forked from projects/thebadspace
add role checks for admin function
Admin functions are already hidden from members with the wrong role; this adds an explicit check in the controller itself that the role is correct before an admin action runs, for a little extra security.
parent
3c0762344e
commit
31f45c4af5
2 changed files with 67 additions and 32 deletions
|
@ -5,6 +5,7 @@ namespace App\Http\Controllers;
|
|||
use Illuminate\Http\Request;
|
||||
use App\Services\UpdateService;
|
||||
use App\Repositories\LocationRepository;
|
||||
use Illuminate\Support\Facades\Auth;
|
||||
|
||||
class LocationController extends Controller
|
||||
{
|
||||
|
@ -18,34 +19,51 @@ class LocationController extends Controller
|
|||
$this->location = $locationRepository;
|
||||
}
|
||||
|
||||
//actions
|
||||
public function updateLocations()
|
||||
{
|
||||
$result = $this->update->data();
|
||||
|
||||
return back()->with(
|
||||
'message',
|
||||
$result
|
||||
);
|
||||
//role check
|
||||
$member = Auth::user();
|
||||
if ($member->role == 0) {
|
||||
$result = $this->update->data();
|
||||
return back()->with(
|
||||
'message',
|
||||
$result
|
||||
);
|
||||
} else {
|
||||
return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
|
||||
}
|
||||
}
|
||||
|
||||
public function compileLocations()
|
||||
{
|
||||
$result = $this->update->list();
|
||||
|
||||
return back()->with(
|
||||
'message',
|
||||
$result
|
||||
);
|
||||
//role check
|
||||
$member = Auth::user();
|
||||
if ($member->role == 0) {
|
||||
$result = $this->update->list();
|
||||
return back()->with(
|
||||
'message',
|
||||
$result
|
||||
);
|
||||
} else {
|
||||
return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
|
||||
}
|
||||
}
|
||||
|
||||
public function editLocation(Request $request)
|
||||
{
|
||||
$token = csrf_token();
|
||||
$response = $this->location->editLocation($request);
|
||||
if ($response['status']) {
|
||||
return back()->with('message', $response['message']);
|
||||
$token = csrf_token();
|
||||
//role check
|
||||
$member = Auth::user();
|
||||
if ($member->role == 0 || $member->role == 1) {
|
||||
$response = $this->location->editLocation($request);
|
||||
if ($response['status']) {
|
||||
return back()->with('message', $response['message']);
|
||||
} else {
|
||||
return back()->withErrors('message', $response['message']);
|
||||
}
|
||||
} else {
|
||||
return back()->withErrors('message', $response['message']);
|
||||
return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
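Review bot: The new denial branches `return back()->withErrors('message', 'Nah, you don\'t have permission to do this');` in updateLocations, compileLocations and editLocation misuse `withErrors`: the first argument is the errors provider and the second is the bag name, so the literal string "message" becomes the error and the permission text becomes the bag key, and the view will never display the intended message. Use the array form MemberController already uses, e.g. `return back()->withErrors(['message' => 'Nah, you don\'t have permission to do this']);`. The role comparisons `$member->role == 0` and `$member->role == 0 || $member->role == 1` are loose, so a member whose `role` is null/unset satisfies `== 0` and is treated as an admin; prefer `in_array($member->role, [0], true)` / `in_array($member->role, [0, 1], true)`, and note that `Auth::user()` is dereferenced without a null check, which is only safe if these routes sit behind the `auth` middleware (not visible here). Since the same check is copied into each action, a private helper or a route middleware/Gate would stop a future admin action from forgetting it; `$token = csrf_token();` in editLocation is unused and can be dropped.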
|
@ -72,34 +72,51 @@ class MemberController extends Controller
|
|||
//actions
|
||||
public function profileEdit(Request $request)
|
||||
{
|
||||
$token = csrf_token();
|
||||
$response = $this->member->editProfile($request);
|
||||
if ($response['status'] == true) {
|
||||
return back()->with('message', $response['message']);
|
||||
$token = csrf_token();
|
||||
//check if logged in member id matches profile request id
|
||||
$member = Auth::user();
|
||||
if ($member->uuid == $request->id) {
|
||||
$response = $this->member->editProfile($request);
|
||||
if ($response['status'] == true) {
|
||||
return back()->with('message', $response['message']);
|
||||
} else {
|
||||
return back()->withErrors([$response['message']]);
|
||||
}
|
||||
} else {
|
||||
return back()->withErrors([$response['message']]);
|
||||
return back()->withErrors(['This is not your profile to edit.']);
|
||||
}
|
||||
}
|
||||
|
||||
public function memberEdit(Request $request)
|
||||
{
|
||||
$token = csrf_token();
|
||||
$response = $this->member->edit($request);
|
||||
if ($response['status'] == true) {
|
||||
return back()->with('message', $response['message']);
|
||||
$token = csrf_token();
|
||||
//role check
|
||||
$member = Auth::user();
|
||||
if ($member->role == 0 || $member->role == 1) {
|
||||
$response = $this->member->edit($request);
|
||||
if ($response['status'] == true) {
|
||||
return back()->with('message', $response['message']);
|
||||
} else {
|
||||
return back()->withErrors([$response['message']]);
|
||||
}
|
||||
} else {
|
||||
return back()->withErrors([$response['message']]);
|
||||
return back()->withErrors(['Nah, you can\'t do this. Wrong permissions.']);
|
||||
}
|
||||
}
|
||||
|
||||
public function memberCreate(Request $request)
|
||||
{
|
||||
$token = csrf_token();
|
||||
$response = $this->member->add($request);
|
||||
if ($response['status'] == true) {
|
||||
return redirect('/den/member')->with('message', $response['message']);
|
||||
$token = csrf_token();
|
||||
$member = Auth::user();
|
||||
if ($member->role == 0 || $member->role == 1) {
|
||||
$response = $this->member->add($request);
|
||||
if ($response['status'] == true) {
|
||||
return redirect('/den/member')->with('message', $response['message']);
|
||||
} else {
|
||||
return back()->withErrors([$response['message']]);
|
||||
}
|
||||
} else {
|
||||
return back()->withErrors([$response['message']]);
|
||||
return back()->withErrors(['Nah, you can\'t do this. Wrong permissions.']);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
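Review bot: The ownership check `if ($member->uuid == $request->id)` in profileEdit compares a request-supplied value loosely; prefer `if ((string) $member->uuid === (string) $request->input('id'))` so that an absent or non-string `id` cannot coerce into a match (for example `'' == null` is true). The check only protects the profile if `editProfile()` targets the same `$request->id` — if the repository reads the target from another field, this comparison guards nothing, which is worth confirming against MemberRepository (not visible here). The role checks in memberEdit and memberCreate, `$member->role == 0 || $member->role == 1`, should be strict, e.g. `in_array($member->role, [0, 1], true)`, because a null/unset role satisfies `== 0`. The `$token = csrf_token();` assignments are unused, and the repeated role check would be better as one private helper or a route middleware so new actions cannot omit it.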
|