Scope series to user

Author: joedixon

app/Http/Controllers/Articles/ArticlesController.php

@@ -13,6 +13,7 @@
 use App\Models\Series;
 use App\Models\Tag;
 use App\Policies\ArticlePolicy;
+use Illuminate\Http\Request;
 
 class ArticlesController extends Controller
 {
@@ -32,11 +33,11 @@ public function show(Article $article)
         ]);
     }
 
-    public function create()
+    public function create(Request $request)
     {
         $tags = Tag::all();
         $selectedTags = old('tags', []);
-        $series = Series::all();
+        $series = $request->user()->series;
         $selectedSeries = old('series');
 
         return view('articles.create', [
@@ -56,13 +57,13 @@ public function store(ArticleRequest $request)
         return redirect()->route('articles.show', $article->slug());
     }
 
-    public function edit(Article $article)
+    public function edit(Request $request, Article $article)
     {
         $this->authorize(ArticlePolicy::UPDATE, $article);
 
         $selectedTags = old('tags', $article->tags()->pluck('id')->toArray());
-        $series = Series::all();
-        $selectedSeries = old('series', $article->series->id);
+        $series = $request->user()->series;
+        $selectedSeries = old('series', $article->series_id);
 
         return view('articles.edit', [
             'article' => $article,

app/Http/Requests/ArticleRequest.php

@@ -2,6 +2,7 @@
 
 namespace App\Http\Requests;
 
+use App\Rules\AuthorOwnsSeriesRule;
 use App\Rules\HttpImageRule;
 use App\User;
 
@@ -14,8 +15,8 @@ public function rules()
             'body' => ['required', new HttpImageRule],
             'tags' => 'array|nullable',
             'tags.*' => 'exists:tags,id',
-            'series' => 'exists:series,id|nullable',
             'original_url' => 'url|nullable',
+            'series' => ['nullable', new AuthorOwnsSeriesRule],
         ];
     }
 

app/Rules/AuthorOwnsSeriesRule.php

@@ -0,0 +1,23 @@
+<?php
+
+namespace App\Rules;
+
+use App\Models\Series;
+use Illuminate\Contracts\Validation\Rule;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Validation\Concerns\ValidatesAttributes;
+
+final class AuthorOwnsSeriesRule implements Rule
+{
+    use ValidatesAttributes;
+
+    public function passes($attribute, $value): bool
+    {
+        return Series::where('author_id', Auth::id())->exists();
+    }
+
+    public function message(): string
+    {
+        return 'The :attribute field does not belong to you.';
+    }
+}

app/User.php

@@ -5,6 +5,7 @@
 use App\Helpers\HasTimestamps;
 use App\Helpers\ModelHelpers;
 use App\Models\Reply;
+use App\Models\Series;
 use App\Models\Thread;
 use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Foundation\Auth\User as Authenticatable;
@@ -214,6 +215,11 @@ public function replyAble(): HasMany
         return $this->hasMany(Reply::class, 'author_id');
     }
 
+    public function series(): HasMany
+    {
+        return $this->hasMany(Series::class, 'author_id');
+    }
+
     /**
      * @todo Make this work with Eloquent instead of a collection
      */

tests/Feature/ArticleTest.php

@@ -18,13 +18,31 @@ public function users_cannot_create_an_article_when_not_logged_in()
             ->seePageIs('/login');
     }
 
+    /** @test */
+    public function users_cannot_see_series_they_do_not_own_when_creating_a_series()
+    {
+        $user = $this->createUser();
+        factory(Series::class)->create(['title' => 'This should be seen', 'author_id' => $user->id]);
+        factory(Series::class)->create(['title' => 'This should not be seen']);
+
+        $this->loginAs($user);
+
+        $this->get('/articles/create')
+            ->see('This should be seen')
+            ->dontSee('This should not be seen');
+    }
+
     /** @test */
     public function users_can_create_an_article()
     {
+        $user = $this->createUser();
         $tag = factory(Tag::class)->create(['name' => 'Test Tag']);
-        $series = factory(Series::class)->create(['title' => 'Test series']);
+        $series = factory(Series::class)->create([
+            'title' => 'Test series',
+            'author_id' => $user->id,
+        ]);
 
-        $this->login();
+        $this->loginAs($user);
 
         $this->post('/articles', [
             'title' => 'Using database migrations',
@@ -36,6 +54,25 @@ public function users_can_create_an_article()
             ->assertSessionHas('success', 'Article successfully created!');
     }
 
+    /** @test */
+    public function users_cannot_create_an_article_using_a_series_they_do_not_own()
+    {
+        $tag = factory(Tag::class)->create(['name' => 'Test Tag']);
+        $series = factory(Series::class)->create(['title' => 'Test series']);
+
+        $this->login();
+
+        $response = $this->post('/articles', [
+            'title' => 'Using database migrations',
+            'body' => 'This article will go into depth on working with database migrations.',
+            'tags' => [$tag->id()],
+            'series' => $series->id(),
+        ]);
+
+        $response->assertSessionHas('error', 'Something went wrong. Please review the fields below.');
+        $response->assertSessionHasErrors(['series' => 'The series field does not belong to you.']);
+    }
+
     /** @test */
     public function users_cannot_create_an_article_with_a_title_that_is_too_long()
     {
@@ -63,12 +100,30 @@ public function an_article_may_not_contain_an_http_image_url()
         $response->assertSessionHasErrors(['body' => 'The body field contains at least one image with an HTTP link.']);
     }
 
+    /** @test */
+    public function users_cannot_see_series_they_do_not_own_when_editing_an_article()
+    {
+        $user = $this->createUser();
+        factory(Article::class)->create(['slug' => 'my-first-article', 'author_id' => $user->id]);
+        factory(Series::class)->create(['title' => 'This should be seen', 'author_id' => $user->id]);
+        factory(Series::class)->create(['title' => 'This should not be seen']);
+
+        $this->loginAs($user);
+
+        $this->get('/articles/my-first-article/edit')
+            ->see('This should be seen')
+            ->dontSee('This should not be seen');
+    }
+
     /** @test */
     public function users_can_edit_an_article()
     {
         $user = $this->createUser();
         $tag = factory(Tag::class)->create(['name' => 'Test Tag']);
-        $series = factory(Series::class)->create(['title' => 'Test series']);
+        $series = factory(Series::class)->create([
+            'title' => 'Test series',
+            'author_id' => $user->id,
+        ]);
 
         factory(Article::class)->create([
             'author_id' => $user->id(),
@@ -87,6 +142,31 @@ public function users_can_edit_an_article()
             ->assertSessionHas('success', 'Article successfully updated!');
     }
 
+    /** @test */
+    public function users_cannot_edit_an_article_using_a_series_they_do_not_own()
+    {
+        $user = $this->createUser();
+        $tag = factory(Tag::class)->create(['name' => 'Test Tag']);
+        $series = factory(Series::class)->create(['title' => 'Test series']);
+
+        factory(Article::class)->create([
+            'author_id' => $user->id(),
+            'slug' => 'my-first-article',
+        ]);
+
+        $this->loginAs($user);
+
+        $response = $this->put('/articles/my-first-article', [
+            'title' => 'Using database migrations',
+            'body' => 'This article will go into depth on working with database migrations.',
+            'tags' => [$tag->id()],
+            'series' => $series->id(),
+        ]);
+
+        $response->assertSessionHas('error', 'Something went wrong. Please review the fields below.');
+        $response->assertSessionHasErrors(['series' => 'The series field does not belong to you.']);
+    }
+
     /** @test */
     public function users_cannot_edit_an_article_with_a_title_that_is_too_long()
     {