Add h5p_author_delete permission (#197)

EscolaLMS · Sep 21, 2023 · 357a1df · 357a1df
1 parent 23e6a30
commit 357a1df
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 3 deletions.
diff --git a/src/Enums/H5PPermissionsEnum.php b/src/Enums/H5PPermissionsEnum.php
@@ -14,6 +14,7 @@ class H5PPermissionsEnum extends BasicEnum
 
     const H5P_AUTHOR_LIST = 'h5p_author_list';
     const H5P_AUTHOR_UPDATE = 'h5p_author_update';
+    const H5P_AUTHOR_DELETE = 'h5p_author_delete';
 
     const H5P_LIBRARY_LIST = 'h5p_library_list';
     const H5P_LIBRARY_READ = 'h5p_library_read';

diff --git a/src/Policies/H5PContentPolicy.php b/src/Policies/H5PContentPolicy.php
@@ -26,12 +26,14 @@ public function create(?User $user): bool
         return $user && $user->can(H5PPermissionsEnum::H5P_CREATE);
     }
 
-    public function delete(?User $user): bool
+    public function delete(?User $user, H5PContent $h5PContent): bool
     {
-        return $user && $user->can(H5PPermissionsEnum::H5P_DELETE);
+        return $user &&
+            ($user->can(H5PPermissionsEnum::H5P_DELETE) ||
+            ($user->can(H5PPermissionsEnum::H5P_AUTHOR_DELETE) && $h5PContent->user_id == $user->getKey()));
     }
 
-    public function update(?User $user, H5PContent $h5PContent ): bool
+    public function update(?User $user, H5PContent $h5PContent): bool
     {
         if ($user && $user->can(H5PPermissionsEnum::H5P_AUTHOR_UPDATE) && !$user->can(H5PPermissionsEnum::H5P_UPDATE)) {
             return $h5PContent->user_id == $user->getKey();

diff --git a/tests/Api/ContentApiTest.php b/tests/Api/ContentApiTest.php
@@ -568,6 +568,27 @@ public function testContentDelete(): void
         $response->assertStatus(404);
     }
 
+    public function testContentDeleteByAuthor(): void
+    {
+        $this->authenticateAsUser();
+        $this->user->givePermissionTo(H5PPermissionsEnum::H5P_AUTHOR_DELETE);
+
+        $library = H5PLibrary::factory()->create(['runnable' => 1]);
+        $content = H5PContent::factory()->create([
+            'user_id' => $this->user->getKey(),
+            'library_id' => $library->getKey()
+        ]);
+
+        $this->actingAs($this->user, 'api')
+            ->delete('/api/admin/hh5p/content/' . $content->getKey())
+            ->assertStatus(200);
+
+        $otherContent = H5PContent::factory()->create(['library_id' => $library->getKey()]);
+        $this->actingAs($this->user, 'api')
+            ->delete('/api/admin/hh5p/content/' . $otherContent->getKey())
+            ->assertForbidden();
+    }
+
     public function testContentShow(): void
     {
         $this->authenticateAsAdmin();