From a69c50d9e84cccfe91559502271f47504f102f72 Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Tue, 9 May 2023 13:01:27 +1000
Subject: [PATCH] Tests for user deleting themselves

---
 app/Http/Requests/User/BulkUserRequest.php | 16 +++++++++++++---
 tests/Feature/UserTest.php | 21 +++++++++++++++++++++
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/app/Http/Requests/User/BulkUserRequest.php b/app/Http/Requests/User/BulkUserRequest.php
index 1ae2ee8dca..afea05c1da 100644
--- a/app/Http/Requests/User/BulkUserRequest.php
+++ b/app/Http/Requests/User/BulkUserRequest.php
@@ -11,9 +11,10 @@
 namespace App\Http\Requests\User;
-use App\Http\Requests\Request;
-use App\Http\ValidationRules\Ninja\CanRestoreUserRule;
 use App\Utils\Ninja;
+use App\Http\Requests\Request;
+use Illuminate\Auth\Access\AuthorizationException;
+use App\Http\ValidationRules\Ninja\CanRestoreUserRule;
 class BulkUserRequest extends Request
 {
@@ -23,7 +24,11 @@ class BulkUserRequest extends Request
 * @return bool
 */
 public function authorize() : bool
- {
+ {nlog($this->all());
+ nlog($this->ids);
+ if($this->action == 'delete' && in_array(auth()->user()->hashed_id, $this->ids))
+ return false;
+
 return auth()->user()->isAdmin();
 }
@@ -44,4 +49,9 @@ class BulkUserRequest extends Request
 $this->replace($input);
 }
+
+ protected function failedAuthorization()
+ {
+ throw new AuthorizationException("This Action is unauthorized.");
+ }
 }
diff --git a/tests/Feature/UserTest.php b/tests/Feature/UserTest.php
index 97668b4f0e..f11ab71df9 100644
--- a/tests/Feature/UserTest.php
+++ b/tests/Feature/UserTest.php
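Review bot: The self-delete guard in authorize() (second hunk) calls `in_array()` on `$this->ids` before validation has run, so a request that omits `ids` or sends a non-array value raises a TypeError and surfaces as a 500 rather than the intended 403; compare `action` strictly and coerce the list first, e.g. `$ids = (array) $this->ids;` followed by `if ($this->action === 'delete' && in_array(auth()->user()->hashed_id, $ids, true)) {`. The two `nlog()` calls, one of them glued to the opening brace in `{nlog($this->all());`, look like leftover debugging and write the full request body to the application log on every bulk user request; they should be removed before merge. The guard still assumes `auth()->user()` is non-null, as the pre-existing `isAdmin()` line already did, so that is not new to this change. The method's docblock above the hunk is now inaccurate, since authorize() no longer means "is admin" but "is admin and is not deleting their own account"; a one-line addition such as `* A user may never delete themselves, even as an admin.` would keep it honest.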
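Review bot: The new `failedAuthorization()` in the last hunk has no return type and no comment explaining why it exists, and Laravel's FormRequest already throws an AuthorizationException with the message "This action is unauthorized." when authorize() returns false, so unless the project's base Request class changes that behaviour the override is redundant apart from the capitalised "Action". If the intent is to guarantee a plain exception (no redirect) for the self-delete case, say so, e.g. `/** Always fail with an AuthorizationException so the bulk endpoint returns 403 rather than redirecting. */`, and declare the return type (`: void`, or `: never` if the project targets PHP 8.1 or later). The enclosing class starts outside the hunk.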
@@ -56,6 +56,27 @@ class UserTest extends TestCase
 );
 }
+ public function testUserAttemptingtToDeleteThemselves()
+ {
+ $data = [
+ 'action' => 'delete',
+ 'ids' => [$this->user->hashed_id],
+ ];
+
+ nlog($data);
+
+ $response = $this->withHeaders([
+ 'X-API-SECRET' => config('ninja.api_secret'),
+ 'X-API-TOKEN' => $this->token,
+ // 'X-API-PASSWORD' => 'ALongAndBriliantPassword',
+ ])->postJson('/api/v1/users/bulk', $data)
+ ->assertStatus(200);
+
+ // nlog($response->json());
+
+ // $response->assertStatus(403);
+ }
+
 public function testDisconnectUserOauthMailer()
 {
 $user =