From 412d935e794f9ee361e10c8b9ab072d80ba49d71 Mon Sep 17 00:00:00 2001
From: Hillel Coren
Date: Tue, 7 Feb 2017 17:23:55 +0200
Subject: [PATCH] Enable non-admin users with view all permissions to use the reports
---
 app/Http/Controllers/ReportController.php | 8 ++++++++
 app/Http/routes.php | 5 +++--
 resources/views/header.blade.php | 2 +-
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/ReportController.php b/app/Http/Controllers/ReportController.php
index 4ca637fd0d..69d85eecc2 100644
--- a/app/Http/Controllers/ReportController.php
+++ b/app/Http/Controllers/ReportController.php
@@ -48,6 +48,10 @@ class ReportController extends BaseController
 */
 public function showReports()
 {
+ if (! Auth::user()->hasPermission('view_all')) {
+ return redirect('/');
+ }
+
 $action = Input::get('action');
 if (Input::get('report_type')) {
@@ -118,6 +122,10 @@ class ReportController extends BaseController
 */
 private function export($reportType, $data, $columns, $totals)
 {
+ if (! Auth::user()->hasPermission('view_all')) {
+ exit;
+ }
+
 $output = fopen('php://output', 'w') or Utils::fatalError();
 $reportType = trans("texts.{$reportType}s");
 $date = date('Y-m-d');
diff --git a/app/Http/routes.php b/app/Http/routes.php
index cf546f992e..9f13388e53 100644
--- a/app/Http/routes.php
+++ b/app/Http/routes.php
@@ -216,6 +216,9 @@ Route::group(['middleware' => 'auth:user'], function () {
 Route::get('bluevine/hide_message', 'BlueVineController@hideMessage');
 Route::get('bluevine/completed', 'BlueVineController@handleCompleted');
 Route::get('white_label/hide_message', 'NinjaController@hideWhiteLabelMessage');
+
+ Route::get('reports', 'ReportController@showReports');
+ Route::post('reports', 'ReportController@showReports');
 });
 Route::group([ 
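Review bot: The `hasPermission('view_all')` guard at the top of showReports is now the only authorization gate for reports, because the routes hunks move `GET/POST reports` out of the group at line 244 (whose middleware is not visible here) into the general `auth:user` group, so every authenticated user reaches this controller method. A silent `return redirect('/')` hides the denial from both the user and the logs; an explicit `abort(403);` is clearer and is what a security reviewer would expect to see in access logs. Consider also attaching the permission check as route middleware on the two `reports` routes so a future report action cannot be added without the gate. showReports's body continues outside the hunk.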
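Review bot: The bare `exit;` in the new guard in export terminates the request outside Laravel's response pipeline, so terminable middleware, session flushing and response logging are skipped, and the caller gets an empty 200 rather than a denial. Since export is private and, as far as this hunk shows, only reachable through showReports, this is a defense-in-depth check; it should still fail the same way as the public gate, `abort(403);`, rather than `exit;`. export's body continues outside the hunk.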
@@ -244,8 +247,6 @@ Route::group([
 Route::post('settings/email_settings', 'AccountController@saveEmailSettings');
 Route::get('company/{section}/{subSection?}', 'AccountController@redirectLegacy');
 Route::get('settings/data_visualizations', 'ReportController@d3');
- Route::get('reports', 'ReportController@showReports');
- Route::post('reports', 'ReportController@showReports');
 Route::post('settings/change_plan', 'AccountController@changePlan');
 Route::post('settings/cancel_account', 'AccountController@cancelAccount');
diff --git a/resources/views/header.blade.php b/resources/views/header.blade.php
index 62576029de..70eb372824 100644
--- a/resources/views/header.blade.php
+++ b/resources/views/header.blade.php
@@ -521,7 +521,7 @@
 ])
 @endforeach
 @endif
- @if (Auth::user()->is_admin)
+ @if (Auth::user()->hasPermission('view_all'))
 @include('partials.navigation_option', ['option' => 'reports'])
 @endif
 @include('partials.navigation_option', ['option' => 'settings'])
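Review bot: The navigation entry now depends solely on `hasPermission('view_all')` where it previously used `is_admin`, so an admin user whose permission set does not include `view_all` would lose the reports link while the controller gate would also redirect them; whether hasPermission short-circuits for admins is not visible in this diff and should be confirmed. If it does not, the condition should be `@if (Auth::user()->is_admin || Auth::user()->hasPermission('view_all'))`, kept consistent with the controller check in ReportController.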