From ce6827fab808e5c770129ebf71f9ee8bdcaa7d4b Mon Sep 17 00:00:00 2001 From: PovilasKorop Date: Mon, 29 Nov 2021 15:31:28 +0200 Subject: [PATCH] Task 7 - update forbidden field --- README.md | 8 +++++ app/Http/Controllers/UserController.php | 18 +++++++++++ app/Http/Requests/UpdateUserRequest.php | 31 ++++++++++++++++++ app/Models/User.php | 1 + ..._29_132328_add_is_admin_to_users_table.php | 32 +++++++++++++++++++ routes/web.php | 1 + tests/Feature/ValidationTest.php | 18 +++++++++++ 7 files changed, 109 insertions(+) create mode 100644 app/Http/Controllers/UserController.php create mode 100644 app/Http/Requests/UpdateUserRequest.php create mode 100644 database/migrations/2021_11_29_132328_add_is_admin_to_users_table.php diff --git a/README.md b/README.md index 6a1d26b..c65289b 100644 --- a/README.md +++ b/README.md @@ -80,3 +80,11 @@ Test method `test_form_request_validation()`. --- +## Task 7. Update Forbidden Field. + +In `app/Http/Controllers/UserController.php` file, in `update` method, the code updates all the fields. But users.is_admin should not be updated, even if it's passed via the request. Change the line with `$request->all()` to avoid this security issue of updating the admin. + +Test method `test_update_forbidden_field()`. + +--- + diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php new file mode 100644 index 0000000..404d747 --- /dev/null +++ b/app/Http/Controllers/UserController.php @@ -0,0 +1,18 @@ +update($request->all()); + + return 'Success'; + } +} diff --git a/app/Http/Requests/UpdateUserRequest.php b/app/Http/Requests/UpdateUserRequest.php new file mode 100644 index 0000000..8646c57 --- /dev/null +++ b/app/Http/Requests/UpdateUserRequest.php @@ -0,0 +1,31 @@ + 'required', + 'email' => 'required', + ]; + } +} diff --git a/app/Models/User.php b/app/Models/User.php index e23e090..6a41429 100644 --- a/app/Models/User.php +++ b/app/Models/User.php 
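Review bot: `$user->update($request->all())` in UserController::update hands every request field to the model, and because the app/Models/User.php hunk adds `'is_admin'` to `$fillable`, a request body carrying `is_admin` now changes that flag on whichever user the route resolves — the issue the README hunk describes, shipped unsolved. Writing only the validated set keeps the update bounded by the rules in UpdateUserRequest: `$user->update($request->validated());` (or `$request->only(['name', 'email'])`). The file's opening lines (namespace, imports, class header) appear stripped from this view, so the rest of the controller cannot be checked here.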
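Review bot: The `email` rule in UpdateUserRequest::rules is only `'required'`, so any non-empty string is accepted and an address already used by another account can be written onto this user. A format and uniqueness rule scoped to the user being updated is the usual shape: `'email' => ['required', 'email', Rule::unique('users')->ignore($this->route('user'))],` with `use Illuminate\Validation\Rule;` added to the imports. The body of `authorize()` is not visible in this view, so whether it authorizes unconditionally cannot be confirmed here.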
@@ -21,6 +21,7 @@ class User extends Authenticatable 'name', 'email', 'password', + 'is_admin', ]; /** diff --git a/database/migrations/2021_11_29_132328_add_is_admin_to_users_table.php b/database/migrations/2021_11_29_132328_add_is_admin_to_users_table.php new file mode 100644 index 0000000..279ff21 --- /dev/null +++ b/database/migrations/2021_11_29_132328_add_is_admin_to_users_table.php @@ -0,0 +1,32 @@ +boolean('is_admin')->default(false); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::table('users', function (Blueprint $table) { + // + }); + } +} diff --git a/routes/web.php b/routes/web.php index 190ffdc..81ec94b 100644 --- a/routes/web.php +++ b/routes/web.php @@ -19,6 +19,7 @@ Route::resource('projects', \App\Http\Controllers\ProjectController::class); Route::resource('products', \App\Http\Controllers\ProductController::class); Route::resource('teams', \App\Http\Controllers\TeamController::class); Route::resource('items', \App\Http\Controllers\ItemController::class); +Route::put('users/{user}', [\App\Http\Controllers\UserController::class, 'update']); Route::get('/', function () { return view('welcome'); diff --git a/tests/Feature/ValidationTest.php b/tests/Feature/ValidationTest.php index 4ff254d..a8e4714 100644 --- a/tests/Feature/ValidationTest.php +++ b/tests/Feature/ValidationTest.php @@ -81,4 +81,22 @@ class ValidationTest extends TestCase ]); $response->assertStatus(200); } + + public function test_update_forbidden_field() + { + $user = User::factory()->create(); + + // field is_admin should not be possible to update + $updatedUser = [ + 'name' => 'Updated name', + 'email' => 'updated@email.com', + 'is_admin' => 1 + ]; + $response = $this->put('users/' . $user->id, $updatedUser); + $response->assertStatus(200); + + $user = User::where('name', $updatedUser['name'])->first(); + $this->assertNotNull($user); + $this->assertEquals(false, $user->is_admin); + } }
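Review bot: `down()` in the new migration leaves its `Schema::table('users', ...)` closure empty (`//`), so a rollback keeps the `is_admin` column that `up()` adds and re-running the migration then fails on the duplicate column. Mirror the forward change inside the closure: `$table->dropColumn('is_admin');`. The top of the file, including the `up()` signature, is cut from this view, so only the visible `boolean('is_admin')->default(false)` line is taken as the forward change.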
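Review bot: `$this->assertEquals(false, $user->is_admin)` in test_update_forbidden_field compares loosely, so it passes for `0`, `'0'` or `null` alike and does not distinguish an uncast integer column from the intended boolean; looking the row up by the submitted name rather than by id also means the assertion is not tied to the record the request targeted. Reloading the created user and asserting strictly is tighter: `$this->assertFalse((bool) $user->fresh()->is_admin);`, or add `'is_admin' => 'boolean'` to the model's `$casts` (not shown in this diff) and drop the cast. As committed the test should fail, since the controller hunk still mass-assigns `is_admin` via `$request->all()`.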