mirror of
https://github.com/invoiceninja/invoiceninja.git
synced 2024-09-19 16:01:34 +02:00
Begin adding authorization policies
This commit is contained in:
Joshua Dwire
parent
f9c36fd761
commit
fdf1b25b16
@ -22,39 +22,15 @@ class BaseController extends Controller
|
||||
}
|
||||
}
|
||||
|
||||
protected function checkViewPermission($object, &$response = null){
|
||||
if(!$object->canView()){
|
||||
$response = response('Unauthorized.', 401);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
protected function checkEditPermission($object, &$response = null){
|
||||
if(!$object->canEdit()){
|
||||
$response = response('Unauthorized.', 401);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
protected function checkCreatePermission(&$response = null){
|
||||
if(!call_user_func(array($this->model, 'canCreate'))){
|
||||
$response = response('Unauthorized.', 401);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
protected function checkUpdatePermission($input, &$response = null){
|
||||
protected function authorizeUpdate($input){
|
||||
$creating = empty($input['public_id']) || $input['public_id'] == '-1';
|
||||
|
||||
if($creating){
|
||||
return $this->checkCreatePermission($response);
|
||||
$this->authorize('create', $this->model);
|
||||
}
|
||||
else{
|
||||
$object = call_user_func(array($this->model, 'scope'), $input['public_id'])->firstOrFail();
|
||||
return $this->checkEditPermission($object, $response);
|
||||
$this->authorize('edit', $object);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -96,9 +96,7 @@ class InvoiceController extends BaseController
|
||||
->withTrashed()
|
||||
->firstOrFail();
|
||||
|
||||
if(!$this->checkEditPermission($invoice, $response)){
|
||||
return $response;
|
||||
}
|
||||
$this->authorize('edit', $invoice)
|
||||
|
||||
$entityType = $invoice->getEntityType();
|
||||
|
||||
|
||||
@ -118,56 +118,4 @@ class EntityModel extends Eloquent
|
||||
$name = $parts[count($parts)-1];
|
||||
return strtolower($name) . '_id';
|
||||
}
|
||||
|
||||
public static function canCreate() {
|
||||
return Auth::user()->hasPermission('create_all');
|
||||
}
|
||||
|
||||
public function canEdit() {
|
||||
return static::canEditItem($this);
|
||||
}
|
||||
|
||||
public static function canEditItem($item) {
|
||||
return Auth::user()->hasPermission('edit_all') || (isset($item->user_id) && Auth::user()->id == $item->user_id);
|
||||
}
|
||||
|
||||
public static function canEditItemById($item_id) {
|
||||
if(Auth::user()->hasPermission('edit_all')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return static::whereId($item_id)->first()->user_id == Auth::user()->id;
|
||||
}
|
||||
|
||||
public static function canEditItemByOwner($user_id) {
|
||||
if(Auth::user()->hasPermission('edit_all')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return Auth::user()->id == $user_id;
|
||||
}
|
||||
|
||||
public function canView() {
|
||||
return static::canViewItem($this);
|
||||
}
|
||||
|
||||
public static function canViewItem($item) {
|
||||
return Auth::user()->hasPermission('view_all') || (isset($item->user_id) && Auth::user()->id == $item->user_id);
|
||||
}
|
||||
|
||||
public static function canViewItemById($item_id) {
|
||||
if(Auth::user()->hasPermission('view_all')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return static::whereId($item_id)->first()->user_id == Auth::user()->id;
|
||||
}
|
||||
|
||||
public static function canViewItemByOwner($user_id) {
|
||||
if(Auth::user()->hasPermission('view_all')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
return Auth::user()->id == $user_id;
|
||||
}
|
||||
}
|
||||
|
||||
@ -326,6 +326,10 @@ class User extends Model implements AuthenticatableContract, CanResetPasswordCon
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public function owns($entity) {
|
||||
return !empty($entity->user_id) && $entity->user_id == $this->id;
|
||||
}
|
||||
}
|
||||
|
||||
User::updating(function ($user) {
|
||||
|
||||
25
app/Policies/EntityPolicy.php
Normal file
25
app/Policies/EntityPolicy.php
Normal file
@ -0,0 +1,25 @@
|
||||
<?php
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\User;
|
||||
use App\Models\EntityModel;
|
||||
|
||||
use Illuminate\Auth\Access\HandlesAuthorization;
|
||||
|
||||
class InvoicePolicy extends EntityPolicy
|
||||
{
|
||||
use HandlesAuthorization;
|
||||
|
||||
public static function canCreate() {
|
||||
return Auth::user()->hasPermission('create_all');
|
||||
}
|
||||
|
||||
public static function edit($user, $item) {
|
||||
$user->hasPermission('edit_all') || $user->owns($item);
|
||||
}
|
||||
|
||||
public static function view($user, $item) {
|
||||
$user->hasPermission('view_all') || $user->owns($item);
|
||||
}
|
||||
}
|
||||
23
app/Policies/InvoicePolicy.php
Normal file
23
app/Policies/InvoicePolicy.php
Normal file
@ -0,0 +1,23 @@
|
||||
<?php
|
||||
|
||||
namespace App\Policies;
|
||||
|
||||
use App\Models\User;
|
||||
use App\Post;
|
||||
|
||||
use Illuminate\Auth\Access\HandlesAuthorization;
|
||||
|
||||
class InvoicePolicy extends EntityPolicy
|
||||
{
|
||||
use HandlesAuthorization;
|
||||
|
||||
/**
|
||||
* Create a new policy instance.
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
//
|
||||
}
|
||||
}
|
||||
29
app/Providers/AuthServiceProvider.php
Normal file
29
app/Providers/AuthServiceProvider.php
Normal file
@ -0,0 +1,29 @@
|
||||
<?php
|
||||
|
||||
namespace App\Providers;
|
||||
|
||||
use Illuminate\Contracts\Auth\Access\Gate as GateContract;
|
||||
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
|
||||
|
||||
class AuthServiceProvider extends ServiceProvider
|
||||
{
|
||||
/**
|
||||
* The policy mappings for the application.
|
||||
*
|
||||
* @var array
|
||||
*/
|
||||
protected $policies = [
|
||||
Invoice::class => InvoicePolicy::class,
|
||||
];
|
||||
|
||||
/**
|
||||
* Register any application authentication / authorization services.
|
||||
*
|
||||
* @param \Illuminate\Contracts\Auth\Access\Gate $gate
|
||||
* @return void
|
||||
*/
|
||||
public function boot(GateContract $gate)
|
||||
{
|
||||
$this->registerPolicies($gate);
|
||||
}
|
||||
}
|
||||
@ -157,6 +157,7 @@ return [
|
||||
/*
|
||||
* Application Service Providers...
|
||||
*/
|
||||
'App\Providers\AuthServiceProvider',
|
||||
'App\Providers\AppServiceProvider',
|
||||
//'App\Providers\BusServiceProvider',
|
||||
'App\Providers\ConfigServiceProvider',
|
||||
|
||||
Loading…
Reference in New Issue
Block a user