From 52028ddef2f400b8251b455d648ec4d3ddcc609c Mon Sep 17 00:00:00 2001
From: Marcus Moore
Date: Mon, 11 Dec 2023 15:34:17 -0800
Subject: [PATCH] Add authorization to saving saved reports route

---
 .../Controllers/SavedReportsController.php | 2 ++
 routes/web.php | 1 +
 .../Feature/SavedReports/SavedReportsTest.php | 18 ++++++++++++++++++
 3 files changed, 21 insertions(+)

diff --git a/app/Http/Controllers/SavedReportsController.php b/app/Http/Controllers/SavedReportsController.php
index 603cb76c08..ddc611539c 100644
--- a/app/Http/Controllers/SavedReportsController.php
+++ b/app/Http/Controllers/SavedReportsController.php
@@ -8,6 +8,8 @@ class SavedReportsController extends Controller
 {
     public function store(Request $request)
     {
+        $this->authorize('reports.view');
+
         $report = $request->user()->savedReports()->create([
             'name' => $request->get('report_name'),
             'options' => $request->except(['_token', 'report_name']),
diff --git a/routes/web.php b/routes/web.php
index 8da447916a..14d98d7318 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -357,6 +357,7 @@ Route::group(['middleware' => ['auth']], function () {
         )->name('reports/export/accessories');
         Route::get('reports/custom', [ReportsController::class, 'getCustomReport'])->name('reports/custom');
         Route::post('reports/custom', [ReportsController::class, 'postCustom']);
+        // @todo: change to saved-template?
         Route::post('reports/savedtemplate', [SavedReportsController::class, 'store'])->name('savedreports/store');
 
         Route::get(
diff --git a/tests/Feature/SavedReports/SavedReportsTest.php b/tests/Feature/SavedReports/SavedReportsTest.php
index 7c465beae8..c95da4feaf 100644
--- a/tests/Feature/SavedReports/SavedReportsTest.php
+++ b/tests/Feature/SavedReports/SavedReportsTest.php
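Review bot: The added `$this->authorize('reports.view')` gates a write action on a read permission, and the lines right after it persist `$request->get('report_name')` and the entire remaining payload via `$request->except([...])` into `options` with no validation, so an authorized user can still store an empty name or arbitrary keys. If the project defines a permission specific to saving or managing reports it would fit this route better than `reports.view` (not visible from here). A `$request->validate(['report_name' => 'required|string|max:255']);` before the `create` call, or a form request, would also give the new `testSavingReportRequiresValidFields` test the `report_name` error it expects. The body of `store` continues outside the hunk.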
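Review bot: The added `// @todo: change to saved-template?` records an intent without saying why or what would change, and a rename of the path only affects clients that hardcode `reports/savedtemplate` rather than resolve the `savedreports/store` name. Something like `// @todo: rename the path to reports/saved-template; the route name savedreports/store stays, so route() callers are unaffected` would make the follow-up actionable. With the permission check now living only in the controller, `->middleware('can:reports.view')` on this `Route::post` would make the requirement visible next to the `auth` group guard, if the project prefers route-level authorization.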
@@ -49,4 +49,22 @@ class SavedReportsTest extends TestCase
     {
         $this->markTestIncomplete();
     }
+
+    public function testSavingReportRequiresValidFields()
+    {
+        $this->markTestIncomplete();
+
+        $this->actingAs(User::factory()->canViewReports()->create())
+            ->post(route('savedreports/store'), [
+                //
+            ])
+            ->assertSessionHasErrors('report_name');
+    }
+
+    public function testSavingReportRequiresCorrectPermission()
+    {
+        $this->actingAs(User::factory()->create())
+            ->post(route('savedreports/store'))
+            ->assertForbidden();
+    }
 }
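Review bot: `testSavingReportRequiresCorrectPermission` covers only the deny path; nothing in this file asserts that a user built with `canViewReports()` can actually save a report, so a regression that made `authorize('reports.view')` reject everyone would still pass the suite. `testSavingReportRequiresValidFields` calls `markTestIncomplete()` before issuing its request, so the `report_name` error it expects is not exercised either, and the controller hunk in this same commit reads `report_name` without validating it. A positive test along the following lines closes the first gap; the response assertion depends on what `store` returns after the `create` call, which lies outside the controller hunk, so adjust it to the actual response.
```php
    public function testUserWithPermissionCanSaveReport()
    {
        $user = User::factory()->canViewReports()->create();

        $this->actingAs($user)
            ->post(route('savedreports/store'), ['report_name' => 'Accessories by location'])
            ->assertSessionHasNoErrors();

        $this->assertSame(1, $user->savedReports()->count());
    }
```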