Switch to policy authorization

src/Http/Controllers/Api/TransectImageController.php

@@ -27,7 +27,7 @@ class TransectImageController extends Controller
      */
     public function indexOrderByFilename($id) {
         $transect = Transect::findOrFail($id);
-        $this->requireCanSee($transect);
+        $this->authorize('access', $transect);
 
         return $transect->images()
             ->orderBy('filename', 'asc')

src/Http/Controllers/ImageController.php

@@ -16,7 +16,7 @@ class ImageController extends Controller
     public function index($id)
     {
         $image = Image::findOrFail($id);
-        $this->requireCanSee($image);
+        $this->authorize('access', $image);
         $exifKeys = ['DateTime', 'Model', 'ShutterSpeedValue', 'ApertureValue', 'Flash', 'GPS Latitude', 'GPS Longitude', 'GPS Altitude'];
         $image->setAttribute('exif', $image->getExif());
         $size = $image->getSize();

src/Http/Controllers/TransectController.php

@@ -17,7 +17,7 @@ class TransectController extends Controller
     public function create()
     {
         $project = Project::findOrFail($this->request->input('project'));
-        $this->requireCanAdmin($project);
+        $this->authorize('update', $project);
 
         return view('transects::create')
             ->with('project', $project)
@@ -34,12 +34,11 @@ public function create()
     public function index($id)
     {
         $transect = Transect::with('projects')->findOrFail($id);
-        $this->requireCanSee($transect);
+        $this->authorize('access', $transect);
 
         return view('transects::index')
             ->with('imageIds', $transect->images()->orderBy('filename', 'asc')->pluck('id'))
-            ->withTransect($transect)
-            ->with('isAdmin', $this->user->canAdminOneOfProjects($transect->projectIds()));
+            ->withTransect($transect);
     }
 
     /**
@@ -52,7 +51,7 @@ public function index($id)
     public function edit($id)
     {
         $transect = Transect::with('projects')->findOrFail($id);
-        $this->requireCanAdmin($transect);
+        $this->authorize('update', $transect);
 
         return view('transects::edit')
             ->withTransect($transect)

src/resources/views/index/menubar.blade.php

@@ -1,7 +1,7 @@
 <div class="transect-menubar">
-    @if ($isAdmin)
+    @can ('update', $transect)
         <a href="{{ route('transect-edit', $transect->id) }}" class="btn btn-default transect-menubar__item" title="Edit this transect"><span class="glyphicon glyphicon-pencil" aria-hidden="true"></span></a>
-    @endif
+    @endcan
     @if (!empty($modules->getMixins('transectsFilters')))
         <div class="transect-filter-menu-group">
             <button class="btn btn-default transect-menubar__item" data-popover-placement="right" data-uib-popover-template="'filterPopover.html'" type="button" title="Filter images" data-ng-class="{'btn-info':active()}" data-ng-controller="FilterController">

tests/Http/Controllers/Api/TransectsModuleHttpControllersApiTransectImageControllerTest.php

@@ -14,7 +14,7 @@ public function testIndexOrderByFilename() {
 
         $this->beUser();
         $this->get("/api/v1/transects/{$id}/images/order-by/filename");
-        $this->assertResponseStatus(401);
+        $this->assertResponseStatus(403);
 
         if (DB::connection() instanceof Illuminate\Database\SQLiteConnection) {
             $expect = "[\"{$image2->id}\",\"{$image1->id}\"]";

tests/Http/Controllers/TransectsModuleHttpControllersImageControllerTest.php

@@ -17,7 +17,7 @@ public function testIndex() {
       // doesn't belong to project
       $this->be($user);
       $this->get('images/'.$image->id);
-      $this->assertResponseStatus(401);
+      $this->assertResponseStatus(403);
 
       $this->be($project->creator);
       $this->get('images/'.$image->id);

tests/Http/Controllers/TransectsModuleHttpControllersTransectControllerTest.php

@@ -12,17 +12,15 @@ public function testIndex() {
         // doesn't belong to project
         $this->beUser();
         $this->get("transects/{$id}");
-        $this->assertResponseStatus(401);
+        $this->assertResponseStatus(403);
 
         $this->beEditor();
         $this->get("transects/{$id}");
         $this->assertResponseOk();
-        $this->assertViewHas('isAdmin', false);
 
         $this->beAdmin();
         $this->get("transects/{$id}");
         $this->assertResponseOk();
-        $this->assertViewHas('isAdmin', true);
 
         // doesn't exist
         $this->get('projects/-1');
@@ -39,7 +37,7 @@ public function testCreate() {
         $this->beEditor();
         // user is not allowed to edit the project
         $this->get('transects/create?project='.$id);
-        $this->assertResponseStatus(401);
+        $this->assertResponseStatus(403);
 
         $this->beAdmin();
         // project doesn't exist
@@ -55,20 +53,20 @@ public function testEdit() {
 
         $this->beUser();
         $this->get("transects/edit/{$id}");
-        $this->assertResponseStatus(401);
+        $this->assertResponseStatus(403);
 
         $this->beGuest();
         $this->get("transects/edit/{$id}");
-        $this->assertResponseStatus(401);
+        $this->assertResponseStatus(403);
 
         $this->beEditor();
         $this->get("transects/edit/{$id}");
-        $this->assertResponseStatus(401);
+        $this->assertResponseStatus(403);
 
         // even the transect creator is not allowed if they are no project admin
         $this->be($this->transect()->creator);
         $this->get("transects/edit/{$id}");
-        $this->assertResponseStatus(401);
+        $this->assertResponseStatus(403);
 
         $this->beAdmin();
         $this->get("transects/edit/{$id}");