Skip to content

🔐 Implement authorization checks for removing relations #108

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

🔐 Implement authorization checks for removing relations #108

wants to merge 2 commits into from

Conversation

erikgaal
Copy link
Contributor

No description provided.

@erikgaal erikgaal requested a review from robertvansteen March 30, 2019 18:16
@codecov
Copy link

codecov bot commented Mar 30, 2019
edited
Loading

Codecov Report

❗ No coverage uploaded for pull request base (master@753ebbe). Click here to learn what that means.
The diff coverage is 82.14%.

Impacted file tree graph

@@            Coverage Diff            @@
##             master     #108   +/-   ##
=========================================
  Coverage          ?   86.06%           
  Complexity        ?      674           
=========================================
  Files             ?       77           
  Lines             ?     1995           
  Branches          ?        0           
=========================================
  Hits              ?     1717           
  Misses            ?      278           
  Partials          ?        0
Impacted Files Coverage Δ Complexity Δ
src/Eloquent/Concerns/Authorizable.php 62.79% <50%> (ø) 18 <2> (?)
src/Eloquent/Concerns/InteractsWithRelations.php 93.24% <90.9%> (ø) 59 <0> (?)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 753ebbe...71acdd4. Read the comment docs.

robertvansteen
robertvansteen reviewed Apr 12, 2019
View reviewed changes
src/Eloquent/Concerns/InteractsWithRelations.php
*/
protected function connectBelongsToRelation(Relations\BelongsTo $relation, $id)
{
$current = $relation->first();

if ($current) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean we always call authorizeToRemove when there’s an existing relation? Seems a bit overkill if you are just updating it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What do you mean with just updating it?

$old = [
  'related_id' => '1',
]
$input = [
  'related_id' => '1',
]

I do however believe that when you're not actually changing the relation, it should not need to authorize changing the fields. (e.g. only check dirty/changed fields)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you would update it with 'related_id' => '2' it would trigger the authorizeToRemove that feels unnecessary. Definitely agree on skipping authorisation when it's not dirty.

@erikgaal erikgaal added this to the 3.1 milestone Apr 12, 2019
@robertvansteen robertvansteen modified the milestones: 3.1, 3.0 Aug 20, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robertvansteen robertvansteen robertvansteen left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
3.0
Development

Successfully merging this pull request may close these issues.
2 participants
@erikgaal @robertvansteen