Hide friend action controls from guests #32

New issue

Closed

opened 2024-01-14 14:35:36 -06:00 by jimmyb · 1 comment

jimmyb commented

2024-01-14 14:35:36 -06:00

Owner

Copy link

Friend action visibility needs to be rebuilt so guests can view public profile/friend surfaces without seeing Add Friend or Remove Friend controls.

The original issue referenced friend actions appearing on a user’s Friend tab while logged out. In the current Laravel checkout, the broader friends feature is still incomplete, but profile stats already reserve Friends and Friends Of rows and notification settings already include friend_added_you. This issue tracks the guest/authenticated visibility and authorization rules that must be enforced when friend actions and friend list pages are rebuilt.

Scope

Public profile friend action state.
Friends and Friends Of list pages or tabs, where implemented.
Add Friend and Remove Friend controls/forms/links.
Guest, authenticated, self-profile, already-friend, and not-yet-friend viewer states.
Server-side authorization for friend mutations.

Acceptance Criteria

Guests never see Add Friend or Remove Friend controls on public profiles, Friends pages, Friends Of pages, or friend tabs.
Guests can view public friend list content where the broader friends feature allows it, but cannot see mutating friend forms, buttons, or URLs.
Guest attempts to add or remove a friend are blocked by auth middleware and redirected to login.
Authenticated users see Add Friend only when viewing another active user they have not already added.
Authenticated users see Remove Friend only when viewing another active user they have already added.
Users never see Add Friend or Remove Friend controls on their own profile.
Friend action controls are not rendered for banned, deleted, soft-deleted, or missing target users.
Friend action visibility is consistent between desktop/mobile/profile/friend-list surfaces.
User-facing UI supports light/dark mode and follows the existing Laravel/Tailwind site layout patterns.

Test Coverage Required

Feature tests confirming guests do not see Add Friend or Remove Friend on profiles and friend list surfaces.
Feature tests confirming guest add/remove friend POST requests require authentication.
Feature tests for authenticated Add Friend, Remove Friend, self-profile, already-friend, and not-yet-friend UI states.
Regression tests confirming banned, deleted, soft-deleted, or missing users do not expose friend action controls.
Regression tests confirming the rendered guest HTML does not include hidden friend mutation forms or action URLs.
Tests should use Pest and focused feature coverage.
Run the focused affected tests, then run vendor/bin/pint --dirty before closing the issue.

Progress Checklist

Public profile page exists
Profile stats reserve Friends and Friends Of rows
Notification settings include friend_added_you
Add or confirm friend persistence and action routes
Add server-side auth protection for add/remove friend actions
Add profile Add Friend/Remove Friend visibility rules
Hide friend mutation controls from guest profile views
Hide friend mutation controls from guest Friends/Friends Of views
Handle self-profile, already-friend, not-yet-friend, deleted-user, and banned-user states
Add tests for guest visibility, authenticated visibility, and authorization
Confirm friend action UI matches expected public/private profile behavior

Friend action visibility needs to be rebuilt so guests can view public profile/friend surfaces without seeing Add Friend or Remove Friend controls. The original issue referenced friend actions appearing on a user’s Friend tab while logged out. In the current Laravel checkout, the broader friends feature is still incomplete, but profile stats already reserve Friends and Friends Of rows and notification settings already include `friend_added_you`. This issue tracks the guest/authenticated visibility and authorization rules that must be enforced when friend actions and friend list pages are rebuilt. ## Scope - Public profile friend action state. - Friends and Friends Of list pages or tabs, where implemented. - Add Friend and Remove Friend controls/forms/links. - Guest, authenticated, self-profile, already-friend, and not-yet-friend viewer states. - Server-side authorization for friend mutations. ## Acceptance Criteria - Guests never see Add Friend or Remove Friend controls on public profiles, Friends pages, Friends Of pages, or friend tabs. - Guests can view public friend list content where the broader friends feature allows it, but cannot see mutating friend forms, buttons, or URLs. - Guest attempts to add or remove a friend are blocked by auth middleware and redirected to login. - Authenticated users see Add Friend only when viewing another active user they have not already added. - Authenticated users see Remove Friend only when viewing another active user they have already added. - Users never see Add Friend or Remove Friend controls on their own profile. - Friend action controls are not rendered for banned, deleted, soft-deleted, or missing target users. - Friend action visibility is consistent between desktop/mobile/profile/friend-list surfaces. - User-facing UI supports light/dark mode and follows the existing Laravel/Tailwind site layout patterns. ## Test Coverage Required - Feature tests confirming guests do not see Add Friend or Remove Friend on profiles and friend list surfaces. - Feature tests confirming guest add/remove friend POST requests require authentication. - Feature tests for authenticated Add Friend, Remove Friend, self-profile, already-friend, and not-yet-friend UI states. - Regression tests confirming banned, deleted, soft-deleted, or missing users do not expose friend action controls. - Regression tests confirming the rendered guest HTML does not include hidden friend mutation forms or action URLs. - Tests should use Pest and focused feature coverage. - Run the focused affected tests, then run `vendor/bin/pint --dirty` before closing the issue. ## Progress Checklist - [x] Public profile page exists - [x] Profile stats reserve Friends and Friends Of rows - [x] Notification settings include `friend_added_you` - [x] Add or confirm friend persistence and action routes - [x] Add server-side auth protection for add/remove friend actions - [x] Add profile Add Friend/Remove Friend visibility rules - [x] Hide friend mutation controls from guest profile views - [x] Hide friend mutation controls from guest Friends/Friends Of views - [x] Handle self-profile, already-friend, not-yet-friend, deleted-user, and banned-user states - [x] Add tests for guest visibility, authenticated visibility, and authorization - [x] Confirm friend action UI matches expected public/private profile behavior

e26c4800-309c-11ea-8556-99c886f1e335.png

80 KiB