fix: permission check issue

Closes #42
BenHUET · Aug 25, 2020 · 8c14183 · 8c14183
1 parent ef239b3
commit 8c14183
Show file tree

Hide file tree

Showing 5 changed files with 31 additions and 14 deletions.
diff --git a/src/Http/Controllers/AjaxController.php b/src/Http/Controllers/AjaxController.php
@@ -27,6 +27,12 @@ public function getOngoing()
                                    $query->where('end_at', '>', carbon()->now());
                                    $query->orWhereNull('end_at');
                                })
+                               ->where(function ($query) {
+                                   if (! auth()->user()->isAdmin()) {
+                                       $query->whereIn('role_name', auth()->user()->roles->pluck('title')->toArray());
+                                       $query->orWhereNull('role_name');
+                                   }
+                               })
                                ->where('is_cancelled', false);
 
         return $this->buildOperationDataTable($operations);
@@ -38,6 +44,12 @@ public function getOngoing()
     public function getIncoming()
     {
         $operations = Operation::with('tags', 'fleet_commander', 'attendees', 'staging')
+            ->where(function ($query) {
+                if (! auth()->user()->isAdmin()) {
+                    $query->whereIn('role_name', auth()->user()->roles->pluck('title')->toArray());
+                    $query->orWhereNull('role_name');
+                }
+            })
             ->where('start_at', '>', carbon()->now())
             ->where('is_cancelled', false);
 
@@ -54,9 +66,14 @@ public function getFaded()
                                    $query->where('start_at', '<', carbon()->now())
                                          ->where('end_at', '<', carbon()->now());
                                })
+                               ->where(function ($query) {
+                                   if (! auth()->user()->isAdmin()) {
+                                       $query->whereIn('role_name', auth()->user()->roles->pluck('title')->toArray());
+                                       $query->orWhereNull('role_name');
+                                   }
+                               })
                                ->orWhere('is_cancelled', true);
 
-
         return $this->buildOperationDataTable($operations);
     }
 
@@ -66,7 +83,7 @@ public function getFaded()
      */
     public function getDetail($operation_id)
     {
-        if (auth()->user()->can('calendar.view', false)) {
+        if (auth()->user()->can('calendar.view')) {
             $op = Operation::with('tags')->find($operation_id);
             return view('calendar::operation.modals/details.content', compact('op'));
         }

diff --git a/src/Http/Controllers/OperationController.php b/src/Http/Controllers/OperationController.php
@@ -126,7 +126,7 @@ public function update(Request $request)
         $operation = Operation::find($request->operation_id);
         $tags = array();
 
-        if (auth()->user()->can('calendar.update_all', false) || $operation->user->id == auth()->user()->id) {
+        if (auth()->user()->can('calendar.update_all') || $operation->user->id == auth()->user()->id) {
 
             foreach ($request->toArray() as $name => $value) {
                 if (empty($value))
@@ -181,7 +181,7 @@ public function update(Request $request)
     public function delete(Request $request)
     {
         $operation = Operation::find($request->operation_id);
-        if (auth()->user()->can('calendar.delete_all', false) || $operation->user->id == auth()->user()->id) {
+        if (auth()->user()->can('calendar.delete_all') || $operation->user->id == auth()->user()->id) {
             if ($operation != null) {
 
                 if (! $operation->isUserGranted(auth()->user()))
@@ -204,7 +204,7 @@ public function delete(Request $request)
     public function close(Request $request)
     {
         $operation = Operation::find($request->operation_id);
-        if (auth()->user()->can('calendar.close_all', false) || $operation->user->id == auth()->user()->id) {
+        if (auth()->user()->can('calendar.close_all') || $operation->user->id == auth()->user()->id) {
 
             if ($operation != null) {
                 $operation->end_at = Carbon::now('UTC');
@@ -225,7 +225,7 @@ public function close(Request $request)
     public function cancel(Request $request)
     {
         $operation = Operation::find($request->operation_id);
-        if (auth()->user()->can('calendar.close_all', false) || $operation->user->id == auth()->user()->id) {
+        if (auth()->user()->can('calendar.close_all') || $operation->user->id == auth()->user()->id) {
             if ($operation != null) {
 
                 $operation->timestamps = false;
@@ -250,7 +250,7 @@ public function cancel(Request $request)
     public function activate(Request $request)
     {
         $operation = Operation::find($request->operation_id);
-        if (auth()->user()->can('calendar.close_all', false) || $operation->user->id == auth()->user()->id) {
+        if (auth()->user()->can('calendar.close_all') || $operation->user->id == auth()->user()->id) {
             if ($operation != null) {
                 $operation->timestamps = false;
                 $operation->is_cancelled = false;
@@ -306,7 +306,7 @@ public function subscribe(Request $request)
      * @return \Illuminate\Http\JsonResponse|\Illuminate\Http\RedirectResponse
      */
     public function find($operation_id) {
-        if (auth()->user()->can('calendar.view', false)) {
+        if (auth()->user()->can('calendar.view')) {
             $operation = Operation::find($operation_id)->load('tags');
 
             if (! $operation->isUserGranted(auth()->user()))

diff --git a/src/Models/Operation.php b/src/Models/Operation.php
@@ -247,6 +247,6 @@ public function isUserGranted(User $user) : bool
         if (is_null($this->role_name))
             return true;
 
-        return $user->hasRole($this->role_name);
+        return $user->roles->where('title', $this->role_name)->isNotEmpty() || auth()->user()->isAdmin();
     }
 }
diff --git a/src/resources/views/operation/index.blade.php b/src/resources/views/operation/index.blade.php
@@ -5,7 +5,7 @@
 
 @section('full')
 
-    @if(auth()->user()->can('calendar.create', false))
+    @if(auth()->user()->can('calendar.create'))
     <div class="row margin-bottom">
         <div class="col-md-offset-8 col-md-4">
             <div class="pull-right">

diff --git a/src/resources/views/operation/partials/actions/actions.blade.php b/src/resources/views/operation/partials/actions/actions.blade.php
@@ -4,18 +4,18 @@
   @if(! $op->is_cancelled)
     @include('calendar::operation.partials.actions.subscribe')
   @endif
-  @if(auth()->user()->can('calendar.update_all', false) || $op->user->id == auth()->user()->id)
+  @if(auth()->user()->can('calendar.update_all') || $op->user->id == auth()->user()->id)
       @include('calendar::operation.partials.actions.edit')
   @endif
 @endif
 
 @if(carbon()->now()->gt($op->start_at) && in_array($op->end_at, [null, carbon()->now()]))
-  @if(auth()->user()->can('calendar.close_all', false) || $op->user->id == auth()->user()->id)
+  @if(auth()->user()->can('calendar.close_all') || $op->user->id == auth()->user()->id)
     @include('calendar::operation.partials.actions.close')
   @endif
 @endif
 
-@if(auth()->user()->can('calendar.cancel_all', false) || $op->user->id == auth()->user()->id)
+@if(auth()->user()->can('calendar.cancel_all') || $op->user->id == auth()->user()->id)
   @if($op->is_cancelled)
     @include('calendar::operation.partials.actions.enable')
   @else
@@ -25,6 +25,6 @@
   @endif
 @endif
 
-@if(auth()->user()->can('calendar.delete_all', false) || $op->user->id == auth()->user()->id)
+@if(auth()->user()->can('calendar.delete_all') || $op->user->id == auth()->user()->id)
   @include('calendar::operation.partials.actions.destroy')
 @endif