Handle attempting to delete another user's template

2026-03-12 17:52:00 +08:00 · 2026-01-07 16:37:34 -08:00
parent 4e874cdb1b
commit f8af21306a
2 changed files with 21 additions and 7 deletions
--- a/app/Http/Controllers/ReportTemplatesController.php
+++ b/app/Http/Controllers/ReportTemplatesController.php
@@ -19,7 +19,7 @@ class ReportTemplatesController extends Controller

        $report = $request->user()->reportTemplates()->create([
            'name' => $validated['name'],
-            'options' => $request->except(['_token', 'name','share_report_template']),
+            'options' => $request->except(['_token', 'name', 'share_report_template']),
            'share_report_template' => $request->has('share_report_template'),
        ]);

@@ -46,7 +46,7 @@ class ReportTemplatesController extends Controller
    {
        $this->authorize('reports.view');

-        if ($reportTemplate->created_by != auth()->id()){
+        if ($reportTemplate->created_by != auth()->id()) {
            return redirect()
                ->route('report-templates.show', $reportTemplate)
                ->withError(trans('general.report_not_editable'));
@@ -62,7 +62,7 @@ class ReportTemplatesController extends Controller
    {
        $this->authorize('reports.view');

-        if ($reportTemplate->created_by != auth()->id()){
+        if ($reportTemplate->created_by != auth()->id()) {
            return redirect()
                ->route('report-templates.show', $reportTemplate)
                ->withError(trans('general.report_not_editable'));
@@ -91,6 +91,12 @@ class ReportTemplatesController extends Controller
    {
        $this->authorize('reports.view');

+        if ($reportTemplate->creator()->isNot(auth()->user())) {
+            return redirect()
+                ->route('report-templates.show', $reportTemplate)
+                ->withError(trans('general.generic_model_not_found', ['model' => 'report template']));
+        }
+
        $reportTemplate->delete();

        return redirect()->route('reports/custom')
--- a/tests/Feature/ReportTemplates/DeleteReportTemplateTest.php
+++ b/tests/Feature/ReportTemplates/DeleteReportTemplateTest.php
@@ -19,7 +19,7 @@ class DeleteReportTemplateTest extends TestCase implements TestsPermissionsRequi
            ->post(route('report-templates.destroy', $reportTemplate->id))
            ->assertStatus(302);

-        $this->assertModelExists($reportTemplate);
+        $this->assertNotSoftDeleted($reportTemplate);
    }

    public function testCannotDeleteAnotherUsersReportTemplate()
@@ -28,14 +28,22 @@ class DeleteReportTemplateTest extends TestCase implements TestsPermissionsRequi

        $this->actingAs(User::factory()->canViewReports()->create())
            ->delete(route('report-templates.destroy', $reportTemplate->id))
-            ->assertStatus(302);
+            ->assertStatus(302)
+            ->assertSessionHas('error', trans('general.generic_model_not_found', ['model' => 'report template']));

-        $this->assertModelExists($reportTemplate);
+        $this->assertNotSoftDeleted($reportTemplate);
    }

    public function testCannotDeleteAnotherUsersSharedReportTemplate()
    {
-        $this->markTestIncomplete();
+        $reportTemplate = ReportTemplate::factory()->shared()->create();
+
+        $this->actingAs(User::factory()->canViewReports()->create())
+            ->delete(route('report-templates.destroy', $reportTemplate->id))
+            ->assertStatus(302)
+            ->assertSessionHas('error', trans('general.generic_model_not_found', ['model' => 'report template']));
+
+        $this->assertNotSoftDeleted($reportTemplate);
    }

    public function testCanDeleteAReportTemplate()