c3845f4393
commit 52028ddef2
3 changed files with 21 additions and 0 deletions
--- a/app/Http/Controllers/SavedReportsController.php
+++ b/app/Http/Controllers/SavedReportsController.php
@ -8,6 +8,8 @@ class SavedReportsController extends Controller
 {
    public function store(Request $request)
    {
+        $this->authorize('reports.view');
+
        $report = $request->user()->savedReports()->create([
            'name' => $request->get('report_name'),
            'options' => $request->except(['_token', 'report_name']),
--- a/routes/web.php
+++ b/routes/web.php
@ -357,6 +357,7 @@ Route::group(['middleware' => ['auth']], function () {
    )->name('reports/export/accessories');
    Route::get('reports/custom', [ReportsController::class, 'getCustomReport'])->name('reports/custom');
    Route::post('reports/custom', [ReportsController::class, 'postCustom']);
+    // @todo: change to saved-template?
    Route::post('reports/savedtemplate', [SavedReportsController::class, 'store'])->name('savedreports/store');

    Route::get(
--- a/tests/Feature/SavedReports/SavedReportsTest.php
+++ b/tests/Feature/SavedReports/SavedReportsTest.php
@ -49,4 +49,22 @@ class SavedReportsTest extends TestCase
    {
        $this->markTestIncomplete();
    }
+
+    public function testSavingReportRequiresValidFields()
+    {
+        $this->markTestIncomplete();
+
+        $this->actingAs(User::factory()->canViewReports()->create())
+            ->post(route('savedreports/store'), [
+                //
+            ])
+            ->assertSessionHasErrors('report_name');
+    }
+
+    public function testSavingReportRequiresCorrectPermission()
+    {
+        $this->actingAs(User::factory()->create())
+            ->post(route('savedreports/store'))
+            ->assertForbidden();
+    }
 }