Require admin privileges to change team logos

mariusklocke · Dec 10, 2023 · 5297565 · 5297565
1 parent 97bfddb
commit 5297565
Show file tree

Hide file tree

Showing 6 changed files with 36 additions and 6 deletions.
diff --git a/src/Application/Security/AuthChecker.php b/src/Application/Security/AuthChecker.php
@@ -2,8 +2,6 @@
 
 namespace HexagonalPlayground\Application\Security;
 
-use HexagonalPlayground\Application\Security\AuthenticationException;
-
 class AuthChecker
 {
     public function check(?AuthContext $authContext): void

diff --git a/src/Infrastructure/API/Logos/DeleteAction.php b/src/Infrastructure/API/Logos/DeleteAction.php
@@ -5,6 +5,7 @@
 
 use HexagonalPlayground\Application\Repository\TeamRepositoryInterface;
 use HexagonalPlayground\Infrastructure\API\ActionInterface;
+use HexagonalPlayground\Infrastructure\API\Security\AuthorizationTrait;
 use HexagonalPlayground\Infrastructure\Filesystem\TeamLogoRepository;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -13,6 +14,7 @@
 class DeleteAction implements ActionInterface
 {
     use TeamFinderTrait;
+    use AuthorizationTrait;
     private TeamLogoRepository $teamLogoRepository;
     private LoggerInterface $logger;
 
@@ -25,6 +27,8 @@ public function __construct(TeamRepositoryInterface $teamRepository, TeamLogoRep
 
     public function __invoke(ServerRequestInterface $request, ResponseInterface $response, array $args): ResponseInterface
     {
+        $this->assertIsAdmin($request);
+
         $team = $this->findTeam($request->getQueryParams());
 
         if ($team->getLogoId() !== null) {

diff --git a/src/Infrastructure/API/Logos/UploadAction.php b/src/Infrastructure/API/Logos/UploadAction.php
@@ -7,6 +7,7 @@
 use HexagonalPlayground\Domain\Exception\InternalException;
 use HexagonalPlayground\Domain\Exception\InvalidInputException;
 use HexagonalPlayground\Infrastructure\API\ActionInterface;
+use HexagonalPlayground\Infrastructure\API\Security\AuthorizationTrait;
 use HexagonalPlayground\Infrastructure\Filesystem\TeamLogoRepository;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
@@ -16,6 +17,7 @@
 class UploadAction implements ActionInterface
 {
     use TeamFinderTrait;
+    use AuthorizationTrait;
     private TeamLogoRepository $teamLogoRepository;
     private LoggerInterface $logger;
 
@@ -28,6 +30,8 @@ public function __construct(TeamRepositoryInterface $teamRepository, TeamLogoRep
 
     public function __invoke(ServerRequestInterface $request, ResponseInterface $response, array $args): ResponseInterface
     {
+        $this->assertIsAdmin($request);
+
         $team = $this->findTeam($request->getQueryParams());
         $file = $this->getUploadedFile($request);
 

diff --git a/src/Infrastructure/API/Security/AuthorizationTrait.php b/src/Infrastructure/API/Security/AuthorizationTrait.php
@@ -0,0 +1,16 @@
+<?php
+declare(strict_types=1);
+
+namespace HexagonalPlayground\Infrastructure\API\Security;
+
+use Psr\Http\Message\ServerRequestInterface;
+
+trait AuthorizationTrait
+{
+    private function assertIsAdmin(ServerRequestInterface $request): void
+    {
+        $authReader = new AuthReader();
+        $authContext = $authReader->requireAuthContext($request);
+        $authContext->getUser()->assertIsAdmin();
+    }
+}
diff --git a/tests/GraphQL/TeamTest.php b/tests/GraphQL/TeamTest.php
@@ -88,10 +88,11 @@ public function testTeamLogoCanBeUploaded(string $teamId): string
     {
         $tempFile = $this->generateRandomFile();
         try {
+            $token = $this->createAdminToken();
             $method = 'POST';
             $url = "/api/logos?teamId=$teamId";
             $fileMediaType = 'image/webp';
-            $headers = [];
+            $headers = ['Authorization' => "Bearer $token"];
 
             // Upload logo
             $response = $this->slimClient->sendUploadRequest($method, $url, $tempFile, $fileMediaType, $headers);
@@ -115,8 +116,9 @@ public function testTeamLogoCanBeUploaded(string $teamId): string
      */
     public function testTeamLogoCanDeDeleted(string $teamId): string
     {
+        $token = $this->createAdminToken();
         $url = "/api/logos?teamId=$teamId";
-        $headers = [];
+        $headers = ['Authorization' => "Bearer $token"];
         $response = $this->slimClient->delete($url, $headers);
         self::assertSame(204, $response->getStatusCode());
 

diff --git a/tests/GraphQL/TestCase.php b/tests/GraphQL/TestCase.php
@@ -50,11 +50,17 @@ protected static function catchEvents(string $eventName, callable $callable): ar
 
     protected function useAdminAuth(): void
     {
-        $this->client->useCredentials(getenv('ADMIN_EMAIL'), getenv('ADMIN_PASSWORD'));
-        $token = $this->client->createToken();
+        $token = $this->createAdminToken();
         $this->client->useToken($token);
     }
 
+    protected function createAdminToken(): string
+    {
+        $this->client->useCredentials(getenv('ADMIN_EMAIL'), getenv('ADMIN_PASSWORD'));
+
+        return $this->client->createToken();
+    }
+
     protected function expectClientException(): void
     {
         self::expectException(Exception::class);