Added separate policy for Attachment

Author: tabuna

src/Platform/Http/Controllers/SortableController.php

@@ -9,18 +9,30 @@
 class SortableController extends Controller
 {
     /**
-     * @param Request $request
+     * Save the sort order for a sortable model.
+     * Authorization is performed via the model's Policy method `isSortable`.
+     *
+     * @param \Illuminate\Http\Request $request Must contain 'model' (class name) and 'items' (array of {id, sortOrder})
      *
      * @return void
      */
     public function saveSortOrder(Request $request): void
     {
+        $request->validate([
+            'model' => 'required|string',
+            'items' => 'required|array',
+            'items.*.id' => 'required',
+            'items.*.sortOrder' => 'required|integer|min:0',
+        ]);
+
         $classModel = $request->input('model');
 
         abort_unless(class_exists($classModel), 400);
 
         $model = new $classModel;
 
+        $this->authorize('isSortable', $model);
+
         $request->collect('items')->each(function ($item) use ($model) {
             $model->where($model->getKeyName(), '=', $item['id'])->update([
                 $model->getSortColumnName() => $item['sortOrder'],

tests/App/Policies/PolicySortDeny.php

@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Orchid\Tests\App\Policies;
+
+use Illuminate\Contracts\Auth\Authenticatable;
+
+/**
+ * Policy for tests: forbids sorting to assert that SortableController
+ * respects the policy and returns 403 when isSortable() returns false.
+ */
+class PolicySortDeny
+{
+    public function isSortable(?Authenticatable $user): bool
+    {
+        return false;
+    }
+}

tests/Feature/Platform/SortableTest.php

@@ -4,12 +4,64 @@
 
 namespace Orchid\Tests\Feature\Platform;
 
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Http\UploadedFile;
 use Orchid\Attachment\Models\Attachment;
+use Orchid\Platform\Models\User;
+use Orchid\Tests\App\Policies\PolicySortDeny;
 use Orchid\Tests\TestFeatureCase;
 
 class SortableTest extends TestFeatureCase
 {
+    public function setUp():void
+    {
+        parent::setUp();
+        Gate::policy(Attachment::class, null);
+    }
+
+    public function tearDown():void
+    {
+        Gate::policy(Attachment::class, null);
+        parent::tearDown();
+    }
+
+    public function testSortingIsForbiddenWhenPolicyDenies(): void
+    {
+        Gate::policy(Attachment::class, PolicySortDeny::class);
+
+        $response = $this
+            ->actingAs($this->createAdminUser())
+            ->post(route('orchid.files.upload'), [
+                'files' => [
+                    UploadedFile::fake()->image('first.jpg'),
+                    UploadedFile::fake()->image('second.png'),
+                ],
+            ]);
+
+        $attachments = $response->decodeResponseJson()->json();
+
+        $ids = array_column($attachments, 'id');
+        $sortBefore = Attachment::whereIn('id', $ids)->pluck('sort', 'id')->toArray();
+
+        $sortItems = collect($ids)->map(fn ($id, $index) => [
+            'id' => $id,
+            'sortOrder' => $index,
+        ])->values()->all();
+
+        $response = $this
+            ->actingAs($this->createAdminUser())
+            ->post(route('orchid.sorting'), [
+                'items' => $sortItems,
+                'model' => Attachment::class,
+            ]);
+
+        $response->assertForbidden();
+
+        $sortAfter = Attachment::whereIn('id', $ids)->pluck('sort', 'id')->toArray();
+        $this->assertSame($sortBefore, $sortAfter, 'Sort order must not change when policy denies.');
+    }
+
+
     public function testAttachmentHttpSort(): void
     {
         $response = $this
@@ -43,7 +95,7 @@ public function testAttachmentHttpSort(): void
                 'model' => Attachment::class,
             ]);
 
-        $response->isOk();
+        $response->assertOk();
 
         $attachments = Attachment::whereIn('id', $originalFiles)
             ->pluck('sort', 'id')