mirror of
https://github.com/HolgerHatGarKeineNode/einundzwanzig-app.git
synced 2026-05-18 20:34:52 +00:00
🔄 **Refactor and extend meetup membership-based authorization**
- Updated `authorizeAccess` to restrict `meetups.edit` views and updates to users in "My-Meetups". - Attached creators to `meetup_user` pivot for default membership. - Adjusted related tests to validate membership-based edit permissions. 📱 **Improve sidebar and mobile navigation accessibility** - Added `aria-labels` to improve screen reader support for sidebar and mobile header elements. - Updated desktop and mobile user menus alignment for consistency. ⚡ **Enhance Lightning login flow** - Introduced `lightningLoginInProgress` for smoother polling synchronization with the redirect flow. - Updated logic to dispatch `lightning-login-ready` event instead of immediate redirect, avoiding race conditions.
This commit is contained in:
HolgerHatGarKeineNode
@@ -0,0 +1,32 @@
|
||||
<?php
|
||||
|
||||
use App\Models\City;
|
||||
use App\Models\Country;
|
||||
|
||||
beforeEach(function () {
|
||||
$country = Country::factory()->create(['code' => 'de']);
|
||||
City::factory()->create(['country_id' => $country->id]);
|
||||
});
|
||||
|
||||
it('renders the sidebar with the user profile reachable on mobile viewport', function () {
|
||||
actingAsUser(['name' => 'Sidebar Tester']);
|
||||
|
||||
$page = visit('/de/dashboard');
|
||||
|
||||
$page->resize(390, 844)
|
||||
->click('[aria-label="Menü öffnen"]')
|
||||
->assertSee('Dashboard')
|
||||
->assertSee('Repository')
|
||||
->assertSee('Sidebar Tester');
|
||||
});
|
||||
|
||||
it('renders the sidebar with the user profile on desktop viewport', function () {
|
||||
actingAsUser(['name' => 'Sidebar Tester']);
|
||||
|
||||
$page = visit('/de/dashboard');
|
||||
|
||||
$page->resize(1280, 800)
|
||||
->assertSee('Dashboard')
|
||||
->assertSee('Repository')
|
||||
->assertSee('Sidebar Tester');
|
||||
});
|
||||
@@ -105,7 +105,7 @@ it('returns 404 when the k1 path parameter is malformed', function () {
|
||||
->assertNotFound();
|
||||
});
|
||||
|
||||
it('redirects auth.login checkAuth() to the completion URL without rotating the session', function () {
|
||||
it('dispatches lightning-login-ready from auth.login checkAuth() without rotating the session', function () {
|
||||
$user = User::factory()->create();
|
||||
$k1 = bin2hex(random_bytes(32));
|
||||
LoginKey::factory()->create([
|
||||
@@ -117,10 +117,41 @@ it('redirects auth.login checkAuth() to the completion URL without rotating the
|
||||
Livewire::test('auth.login')
|
||||
->set('k1', $k1)
|
||||
->call('checkAuth')
|
||||
->assertRedirect(route('auth.ln.complete', ['k1' => $k1]));
|
||||
->assertDispatched('lightning-login-ready', url: route('auth.ln.complete', ['k1' => $k1]));
|
||||
|
||||
// The poll handler must NOT log the user in directly — that's the
|
||||
// controller's job. Logging in here would rotate the session id and
|
||||
// CSRF token mid-poll, producing 419s on any in-flight Livewire request.
|
||||
// It also must NOT return a server-side redirect: emitting an event lets
|
||||
// Alpine pause wire:poll via lightningLoginInProgress before navigating,
|
||||
// which avoids the "request loop without redirect" symptom in production.
|
||||
expect(auth()->check())->toBeFalse();
|
||||
});
|
||||
|
||||
it('does not dispatch lightning-login-ready when no LoginKey exists', function () {
|
||||
$k1 = bin2hex(random_bytes(32));
|
||||
|
||||
Livewire::test('auth.login')
|
||||
->set('k1', $k1)
|
||||
->call('checkAuth')
|
||||
->assertNotDispatched('lightning-login-ready');
|
||||
|
||||
expect(auth()->check())->toBeFalse();
|
||||
});
|
||||
|
||||
it('does not dispatch lightning-login-ready when the LoginKey is older than 5 minutes', function () {
|
||||
$user = User::factory()->create();
|
||||
$k1 = bin2hex(random_bytes(32));
|
||||
LoginKey::factory()->create([
|
||||
'user_id' => $user->id,
|
||||
'k1' => $k1,
|
||||
'created_at' => now()->subMinutes(10),
|
||||
]);
|
||||
|
||||
Livewire::test('auth.login')
|
||||
->set('k1', $k1)
|
||||
->call('checkAuth')
|
||||
->assertNotDispatched('lightning-login-ready');
|
||||
|
||||
expect(auth()->check())->toBeFalse();
|
||||
});
|
||||
|
||||
@@ -4,6 +4,7 @@ use App\Models\City;
|
||||
use App\Models\Country;
|
||||
use App\Models\Meetup;
|
||||
use App\Models\MeetupEvent;
|
||||
use App\Models\User;
|
||||
use Livewire\Livewire;
|
||||
|
||||
beforeEach(function () {
|
||||
@@ -29,22 +30,42 @@ it('mounts meetups.create when authenticated', function () {
|
||||
Livewire::test('meetups.create')->assertStatus(200);
|
||||
});
|
||||
|
||||
it('mounts meetups.edit when authenticated as the meetup creator', function () {
|
||||
it('mounts meetups.edit when the authenticated user has added the meetup to My-Meetups', function () {
|
||||
$owner = actingAsUser();
|
||||
$meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'created_by' => $owner->id,
|
||||
]);
|
||||
$meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
|
||||
$meetup->users()->attach($owner);
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $meetup])->assertStatus(200);
|
||||
});
|
||||
|
||||
it('aborts meetups.edit with 403 when authenticated user is not the creator', function () {
|
||||
it('mounts meetups.edit for a My-Meetups member even if another user created the meetup', function () {
|
||||
$creator = User::factory()->create();
|
||||
$member = actingAsUser();
|
||||
$meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'created_by' => $creator->id,
|
||||
]);
|
||||
$meetup->users()->attach($member);
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $meetup])->assertStatus(200);
|
||||
});
|
||||
|
||||
it('aborts meetups.edit with 403 when the authenticated user has not added the meetup to My-Meetups', function () {
|
||||
actingAsUser();
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $this->meetup])->assertStatus(403);
|
||||
});
|
||||
|
||||
it('aborts meetups.edit with 403 when the authenticated user is only the creator but not in My-Meetups', function () {
|
||||
$creator = actingAsUser();
|
||||
$meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'created_by' => $creator->id,
|
||||
]);
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $meetup])->assertStatus(403);
|
||||
});
|
||||
|
||||
it('mounts meetups.create-edit-events for new event', function () {
|
||||
actingAsUser();
|
||||
Livewire::test('meetups.create-edit-events', ['meetup' => $this->meetup])->assertStatus(200);
|
||||
|
||||
@@ -10,13 +10,13 @@ beforeEach(function () {
|
||||
$this->city = City::factory()->create(['country_id' => $country->id]);
|
||||
});
|
||||
|
||||
it('updates an existing Meetup name when authenticated', function () {
|
||||
$owner = actingAsUser();
|
||||
it('updates an existing Meetup name when the user has it in My-Meetups', function () {
|
||||
$member = actingAsUser();
|
||||
$meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'name' => 'Original Name',
|
||||
'created_by' => $owner->id,
|
||||
]);
|
||||
$meetup->users()->attach($member);
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $meetup])
|
||||
->set('name', 'Updated Name')
|
||||
@@ -29,12 +29,12 @@ it('updates an existing Meetup name when authenticated', function () {
|
||||
});
|
||||
|
||||
it('rejects update when name collides with another existing Meetup', function () {
|
||||
$owner = actingAsUser();
|
||||
$member = actingAsUser();
|
||||
$meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'name' => 'Original Name',
|
||||
'created_by' => $owner->id,
|
||||
]);
|
||||
$meetup->users()->attach($member);
|
||||
Meetup::factory()->create(['name' => 'Other Name', 'city_id' => $this->city->id]);
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $meetup])
|
||||
@@ -44,12 +44,12 @@ it('rejects update when name collides with another existing Meetup', function ()
|
||||
});
|
||||
|
||||
it('allows update when name is unchanged (Rule::unique ignores own id)', function () {
|
||||
$owner = actingAsUser();
|
||||
$member = actingAsUser();
|
||||
$meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'name' => 'Original Name',
|
||||
'created_by' => $owner->id,
|
||||
]);
|
||||
$meetup->users()->attach($member);
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $meetup])
|
||||
->set('name', 'Original Name')
|
||||
@@ -58,6 +58,19 @@ it('allows update when name is unchanged (Rule::unique ignores own id)', functio
|
||||
->assertHasNoErrors();
|
||||
});
|
||||
|
||||
it('blocks updateMeetup when the user has not added the meetup to My-Meetups', function () {
|
||||
actingAsUser();
|
||||
$meetup = Meetup::factory()->create([
|
||||
'city_id' => $this->city->id,
|
||||
'name' => 'Original Name',
|
||||
]);
|
||||
|
||||
Livewire::test('meetups.edit', ['meetup' => $meetup])
|
||||
->assertStatus(403);
|
||||
|
||||
expect($meetup->refresh()->name)->toBe('Original Name');
|
||||
});
|
||||
|
||||
it('redirects guests when accessing meetup-edit', function () {
|
||||
$meetup = Meetup::factory()->create(['city_id' => $this->city->id]);
|
||||
|
||||
|
||||
Reference in New Issue
Block a user