diff --git a/src/MediaController.php b/src/MediaController.php
index b72bc10..e2081de 100644
--- a/src/MediaController.php
+++ b/src/MediaController.php
@@ -62,6 +62,8 @@ class MediaController
     public function update(Request $request, Media $media): MediaData
     {
+        $this->authorize('updateMedia', $media->model);
+
         $rules = collect($media->model->getMediaCollection($media->collection_name)->runCallback('withPropertyValidation', $media->file_name)) ->mapWithKeys(fn ($rule, $key) => ["properties.{$key}" => $rule])->toArray();
@@ -76,6 +78,7 @@ class MediaController
     {
         $model = app('media-library-helpers')->get($parentModel);
         $model = $model::find($parentId);
+        $this->authorize('listMedia', $model);
         $isSingle = 1 === $model->getMediaCollection($collection)->collectionSizeLimit;
         abort_if($isSingle && !$model->getFirstMedia($collection), 404);
diff --git a/tests/Feature/DestroyTest.php b/tests/Feature/DestroyTest.php
new file mode 100644
index 0000000..7314248
--- /dev/null
+++ b/tests/Feature/DestroyTest.php
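Review bot: In the second hunk `$this->authorize('listMedia', $model)` runs directly after `$model::find($parentId)`, which returns null for an unknown id, so the policy is evaluated against a null model and a missing parent would surface as a 403 (or possibly a type error inside the policy) instead of the 404 the rest of the method works towards. Using `$model = $model::findOrFail($parentId);` keeps the not-found response ahead of the authorization check and guarantees the policy always receives a real instance. The same consideration applies to `$media->model` in the first hunk, a morph relation that may be null when the owning record no longer exists; a guard such as `abort_unless($media->model, 404);` before the authorize call would be consistent with that. Both method bodies continue outside the hunks.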
@@ -0,0 +1,35 @@
+auth()->registerModel();
+    $post = $this->newPost();
+    $post->addMedia($this->pdfFile()->getPathname())->withCustomProperties(['test' => 'old'])->preservingOriginal()->toMediaCollection('multipleForced');
+    $post->addMedia($this->pdfFile()->getPathname())->withCustomProperties(['test' => 'old'])->preservingOriginal()->toMediaCollection('multipleForced');
+    $media = $post->getFirstMedia('multipleForced');
+
+    $this->deleteJson("/mediaupload/{$media->id}")->assertStatus(200);
+
+    $this->assertCount(1, $post->fresh()->getMedia('multipleForced'));
+});
+
+test('it deletes single media', function () {
+    $this->auth()->registerModel();
+    $post = $this->newPost();
+    $post->addMedia($this->pdfFile()->getPathname())->withCustomProperties(['test' => 'old'])->preservingOriginal()->toMediaCollection('defaultSingleFile');
+    $media = $post->getFirstMedia('defaultSingleFile');
+
+    $this->deleteJson("/mediaupload/{$media->id}")->assertStatus(200);
+
+    $this->assertCount(0, $post->fresh()->getMedia('defaultSingleFile'));
+});
+
+test('it needs authorization', function () {
+    $this->auth(['destroyMedia' => false])->registerModel();
+    $post = $this->newPost();
+    $post->addMedia($this->pdfFile()->getPathname())->withCustomProperties(['test' => 'old'])->preservingOriginal()->toMediaCollection('defaultSingleFile');
+    $media = $post->getFirstMedia('defaultSingleFile');
+
+    $this->deleteJson("/mediaupload/{$media->id}")->assertStatus(403);
+});
diff --git a/tests/Feature/IndexTest.php b/tests/Feature/IndexTest.php
index 9f6d456..02bd2c6 100644
--- a/tests/Feature/IndexTest.php
+++ b/tests/Feature/IndexTest.php
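Review bot: The `it needs authorization` test only asserts the 403 status and never checks that the media survived the denied request, so an implementation that deletes first and authorizes afterwards would still pass. Adding `$this->assertCount(1, $post->fresh()->getMedia('defaultSingleFile'));` after the `deleteJson` assertion pins the outcome that matters. The new `it checks for authorization` test in tests/Feature/UpdateTest.php has the same gap and could additionally assert that nothing was written, e.g. `$this->assertNull($media->fresh()->getCustomProperty('test'));`.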
@@ -28,6 +28,16 @@ test('it gets media for single', function () {
     $response->assertJsonPath('properties.test', 'old');
 });
+test('it checks for authorization', function () {
+    $this->auth(['listMedia' => false])->registerModel();
+    $post = $this->newPost();
+    $post->addMedia($this->pdfFile()->getPathname())->withCustomProperties(['test' => 'old'])->preservingOriginal()->toMediaCollection('images');
+
+    $response = $this->getJson("/mediaupload/post/{$post->id}/images");
+
+    $response->assertStatus(403);
+});
+
 test('it returns 404 when media not found', function () {
     $this->auth()->registerModel();
     $post = $this->newPost();
diff --git a/tests/Feature/UpdateTest.php b/tests/Feature/UpdateTest.php
index 731666d..70b3d20 100644
--- a/tests/Feature/UpdateTest.php
+++ b/tests/Feature/UpdateTest.php
@@ -37,3 +37,19 @@ test('it validates a single files properties', function () {
     $response->assertStatus(422);
     $response->assertJsonValidationErrors('properties.test');
 });
+
+test('it checks for authorization', function () {
+    $this->auth(['updateMedia' => false])->registerModel();
+    $post = $this->newPost();
+    $post->addMedia($this->pdfFile()->getPathname())->preservingOriginal()->toMediaCollection('multipleProperties');
+    $media = $post->getFirstMedia('multipleProperties');
+
+    $response = $this->patchJson("/mediaupload/{$media->id}", [
+        'properties' => [
+            'test' => 'new',
+            'missing' => 'value',
+        ],
+    ]);
+
+    $response->assertStatus(403);
+});
diff --git a/tests/TestCase.php b/tests/TestCase.php
index 44e8f5d..f9dff79 100644
--- a/tests/TestCase.php
+++ b/tests/TestCase.php
@@ -64,6 +64,7 @@ class TestCase extends BaseTestCase
             'storeMedia' => true,
             'updateMedia' => true,
             'destroyMedia' => true,
+            'listMedia' => true,
             ...$policies,
         ];