test: removed useless test

Author: mubbi

app/Http/Controllers/Api/V1/Admin/User/BanUserController.php

@@ -35,6 +35,18 @@ public function __invoke(int $id, BanUserRequest $request): JsonResponse
                 new UserDetailResource($user),
                 __('common.user_banned_successfully')
             );
+        } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+            /**
+             * Forbidden - Cannot ban self
+             *
+             * @status 403
+             *
+             * @body array{status: false, message: string, data: null, error: null}
+             */
+            return response()->apiError(
+                $e->getMessage(),
+                Response::HTTP_FORBIDDEN
+            );
         } catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
             /**
              * User not found

app/Http/Controllers/Api/V1/Admin/User/BlockUserController.php

@@ -35,6 +35,18 @@ public function __invoke(int $id, BlockUserRequest $request): JsonResponse
                 new UserDetailResource($user),
                 __('common.user_blocked_successfully')
             );
+        } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+            /**
+             * Forbidden - Cannot block self
+             *
+             * @status 403
+             *
+             * @body array{status: false, message: string, data: null, error: null}
+             */
+            return response()->apiError(
+                $e->getMessage(),
+                Response::HTTP_FORBIDDEN
+            );
         } catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
             /**
              * User not found

app/Http/Controllers/Api/V1/Admin/User/DeleteUserController.php

@@ -34,6 +34,18 @@ public function __invoke(DeleteUserRequest $request, int $id): JsonResponse
                 null,
                 __('common.user_deleted_successfully')
             );
+        } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+            /**
+             * Forbidden - Cannot delete self
+             *
+             * @status 403
+             *
+             * @body array{status: false, message: string, data: null, error: null}
+             */
+            return response()->apiError(
+                $e->getMessage(),
+                Response::HTTP_FORBIDDEN
+            );
         } catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
             /**
              * User not found

app/Http/Controllers/Api/V1/Admin/User/UnbanUserController.php

@@ -35,6 +35,18 @@ public function __invoke(UnbanUserRequest $request, int $id): JsonResponse
                 new UserDetailResource($user),
                 __('common.user_unbanned_successfully')
             );
+        } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+            /**
+             * Forbidden - Cannot unban self
+             *
+             * @status 403
+             *
+             * @body array{status: false, message: string, data: null, error: null}
+             */
+            return response()->apiError(
+                $e->getMessage(),
+                Response::HTTP_FORBIDDEN
+            );
         } catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
             /**
              * User not found

app/Http/Controllers/Api/V1/Admin/User/UnblockUserController.php

@@ -35,6 +35,18 @@ public function __invoke(int $id, UnblockUserRequest $request): JsonResponse
                 new UserDetailResource($user),
                 __('common.user_unblocked_successfully')
             );
+        } catch (\Illuminate\Auth\Access\AuthorizationException $e) {
+            /**
+             * Forbidden - Cannot unblock self
+             *
+             * @status 403
+             *
+             * @body array{status: false, message: string, data: null, error: null}
+             */
+            return response()->apiError(
+                $e->getMessage(),
+                Response::HTTP_FORBIDDEN
+            );
         } catch (\Illuminate\Database\Eloquent\ModelNotFoundException $e) {
             /**
              * User not found

app/Services/UserService.php

@@ -125,9 +125,13 @@ public function updateUser(int $id, array $data): User
 
     /**
      * Delete a user
+     *
+     * @throws \Illuminate\Auth\Access\AuthorizationException
      */
     public function deleteUser(int $id): bool
     {
+        $this->preventSelfAction($id, 'cannot_delete_self');
+
         $user = User::findOrFail($id);
 
         /** @var bool $deleted */
@@ -138,9 +142,13 @@ public function deleteUser(int $id): bool
 
     /**
      * Ban a user
+     *
+     * @throws \Illuminate\Auth\Access\AuthorizationException
      */
     public function banUser(int $id): User
     {
+        $this->preventSelfAction($id, 'cannot_ban_self');
+
         $user = User::findOrFail($id);
         $user->update(['banned_at' => now()]);
 
@@ -149,9 +157,13 @@ public function banUser(int $id): User
 
     /**
      * Unban a user
+     *
+     * @throws \Illuminate\Auth\Access\AuthorizationException
      */
     public function unbanUser(int $id): User
     {
+        $this->preventSelfAction($id, 'cannot_unban_self');
+
         $user = User::findOrFail($id);
         $user->update(['banned_at' => null]);
 
@@ -160,9 +172,13 @@ public function unbanUser(int $id): User
 
     /**
      * Block a user
+     *
+     * @throws \Illuminate\Auth\Access\AuthorizationException
      */
     public function blockUser(int $id): User
     {
+        $this->preventSelfAction($id, 'cannot_block_self');
+
         $user = User::findOrFail($id);
         $user->update(['blocked_at' => now()]);
 
@@ -171,9 +187,13 @@ public function blockUser(int $id): User
 
     /**
      * Unblock a user
+     *
+     * @throws \Illuminate\Auth\Access\AuthorizationException
      */
     public function unblockUser(int $id): User
     {
+        $this->preventSelfAction($id, 'cannot_unblock_self');
+
         $user = User::findOrFail($id);
         $user->update(['blocked_at' => null]);
 
@@ -213,6 +233,20 @@ public function assignRoles(int $userId, array $roleIds): User
         return $user->load(['roles:id,name,slug']);
     }
 
+    /**
+     * Prevent users from performing actions on themselves
+     *
+     * @throws \Illuminate\Auth\Access\AuthorizationException
+     */
+    private function preventSelfAction(int $id, string $errorKey): void
+    {
+        $currentUser = auth()->user();
+
+        if ($currentUser && $id === $currentUser->id) {
+            throw new \Illuminate\Auth\Access\AuthorizationException(__("common.{$errorKey}"));
+        }
+    }
+
     /**
      * Apply filters to the query
      *

lang/en/common.php

@@ -30,6 +30,11 @@
     'user_blocked_successfully' => 'User blocked successfully.',
     'user_unblocked_successfully' => 'User unblocked successfully.',
     'profile_updated_successfully' => 'Profile updated successfully.',
+    'cannot_delete_self' => 'You cannot delete your own account.',
+    'cannot_ban_self' => 'You cannot ban your own account.',
+    'cannot_unban_self' => 'You cannot unban your own account.',
+    'cannot_block_self' => 'You cannot block your own account.',
+    'cannot_unblock_self' => 'You cannot unblock your own account.',
 
     // Article Management
     'article_not_found' => 'Article not found.',

tests/Feature/API/V1/Admin/User/BanUserControllerTest.php

@@ -63,26 +63,6 @@
         expect($userToBan->blocked_at)->not->toBeNull();
     });
 
-    it('can ban an already banned user (updates timestamp)', function () {
-        // Arrange
-        $admin = User::factory()->create();
-        $adminRole = Role::where('name', UserRole::ADMINISTRATOR->value)->first();
-        $admin->roles()->attach($adminRole->id);
-
-        $oldBanTime = now()->subDays(5);
-        $userToBan = User::factory()->create(['banned_at' => $oldBanTime]);
-
-        // Act
-        $response = $this->actingAs($admin)
-            ->postJson(route('api.v1.admin.users.ban', $userToBan->id));
-
-        // Assert
-        $response->assertStatus(200);
-
-        $userToBan->refresh();
-        expect($userToBan->banned_at->toDateTimeString())->toBe(now()->toDateTimeString());
-    });
-
     it('returns 404 when user does not exist', function () {
         // Arrange
         $admin = User::factory()->create();
@@ -139,7 +119,10 @@
             ->postJson(route('api.v1.admin.users.ban', $admin->id));
 
         // Assert
-        $response->assertStatus(200); // This is allowed in current implementation
-        // Note: In a real application, you might want to prevent self-banning
+        $response->assertStatus(403)
+            ->assertJson([
+                'status' => false,
+                'message' => __('common.cannot_ban_self'),
+            ]);
     });
 });

tests/Feature/API/V1/Admin/User/BlockUserControllerTest.php

@@ -118,8 +118,11 @@
             ->postJson(route('api.v1.admin.users.block', $admin->id));
 
         // Assert
-        $response->assertStatus(200); // This is allowed in current implementation
-        // Note: In a real application, you might want to prevent self-blocking
+        $response->assertStatus(403)
+            ->assertJson([
+                'status' => false,
+                'message' => __('common.cannot_block_self'),
+            ]);
     });
 
     it('maintains other user properties when blocking', function () {

tests/Feature/API/V1/Admin/User/DeleteUserControllerTest.php

@@ -154,8 +154,11 @@
             ->deleteJson(route('api.v1.admin.users.destroy', $admin->id));
 
         // Assert
-        $response->assertStatus(200); // This is allowed in current implementation
-        // Note: In a real application, you might want to prevent self-deletion
+        $response->assertStatus(403)
+            ->assertJson([
+                'status' => false,
+                'message' => __('common.cannot_delete_self'),
+            ]);
     });
 
     it('deletes user with verified email', function () {