feat: centralize view-users gate, apply middleware, add coverage

Author: eiresendez

ProcessMaker/Http/Controllers/Api/UserController.php

@@ -86,11 +86,7 @@ class UserController extends Controller
      */
     public function index(Request $request)
     {
-        if (!(Auth::user()->can('view-users') ||
-            Auth::user()->can('create-processes') ||
-            Auth::user()->can('edit-processes') ||
-            Auth::user()->can('create-projects') ||
-            Auth::user()->can('view-projects'))) {
+        if (Auth::user()->cannot('view-users')) {
             throw new AuthorizationException(__('Not authorized to view users.'));
         }
         $query = User::nonSystem();

ProcessMaker/Providers/AuthServiceProvider.php

@@ -102,9 +102,13 @@ public function defineGates()
                 });
             }
 
-            // Allow project managers to list users for membership without the full view-users permission.
+            // Allow listing users when managing projects or processes without the full view-users permission.
             Gate::define('view-users', function ($user) {
-                return $user->hasPermission('view-users') || $user->hasPermission('create-projects');
+                return $user->hasPermission('view-users')
+                    || $user->hasPermission('create-projects')
+                    || $user->hasPermission('create-processes')
+                    || $user->hasPermission('edit-processes')
+                    || $user->hasPermission('view-projects');
             });
         } catch (\Exception $e) {
             Log::notice('Unable to register gates. Either no database connection or no permissions table exists.');

tests/Feature/Api/UserControllerTest.php

@@ -0,0 +1,69 @@
+<?php
+
+namespace Tests\Feature\Api;
+
+use Illuminate\Support\Facades\Cache;
+use ProcessMaker\Models\Permission;
+use Tests\Feature\Shared\RequestHelper;
+use Tests\TestCase;
+
+class UserControllerTest extends TestCase
+{
+    use RequestHelper {
+        RequestHelper::setUp as requestHelperSetUp;
+    }
+
+    public $withPermissions = true;
+
+    protected function setUp(): void
+    {
+        $this->requestHelperSetUp();
+
+        $this->user->is_administrator = false;
+        $this->user->save();
+        $this->user->permissions()->detach();
+        Cache::forget("user_{$this->user->id}_manager");
+        Cache::forget("user_{$this->user->id}_permissions");
+        $this->user->invalidatePermissionCache();
+    }
+
+    public function testUsersIndexRequiresPermission(): void
+    {
+        self::assertFalse($this->user->hasPermission('view-users'));
+
+        $response = $this->apiCall('GET', route('api.users.index'));
+
+        $response->assertStatus(403);
+    }
+
+    public function testUsersIndexSucceedsWithPermission(): void
+    {
+        $this->user->permissions()->attach(Permission::byName('view-users'));
+        $this->user->refresh();
+        $this->user->invalidatePermissionCache();
+
+        $response = $this->apiCall('GET', route('api.users.index'));
+
+        $response->assertOk();
+    }
+
+    public function testUsersTaskCountRequiresPermission(): void
+    {
+        self::assertFalse($this->user->hasPermission('view-users'));
+
+        $response = $this->apiCall('GET', route('api.users.users_task_count'));
+
+        $response->assertStatus(403);
+    }
+
+    public function testUsersTaskCountSucceedsWithPermission(): void
+    {
+        $this->user->permissions()->attach(Permission::byName('view-users'));
+        $this->user->refresh();
+        $this->user->invalidatePermissionCache();
+
+        $response = $this->apiCall('GET', route('api.users.users_task_count'));
+
+        $response->assertOk();
+    }
+}