From 950c7788be0649ce2c20607b3862b07dcdbd9fec Mon Sep 17 00:00:00 2001 From: Nabeel S Date: Sat, 6 Mar 2021 13:49:42 -0500 Subject: [PATCH] Restrict Simbrief to user who generated it (#1064) * Restrict simbrief to user * Style fixes * Add tests * Style fix --- app/Http/Controllers/Api/UserController.php | 3 +- .../Controllers/Frontend/FlightController.php | 10 ++- app/Services/BidService.php | 4 +- .../layouts/default/flights/table.blade.php | 2 +- tests/SimBriefTest.php | 80 ++++++++++++++++++- 5 files changed, 93 insertions(+), 6 deletions(-) diff --git a/app/Http/Controllers/Api/UserController.php b/app/Http/Controllers/Api/UserController.php index 49cc1bb6..4fe0963a 100644 --- a/app/Http/Controllers/Api/UserController.php +++ b/app/Http/Controllers/Api/UserController.php @@ -106,7 +106,8 @@ class UserController extends Controller */ public function bids(Request $request) { - $user = $this->userSvc->getUser($this->getUserId($request)); + $user_id = $this->getUserId($request); + $user = $this->userSvc->getUser($user_id); // Add a bid if ($request->isMethod('PUT') || $request->isMethod('POST')) { diff --git a/app/Http/Controllers/Frontend/FlightController.php b/app/Http/Controllers/Frontend/FlightController.php index aba65fbc..a4a53e6f 100644 --- a/app/Http/Controllers/Frontend/FlightController.php +++ b/app/Http/Controllers/Frontend/FlightController.php @@ -106,7 +106,13 @@ class FlightController extends Controller } $flights = $this->flightRepo->searchCriteria($request) - ->with(['dpt_airport', 'arr_airport', 'airline']) + ->with([ + 'dpt_airport', + 'arr_airport', + 'airline', + 'simbrief' => function ($query) use ($user) { + $query->where('user_id', $user->id); + }, ]) ->orderBy('flight_number', 'asc') ->orderBy('route_leg', 'asc') ->paginate(); 
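Review bot: The new `simbrief` eager-load constraint in FlightController dereferences `$user->id` inside the closure, but `$user` is assigned before this hunk starts, so it is not visible here whether it can be null (for example an unauthenticated visitor to the flight search); if it can, the closure throws instead of simply yielding no briefing. Either restrict the route to authenticated users or make the constraint tolerate a missing user, e.g. `$query->where('user_id', $user ? $user->id : null);`. The closure does not use `$this`, so `static function ($query) use ($user)` is the conventional form; the identical closure in the BidService hunk would take the same treatment. The enclosing method starts and ends outside this hunk.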
@@ -115,6 +121,7 @@ class FlightController extends Controller ->pluck('flight_id')->toArray(); return view('flights.index', [ + 'user' => $user, 'airlines' => $this->airlineRepo->selectBoxList(true), 'airports' => $this->airportRepo->selectBoxList(true), 'flights' => $flights, @@ -158,6 +165,7 @@ class FlightController extends Controller } return view('flights.bids', [ + 'user' => $user, 'airlines' => $this->airlineRepo->selectBoxList(true), 'airports' => $this->airportRepo->selectBoxList(true), 'flights' => $flights, diff --git a/app/Services/BidService.php b/app/Services/BidService.php index 738c7b75..14a9241b 100644 --- a/app/Services/BidService.php +++ b/app/Services/BidService.php @@ -50,7 +50,9 @@ class BidService extends Service $bids = Bid::with([ 'flight', 'flight.fares', - 'flight.simbrief', + 'flight.simbrief' => function ($query) use ($user) { + $query->where('user_id', $user->id); + }, 'flight.simbrief.aircraft', 'flight.subfleets', 'flight.subfleets.aircraft', diff --git a/resources/views/layouts/default/flights/table.blade.php b/resources/views/layouts/default/flights/table.blade.php index 96b85bdb..f9db2bee 100644 --- a/resources/views/layouts/default/flights/table.blade.php +++ b/resources/views/layouts/default/flights/table.blade.php @@ -82,7 +82,7 @@ @endif - @if ($flight->simbrief) + @if ($flight->simbrief && $flight->simbrief->user_id === $user->id) View Simbrief Flight Plan diff --git a/tests/SimBriefTest.php b/tests/SimBriefTest.php index d38006e9..2d6122ef 100644 --- a/tests/SimBriefTest.php +++ b/tests/SimBriefTest.php 
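Review bot: The ownership test added to the link in table.blade.php decides only whether the link is rendered; the handler behind "View Simbrief Flight Plan" is not part of this patch, and it must itself verify that the SimBrief row's `user_id` matches the requesting user, because a hidden link is still reachable by anyone who has the URL. The template now also dereferences `$user->id` unconditionally, so it depends on every view that includes this partial passing `user` — the two `view()` calls in the FlightController hunks now do, but any other include of the partial that does not would fail on an undefined variable. A null-tolerant form such as `@if ($flight->simbrief && $user && $flight->simbrief->user_id === $user->id)` keeps the partial reusable, and given the query-side `where('user_id', …)` constraint the template check is defence in depth rather than the primary control.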
@@ -51,18 +51,38 @@ class SimBriefTest extends TestCase
 * @param \App\Models\User $user
 * @param \App\Models\Aircraft|null $aircraft
 * @param array $fares
+ * @param string|null $flight_id
 *
 * @return \App\Models\SimBrief
 */
- protected function loadSimBrief(User $user, Aircraft $aircraft, $fares = []): SimBrief
+ protected function loadSimBrief(User $user, Aircraft $aircraft, $fares = [], $flight_id = null): SimBrief
 {
+ if (empty($flight_id)) {
+ $flight_id = self::$simbrief_flight_id;
+ }
+
 /** @var \App\Models\Flight $flight */
 $flight = factory(Flight::class)->create([
- 'id' => self::$simbrief_flight_id,
+ 'id' => $flight_id,
 'dpt_airport_id' => 'OMAA',
 'arr_airport_id' => 'OMDB',
 ]);
 
+ return $this->downloadOfp($user, $flight, $aircraft, $fares);
+ }
+
+ /**
+ * Download an OFP file
+ *
+ * @param $user
+ * @param $flight
+ * @param $aircraft
+ * @param $fares
+ *
+ * @return \App\Models\SimBrief|null
+ */
+ protected function downloadOfp($user, $flight, $aircraft, $fares)
+ {
 $this->mockXmlResponse([
 'simbrief/briefing.xml',
 'simbrief/acars_briefing.xml',
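Review bot: The new `downloadOfp` helper drops the parameter and return types that `loadSimBrief` declares, and its docblock says `@return \App\Models\SimBrief|null` while `loadSimBrief(): SimBrief` returns its result directly — if the helper can really return null, that call ends in a TypeError rather than a readable assertion failure. Declaring it as `protected function downloadOfp(User $user, Flight $flight, Aircraft $aircraft, array $fares = []): SimBrief` and typing the `@param` lines keeps both helpers consistent and lets the test fail at the right place. The body of `downloadOfp` continues past the end of this hunk.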
@@ -194,6 +214,62 @@ class SimBriefTest extends TestCase
 $this->assertEquals($fares[0]['count'], $subfleet['fares'][0]['count']);
 }
 
+ /**
+ * Make sure that the bids/simbrief created for the same flight by two different
+ * users doesn't leak across users
+ *
+ * @throws \Exception
+ */
+ public function testUserBidSimbriefDoesntLeak()
+ {
+ $this->updateSetting('bids.disable_flight_on_bid', false);
+ $fares = [
+ [
+ 'id' => 100,
+ 'code' => 'F',
+ 'name' => 'Test Fare',
+ 'type' => FareType::PASSENGER,
+ 'capacity' => 100,
+ 'count' => 99,
+ ],
+ ];
+
+ /** @var \App\Models\Flight $flight */
+ $flight = factory(Flight::class)->create();
+
+ // Create two briefings and make sure it doesn't leak
+ $userinfo2 = $this->createUserData();
+ $user2 = $userinfo2['user'];
+ $this->downloadOfp($user2, $flight, $userinfo2['aircraft']->first(), $fares);
+
+ $userinfo = $this->createUserData();
+ $user = $userinfo['user'];
+ $briefing = $this->downloadOfp($user, $flight, $userinfo['aircraft']->first(), $fares);
+
+ // Add the flight to the user's bids
+ $uri = '/api/user/bids';
+ $data = ['flight_id' => $flight->id];
+
+ // add for both users
+ $body = $this->put($uri, $data, [], $user2)->json('data');
+ $this->assertNotEmpty($body);
+
+ $body = $this->put($uri, $data, [], $user)->json('data');
+ $this->assertNotEmpty($body);
+
+ $body = $this->get('/api/user/bids', [], $user);
+ $body = $body->json('data')[0];
+
+ // Make sure Simbrief is there
+ $this->assertNotNull($body['flight']['simbrief']['id']);
+ $this->assertNotNull($body['flight']['simbrief']['subfleet']['fares']);
+ $this->assertEquals($body['flight']['simbrief']['id'], $briefing->id);
+
+ $subfleet = $body['flight']['simbrief']['subfleet'];
+ $this->assertEquals($fares[0]['id'], $subfleet['fares'][0]['id']);
+ $this->assertEquals($fares[0]['count'], $subfleet['fares'][0]['count']);
+ }
+
 public function testAttachToPirep()
 {
 $userinfo = $this->createUserData();
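Review bot: `testUserBidSimbriefDoesntLeak` checks the isolation in one direction only — the second user's briefing is created and then discarded, so the test never confirms that `$user2` sees their own briefing rather than `$briefing` or nothing at all, which is the case that matters for an ordering-dependent HasOne. Keep the first return value as `$briefing2 = $this->downloadOfp($user2, $flight, $userinfo2['aircraft']->first(), $fares);`, then after the existing assertions fetch `$body2 = $this->get('/api/user/bids', [], $user2)->json('data')[0];` and assert `$this->assertEquals($briefing2->id, $body2['flight']['simbrief']['id']);`. The existing `assertEquals($body[...]['id'], $briefing->id)` also has expected and actual swapped, which inverts the failure message. The frontend listing path changed in FlightController is not exercised by this test, only the bids API.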