feat(Project): Introduced a policy to control the access

app/Http/Controllers/Api/ActivityController.php

@@ -7,7 +7,6 @@
 use App\Actions\CreateActivityAction;
 use App\Http\Requests\CreateActivityRequest;
 use App\Models\Project;
-use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 
 final readonly class ActivityController

app/Http/Requests/CreateActivityRequest.php

@@ -1,12 +1,14 @@
 <?php
 
+declare(strict_types=1);
+
 namespace App\Http\Requests;
 
 use App\Enums\EventType;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Validation\Rule;
 
-class CreateActivityRequest extends FormRequest
+final class CreateActivityRequest extends FormRequest
 {
     /**
      * Get the validation rules that apply to the request.

app/Policies/ProjectPolicy.php

@@ -0,0 +1,22 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Policies;
+
+use App\Models\Project;
+use App\Models\User;
+use Illuminate\Auth\Access\HandlesAuthorization;
+
+final readonly class ProjectPolicy
+{
+    use HandlesAuthorization;
+
+    /**
+     * Determine whether the user can view the project.
+     */
+    public function view(User $authUser, Project $project): bool
+    {
+        return $authUser->id === $project->user_id;
+    }
+}

app/Providers/AppServiceProvider.php

@@ -4,10 +4,13 @@
 
 namespace App\Providers;
 
+use App\Models\Project;
+use App\Policies\ProjectPolicy;
 use Carbon\CarbonImmutable;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Facades\Date;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\URL;
 use Illuminate\Support\Facades\Vite;
 use Illuminate\Support\ServiceProvider;
@@ -32,6 +35,7 @@ public function boot(): void
         $this->configureDates();
         $this->configureUrls();
         $this->configureVite();
+        $this->configurePolicies();
     }
 
     /**
@@ -77,4 +81,12 @@ private function configureVite(): void
     {
         Vite::useAggressivePrefetching();
     }
+
+    /**
+     * Configure the application's policies.
+     */
+    private function configurePolicies(): void
+    {
+        Gate::policy(Project::class, ProjectPolicy::class);
+    }
 }

database/factories/UserFactory.php

@@ -4,12 +4,17 @@
 
 namespace Database\Factories;
 
+use App\Models\User;
 use Illuminate\Database\Eloquent\Factories\Factory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Collection;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Str;
 
 /**
- * @extends \Illuminate\Database\Eloquent\Factories\Factory<\App\Models\User>
+ * @method Collection<User>|User create($attributes = [], ?Model $parent = null)
+ *
+ * @extends Factory<User>
  */
 final class UserFactory extends Factory
 {

routes/web.php

@@ -10,7 +10,7 @@
 });
 
 Route::prefix('api')->group(function () {
-    Route::prefix('{project}')->group(function () {
+    Route::prefix('{project}')->middleware('can:view,project')->group(function () {
         Route::post('activities', [ActivityController::class, 'store'])->name('api.activities.store');
     });
 });

tests/Feature/Http/Api/ActivityControllerTest.php

@@ -5,23 +5,26 @@
 use App\Enums\EventType;
 use App\Jobs\IngestActivity;
 use App\Models\Project;
+use App\Models\User;
 use Illuminate\Support\Facades\Queue;
 
 beforeEach()->only();
 
 it('can create an activity', function () {
     // Arrange...
     Queue::fake([IngestActivity::class]);
-    $project = Project::factory()->create()->fresh();
+    $authUser = User::factory()->create();
+    $project = Project::factory()->for($authUser)->create()->fresh();
 
     $events = [
         EventType::view('/about'),
     ];
 
     // Act...
-    $response = $this->postJson(route('api.activities.store', $project), [
-        'events' => $events,
-    ]);
+    $response = $this->actingAs($authUser)
+        ->postJson(route('api.activities.store', $project), [
+            'events' => $events,
+        ]);
 
     // Assert...
     $response->assertStatus(201);
@@ -32,15 +35,34 @@
     Queue::assertPushed(IngestActivity::class, 1);
 });
 
+it('cannot create an activity for a project that does not belong to the user', function () {
+    Queue::fake([IngestActivity::class]);
+    $project = Project::factory()->create();
+
+    $this->actingAs(User::factory()->create())
+        ->postJson(route('api.activities.store', $project), [
+            'events' => [
+                EventType::view('/about'),
+            ],
+        ])
+        ->assertStatus(403);
+
+    $this->assertDatabaseCount('activities', 0);
+
+    Queue::assertNotPushed(IngestActivity::class);
+});
+
 it('does not handle empty events', function () {
     // Arrange...
     Queue::fake([IngestActivity::class]);
-    $project = Project::factory()->create()->fresh();
+    $authUser = User::factory()->create();
+    $project = Project::factory()->for($authUser)->create()->fresh();
 
     // Act...
-    $response = $this->postJson(route('api.activities.store', $project), [
-        'events' => [],
-    ]);
+    $response = $this->actingAs($authUser)
+        ->postJson(route('api.activities.store', $project), [
+            'events' => [],
+        ]);
 
     // Assert...
     $response->assertStatus(422)->assertJsonValidationErrors([
@@ -56,27 +78,29 @@
 it('does not handle corrupted events', function () {
     // Arrange...
     Queue::fake([IngestActivity::class]);
-    $project = Project::factory()->create()->fresh();
+    $authUser = User::factory()->create();
+    $project = Project::factory()->for($authUser)->create()->fresh();
 
     // Act...
-    $response = $this->postJson(route('api.activities.store', $project), [
-        'events' => [
-            1,
-            'string',
-            [
+    $response = $this->actingAs($authUser)
+        ->postJson(route('api.activities.store', $project), [
+            'events' => [
                 1,
-            ],
-            [
-                'type' => 'view',
-            ],
-            [
-                'type' => 'view',
-                'payload' => [
-                    //
+                'string',
+                [
+                    1,
                 ],
-            ]
-        ],
-    ]);
+                [
+                    'type' => 'view',
+                ],
+                [
+                    'type' => 'view',
+                    'payload' => [
+                        //
+                    ],
+                ],
+            ],
+        ]);
 
     // Assert...
     $response->assertStatus(422)->assertJsonValidationErrors([

tests/Unit/Policies/ProjectPolicyTest.php

@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+use App\Models\Project;
+use App\Models\User;
+use App\Policies\ProjectPolicy;
+
+it('can view a project', function () {
+    $user = User::factory()->create();
+    $project = Project::factory()->for($user)->create();
+
+    expect((new ProjectPolicy())->view($user, $project))
+        ->toBeTrue();
+});
+
+it('cannot view a project that does not belong to the user', function () {
+    $user = User::factory()->create();
+    $project = Project::factory()->create();
+
+    expect((new ProjectPolicy())->view($user, $project))
+        ->toBeFalse();
+});