Merge pull request #155 from KA-Huis/feature/SM-105

cyrildewit · web-flow · commit 5da9521705f8 · 2022-05-20T20:26:59.000+02:00
SM-105: Create endpoint to retrieve a user
diff --git a/app/API/V1/Http/Controllers/UserController.php b/app/API/V1/Http/Controllers/UserController.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\API\V1\Http\Controllers;
+
+use App\API\V1\Http\Resources\PrivateUserResource;
+use App\API\V1\Http\Resources\PublicUserResource;
+use App\Http\Controllers\Controller;
+use App\Models\User;
+use Illuminate\Auth\Access\AuthorizationException;
+use Illuminate\Http\Request;
+
+final class UserController extends Controller
+{
+    /**
+     * @throws AuthorizationException
+     */
+    public function show(Request $request, User $user): PublicUserResource|PrivateUserResource
+    {
+        $this->authorize('view', $user);
+
+        if ($request->user()->can('viewPrivateProfile')) {
+            return new PrivateUserResource($user);
+        }
+
+        return new PublicUserResource($user);
+    }
+}
diff --git a/app/API/V1/Http/Resources/PrivateUserResource.php b/app/API/V1/Http/Resources/PrivateUserResource.php
@@ -6,7 +6,7 @@
 
 use Illuminate\Http\Resources\Json\JsonResource;
 
-class UserResource extends JsonResource
+class PrivateUserResource extends JsonResource
 {
     /**
      * Transform the resource into an array.
@@ -18,6 +18,7 @@ class UserResource extends JsonResource
     public function toArray($request)
     {
         return [
+            'id'                 => $this->id,
             'first_name'         => $this->first_name,
             'last_name'          => $this->last_name,
             'email'              => $this->email,
diff --git a/app/API/V1/Http/Resources/PublicUserResource.php b/app/API/V1/Http/Resources/PublicUserResource.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\API\V1\Http\Resources;
+
+use Illuminate\Http\Resources\Json\JsonResource;
+
+class PublicUserResource extends JsonResource
+{
+    /**
+     * Transform the resource into an array.
+     *
+     * @param \Illuminate\Http\Request $request
+     *
+     * @return array|\Illuminate\Contracts\Support\Arrayable|\JsonSerializable
+     */
+    public function toArray($request)
+    {
+        return [
+            'id'                 => $this->id,
+            'first_name'         => $this->first_name,
+            'last_name'          => $this->last_name,
+            'created_at'         => $this->created_at,
+            'updated_at'         => $this->updated_at,
+            'deleted_at'         => $this->deleted_at,
+        ];
+    }
+}
diff --git a/app/API/V1/Http/Resources/ReparationRequestResource.php b/app/API/V1/Http/Resources/ReparationRequestResource.php
@@ -26,7 +26,7 @@ public function toArray($request)
             'updated_at'  => $this->updated_at,
             'deleted_at'  => $this->deleted_at,
             'reporter_id' => $this->reporter_id,
-            'reporter'    => new UserResource($this->whenLoaded('reporter')),
+            'reporter'    => new PublicUserResource($this->whenLoaded('reporter')),
             'statuses'    => new ReparationRequestStatusCollection($this->whenLoaded('statuses')),
             'materials'   => new ReparationRequestMaterialCollection($this->whenLoaded('materials')),
         ];
diff --git a/app/API/V1/Http/Resources/ReservationResource.php b/app/API/V1/Http/Resources/ReservationResource.php
@@ -27,7 +27,7 @@ public function toArray($request)
             'updated_at'         => $this->updated_at,
             'deleted_at'         => $this->deleted_at,
             'created_by_user_id' => $this->created_by_user_id,
-            'created_by_user'    => new UserResource($this->whenLoaded('createdByUser')),
+            'created_by_user'    => new PublicUserResource($this->whenLoaded('createdByUser')),
             'space'              => new SpaceResource($this->whenLoaded('space')),
             'group'              => new GroupResource($this->whenLoaded('group')),
         ];
diff --git a/app/Policies/UserPolicy.php b/app/Policies/UserPolicy.php
@@ -27,6 +27,14 @@ public function view(User $user, User $userSubject): bool
         return true;
     }
 
+    /**
+     * Determine whether the user can view the model.
+     */
+    public function viewPrivateProfile(User $user, User $userSubject): bool
+    {
+        return $user->id === $userSubject->id;
+    }
+
     /**
      * Determine whether the user can create models.
      */
diff --git a/openapi/openapi-v1.yml b/openapi/openapi-v1.yml
@@ -22,7 +22,7 @@ components:
           scopes: { }
 
   schemas:
-    User:
+    PublicUserProfile:
       type: object
       properties:
         id:
@@ -47,6 +47,33 @@ components:
         - first_nane
         - last_name
         - email
+    PrivateUserProfile:
+      type: object
+      properties:
+        id:
+          type: integer
+          format: bigint20
+          minimum: 1
+        first_name:
+          type: string
+        last_name:
+          type: string
+        email:
+          type: string
+        created_at:
+          type: string
+          format: date-time
+        updated_at:
+          type: string
+          format: date-time
+        deleted_at:
+          type: string
+          format: date-time
+      required:
+        - id
+        - first_nane
+        - last_name
+        - email
     Reservation:
       type: object
       properties:
@@ -84,7 +111,7 @@ components:
         created_by_user:
           readOnly: true
           allOf:
-            - $ref: '#/components/schemas/User'
+            - $ref: '#/components/schemas/PublicUserProfile'
         space:
           readOnly: true
           allOf:
@@ -213,7 +240,7 @@ components:
         reporter:
           readOnly: true
           allOf:
-            - $ref: '#/components/schemas/User'
+            - $ref: '#/components/schemas/PublicUserProfile'
       required:
         - id
         - title
@@ -1085,3 +1112,31 @@ paths:
                 type: object
         403:
           $ref: '#/components/responses/UnauthorizedResponse'
+
+  /users/{id}:
+    parameters:
+      - in: path
+        name: id
+        description: The user ID
+        required: true
+        schema:
+          type: integer
+          minimum: 1
+    get:
+      tags:
+        - Users
+      summary: Get user
+      description: Retrieve a single user by its id.
+      responses:
+        200:
+          description: Succcessful operation
+          content:
+            application/json:
+              schema:
+                oneOf:
+                  - $ref: '#/components/schemas/PublicUserProfile'
+                  - $ref: '#/components/schemas/PrivateUserProfile'
+        403:
+          $ref: '#/components/responses/UnauthorizedResponse'
+        422:
+          $ref: '#/components/responses/ValidationErrorResponse'
diff --git a/routes/api/v1.php b/routes/api/v1.php
@@ -9,6 +9,7 @@
 use App\API\V1\Http\Controllers\ReparationRequestMaterialController;
 use App\API\V1\Http\Controllers\ReservationController;
 use App\API\V1\Http\Controllers\SpaceController;
+use App\API\V1\Http\Controllers\UserController;
 use App\Authentication\Guards\RestApiGuard;
 use Illuminate\Routing\Router;
 
@@ -73,4 +74,11 @@
                 $router->get('/{group}', [GroupController::class, 'show'])->name('show');
                 $router->delete('/{group}', [GroupController::class, 'destroy'])->name('destroy');
             });
+
+        $router
+            ->prefix('users')
+            ->name('user.')
+            ->group(static function (Router $router) {
+                $router->get('/{user}', [UserController::class, 'show'])->name('show');
+            });
     });
diff --git a/tests/Feature/API/V1/Http/Controllers/UserControllerTest.php b/tests/Feature/API/V1/Http/Controllers/UserControllerTest.php
@@ -0,0 +1,56 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\API\V1\Http\Controllers;
+
+use App\Authentication\Guards\RestApiGuard;
+use App\Models\User;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Routing\UrlGenerator;
+use Illuminate\Testing\Fluent\AssertableJson;
+use Tests\TestCase;
+
+class UserControllerTest extends TestCase
+{
+    use RefreshDatabase;
+
+    private UrlGenerator $urlGenerator;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+
+        $this->urlGenerator = $this->app->get(UrlGenerator::class);
+    }
+
+    public function testShowEndpoint(): void
+    {
+        // Given
+        $user = User::factory()->create();
+
+        $expectedUser = User::factory()
+            ->create();
+
+        $endpointUri = $this->urlGenerator->route('api.v1.user.show', [
+            'user' => $expectedUser->id,
+        ]);
+
+        // When
+        $response = $this
+            ->actingAs($user, (new RestApiGuard())->getName())
+            ->get($endpointUri);
+
+        // Then
+        $response->assertOk()
+            ->assertJson(
+                fn (AssertableJson $json) => $json
+                    ->has('data',
+                        fn (AssertableJson $json) => $json
+                            ->where('id', $expectedUser->id)
+                            ->etc()
+                    )
+                    ->etc()
+            );
+    }
+}
diff --git a/tests/Unit/Policies/UserPolicyTest.php b/tests/Unit/Policies/UserPolicyTest.php
@@ -50,6 +50,59 @@ public function testView(): void
         self::assertTrue($response);
     }
 
+    /**
+     * This tests the `viewPrivateProfile` action.
+     *
+     * @testdox This verifies the happy flow when someone is allowed to view a reparation request.
+     */
+    public function testViewPrivateProfile(): void
+    {
+        // Given
+        $policy = new UserPolicy();
+
+        $user = Mockery::mock(User::class);
+        $user->shouldReceive('getAttribute')
+            ->with('id')
+            ->andReturn(1)
+            ->twice();
+
+        // When
+        $response = $policy->viewPrivateProfile($user, $user);
+
+        // Then
+        self::assertTrue($response);
+    }
+
+    /**
+     * This tests the `viewPrivateProfile` action.
+     *
+     * @testdox This verifies the flow when someone is not allowed to view a private user profile, because it's not its
+     * own profile.
+     */
+    public function testViewPrivateProfileWhenSubjectIsDifferentThanAuthenticatedUser(): void
+    {
+        // Given
+        $policy = new UserPolicy();
+
+        $user = Mockery::mock(User::class);
+        $user->shouldReceive('getAttribute')
+            ->with('id')
+            ->andReturn(1)
+            ->once();
+
+        $userSubject = Mockery::mock(User::class);
+        $userSubject->shouldReceive('getAttribute')
+            ->with('id')
+            ->andReturn(2)
+            ->once();
+
+        // When
+        $response = $policy->viewPrivateProfile($user, $userSubject);
+
+        // Then
+        self::assertFalse($response);
+    }
+
     /**
      * This tests the `create` action.
      *

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@`
`6`	`6`
`7`	`7`	`use Illuminate\Http\Resources\Json\JsonResource;`
`8`	`8`
`9`		`-class UserResource extends JsonResource`
	`9`	`+class PrivateUserResource extends JsonResource`
`10`	`10`	`{`
`11`	`11`	`/**`
`12`	`12`	`* Transform the resource into an array.`
`@@ -18,6 +18,7 @@ class UserResource extends JsonResource`
`18`	`18`	`public function toArray($request)`
`19`	`19`	`{`
`20`	`20`	`return [`
	`21`	`+ 'id' => $this->id,`
`21`	`22`	`'first_name' => $this->first_name,`
`22`	`23`	`'last_name' => $this->last_name,`
`23`	`24`	`'email' => $this->email,`