Fix userfrosting/UserFrosting#1256

userfrosting · Jun 12, 2024 · fc70af0 · fc70af0
1 parent 8be4954
commit fc70af0
Show file tree

Hide file tree

Showing 3 changed files with 70 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [5.1.0](https://github.com/userfrosting/sprinkle-admin/compare/5.1.0...5.1.1)
+- Fix issue when a Group Administrator without the `create_user_field` permission creates a new user, the new user SHOULD inherit the admin's group (Fix [#1256](https://github.com/userfrosting/UserFrosting/issues/1256))
+
 ## [5.1.0](https://github.com/userfrosting/sprinkle-admin/compare/5.0.1...5.1.0)
 - Drop PHP 8.1 support, add PHP 8.3 support
 - Update to Laravel 10

diff --git a/app/src/Controller/User/UserCreateAction.php b/app/src/Controller/User/UserCreateAction.php
@@ -128,14 +128,6 @@ protected function handle(Request $request): void
         $data['flag_verified'] = true;
         $data['flag_enabled'] = true;
 
-        // Now that we check the form, we can try to register the actual user
-        $user = new $this->userModel($data);
-
-        // Try registration. Exceptions will be thrown if it fails.
-        // No need to catch, as this kind of exception will automatically
-        // handled by the error handlers.
-        $this->userValidation->validate($user);
-
         // Determine if currentUser has permission to modify the group.  If so, show the 'group' dropdown.
         // Otherwise, set to the currentUser's group and disable the dropdown.
         if ($this->authenticator->checkAccess('create_user_field', ['fields' => ['group']]) === false) {
@@ -150,6 +142,14 @@ protected function handle(Request $request): void
             $data['group_id'] = $currentUser->group_id;
         }
 
+        // Now that we check the form, we can try to register the actual user
+        $user = new $this->userModel($data);
+
+        // Try registration. Exceptions will be thrown if it fails.
+        // No need to catch, as this kind of exception will automatically
+        // handled by the error handlers.
+        $this->userValidation->validate($user);
+
         // Ready to save
         $this->db->transaction(function () use ($user, $data, $currentUser) {
             // Store new user to database

diff --git a/app/tests/Controller/User/UserCreateActionTest.php b/app/tests/Controller/User/UserCreateActionTest.php
@@ -299,6 +299,65 @@ public function testPostForGroup(): void
         $this->assertSame('success', array_reverse($messages)[0]['type']);
     }
 
+    /**
+     * When a Group Administrator without the create_user_field permission
+     * creates a new user, the new user SHOULD inherit the admin's group.
+     * Same as previous test, however, `group_id` is not set in the data payload.
+     *
+     * @see https://github.com/userfrosting/UserFrosting/issues/1256
+     */
+    public function testPostForGroupIsSetAs(): void
+    {
+        /** @var Group */
+        $group = Group::factory()->create();
+
+        /** @var User */
+        $user = User::factory()->for($group)->create();
+        $this->actAsUser($user, permissions: ['create_user']);
+
+        /** @var Config */
+        $config = $this->ci->get(Config::class);
+
+        // Force locale config.
+        $config->set('site.registration.user_defaults.locale', 'en_US');
+        $config->set('site.locales.available', ['en_US' => true]);
+
+        /** @var Mailer */
+        $mailer = Mockery::mock(Mailer::class)
+            ->makePartial()
+            ->shouldReceive('send')->once()
+            ->getMock();
+        $this->ci->set(Mailer::class, $mailer);
+
+        // Set post payload
+        $data = [
+            'user_name'  => 'foo',
+            'first_name' => 'Foo',
+            'last_name'  => 'Bar',
+            'email'      => '[email protected]',
+        ];
+
+        // Create request with method and url and fetch response
+        $request = $this->createJsonRequest('POST', '/api/users', $data);
+        $response = $this->handleRequest($request);
+
+        // Assert response status & body
+        $this->assertResponseStatus(200, $response);
+        $this->assertJsonResponse([], $response);
+
+        // Make sure the user is added to the db by querying it
+        /** @var User */
+        $user = User::where('email', '[email protected]')->first();
+        $this->assertSame($group->id, $user->group?->id);
+        $this->assertSame('en_US', $user['locale']); // Locale will be default :)
+
+        // Test message
+        /** @var AlertStream */
+        $ms = $this->ci->get(AlertStream::class);
+        $messages = $ms->getAndClearMessages();
+        $this->assertSame('success', array_reverse($messages)[0]['type']);
+    }
+
     /**
      * @depends testPost
      */