Merge pull request #21 from RedberryProducts/feat/redirect-url

nikajorjika · web-flow · commit 57b93b65683a · 2025-09-30T16:37:05.000+04:00
Feat/redirect url
diff --git a/README.md b/README.md
@@ -40,9 +40,9 @@ A Laravel package that captures outgoing mail and stores it for in-app viewing.
 The published `config/inbox.php` file exposes several options:
 
 - `INBOX_ENABLED` &mdash; enable the inbox even in production (defaults to non-production only).
-- `INBOX_PUBLIC` &mdash; bypass authorization and allow public access.
 - `INBOX_GATE` &mdash; ability checked by the `mailbox.authorize` middleware (defaults to `viewMailbox`).
 - `INBOX_DASHBOARD_ROUTE` &mdash; URI where the dashboard is mounted (`/mailbox` by default).
+- `INBOX_REDIRECT` &mdash; URI where the user is redirected when they are unauthorized (defaults to Laravel's Forbidden Page).
 - `INBOX_STORE_DRIVER` & `INBOX_FILE_PATH` &mdash; storage driver and path for captured messages.
 - `INBOX_RETENTION` &mdash; number of seconds before stored messages are purged.
 
diff --git a/config/inbox.php b/config/inbox.php
@@ -2,7 +2,6 @@
 
 return [
     'enabled' => env('INBOX_ENABLED', env('APP_ENV') !== 'production'),
-    'public' => env('INBOX_PUBLIC', false),
     'store' => [
         'driver' => env('INBOX_STORE_DRIVER', 'file'),
         'resolvers' => [
@@ -17,6 +16,7 @@
         'seconds' => (int) env('INBOX_RETENTION', 60 * 60 * 24),
     ],
     'gate' => env('INBOX_GATE', 'viewMailbox'),
+    'unauthorized_redirect' => env('INBOX_REDIRECT', null),
     'route' => env('INBOX_DASHBOARD_ROUTE', 'mailbox'),
     'middleware' => ['web'],
 ];
diff --git a/src/Http/Middleware/AuthorizeInboxMiddleware.php b/src/Http/Middleware/AuthorizeInboxMiddleware.php
@@ -9,16 +9,17 @@ class AuthorizeInboxMiddleware
 {
     public function handle($request, Closure $next)
     {
-        if (config('inbox.public', false)) {
-            return $next($request);
-        }
-
         $ability = config('inbox.gate', 'viewMailbox');
-        // Let Gate decide (works with or without authenticated user; $user can be null)
-        if (Gate::allows($ability)) {
-            return $next($request);
+
+        if (! Gate::allows($ability)) {
+            $redirect = config('inbox.unauthorized_redirect');
+
+            if ($redirect) {
+                return redirect($redirect);
+            }
+            abort(403);
         }
 
-        abort(403);
+        return $next($request);
     }
 }
diff --git a/tests/Feature/AssetControllerTest.php b/tests/Feature/AssetControllerTest.php
@@ -1,6 +1,5 @@
 <?php
 
-use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Route;
 use Redberry\MailboxForLaravel\CaptureService;
 use Redberry\MailboxForLaravel\Http\Controllers\AssetController;
@@ -50,13 +49,6 @@ function storeMessage(): array
         $this->get("/mailbox/messages/{$key}/attachments/missing.txt")->assertNotFound();
     });
 
-    it('rejects unauthorized access when middleware denies', function () {
-        Gate::shouldReceive('allows')->with('viewMailbox')->andReturn(false);
-        config()->set('inbox.public', false);
-
-        $this->get('/mailbox/messages/abc/attachments/file.txt')->assertForbidden();
-    });
-
     it('streams large assets without loading entire file into memory', function () {
         $file = tempnam(sys_get_temp_dir(), 'inbox-');
         file_put_contents($file, str_repeat('A', 1024 * 1024));
diff --git a/tests/Feature/AuthorizeInboxMiddlewareTest.php b/tests/Feature/AuthorizeInboxMiddlewareTest.php
@@ -21,11 +21,18 @@
         $this->get('/mailbox-test')->assertForbidden();
     });
 
-    it('allows access when config(inbox.public)=true', function () {
-        config()->set('inbox.public', true);
-        Gate::shouldReceive('allows')->never();
+    it('redirects to 403 page when no inbox.unauthorized_redirect config is set', function () {
+        config()->set('inbox.unauthorized_redirect', null);
+        Gate::shouldReceive('allows')->with('viewMailbox')->andReturn(false);
 
-        $this->get('/mailbox-test')->assertOk();
+        $this->get('/mailbox-test')->assertForbidden();
+    });
+
+    it('redirects to inbox.unauthorized_redirect page when set in config', function () {
+        config()->set('inbox.unauthorized_redirect', '/custom-unauthorized');
+        Gate::shouldReceive('allows')->with('viewMailbox')->andReturn(false);
+
+        $this->get('/mailbox-test')->assertRedirect('/custom-unauthorized');
     });
 
     it('denies access in production when config forbids public access', function () {
diff --git a/tests/Unit/InboxServiceProviderTest.php b/tests/Unit/InboxServiceProviderTest.php
@@ -53,6 +53,5 @@
     it('merges default config values correctly', function () {
         expect(config('inbox.store.driver'))->toBe('file');
         expect(config('inbox.middleware'))->toBe(['web']);
-        expect(config('inbox.public'))->toBeFalse();
     });
 });

Original file line number	Diff line number	Diff line change
`@@ -9,16 +9,17 @@ class AuthorizeInboxMiddleware`
`9`	`9`	`{`
`10`	`10`	`public function handle($request, Closure $next)`
`11`	`11`	`{`
`12`		`- if (config('inbox.public', false)) {`
`13`		`- return $next($request);`
`14`		`- }`
`15`		`-`
`16`	`12`	`$ability = config('inbox.gate', 'viewMailbox');`
`17`		`- // Let Gate decide (works with or without authenticated user; $user can be null)`
`18`		`- if (Gate::allows($ability)) {`
`19`		`- return $next($request);`
	`13`	`+`
	`14`	`+ if (! Gate::allows($ability)) {`
	`15`	`+ $redirect = config('inbox.unauthorized_redirect');`
	`16`	`+`
	`17`	`+ if ($redirect) {`
	`18`	`+ return redirect($redirect);`
	`19`	`+ }`
	`20`	`+ abort(403);`
`20`	`21`	`}`
`21`	`22`
`22`		`- abort(403);`
	`23`	`+ return $next($request);`
`23`	`24`	`}`
`24`	`25`	`}`