forked from projects/thebadspace
add role checks for admin function
admin functions are not shown to member with incorrect roles, but added a bit more padding in the controller itself to check if the role is correct before running an admin action for a little extra security
This commit is contained in:
parent
3c0762344e
commit
31f45c4af5
2 changed files with 67 additions and 32 deletions
|
@ -5,6 +5,7 @@ namespace App\Http\Controllers;
|
||||||
use Illuminate\Http\Request;
|
use Illuminate\Http\Request;
|
||||||
use App\Services\UpdateService;
|
use App\Services\UpdateService;
|
||||||
use App\Repositories\LocationRepository;
|
use App\Repositories\LocationRepository;
|
||||||
|
use Illuminate\Support\Facades\Auth;
|
||||||
|
|
||||||
class LocationController extends Controller
|
class LocationController extends Controller
|
||||||
{
|
{
|
||||||
|
@ -18,34 +19,51 @@ class LocationController extends Controller
|
||||||
$this->location = $locationRepository;
|
$this->location = $locationRepository;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//actions
|
||||||
public function updateLocations()
|
public function updateLocations()
|
||||||
{
|
{
|
||||||
|
//role check
|
||||||
|
$member = Auth::user();
|
||||||
|
if ($member->role == 0) {
|
||||||
$result = $this->update->data();
|
$result = $this->update->data();
|
||||||
|
|
||||||
return back()->with(
|
return back()->with(
|
||||||
'message',
|
'message',
|
||||||
$result
|
$result
|
||||||
);
|
);
|
||||||
|
} else {
|
||||||
|
return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function compileLocations()
|
public function compileLocations()
|
||||||
{
|
{
|
||||||
|
//role check
|
||||||
|
$member = Auth::user();
|
||||||
|
if ($member->role == 0) {
|
||||||
$result = $this->update->list();
|
$result = $this->update->list();
|
||||||
|
|
||||||
return back()->with(
|
return back()->with(
|
||||||
'message',
|
'message',
|
||||||
$result
|
$result
|
||||||
);
|
);
|
||||||
|
} else {
|
||||||
|
return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function editLocation(Request $request)
|
public function editLocation(Request $request)
|
||||||
{
|
{
|
||||||
$token = csrf_token();
|
$token = csrf_token();
|
||||||
|
//role check
|
||||||
|
$member = Auth::user();
|
||||||
|
if ($member->role == 0 || $member->role == 1) {
|
||||||
$response = $this->location->editLocation($request);
|
$response = $this->location->editLocation($request);
|
||||||
if ($response['status']) {
|
if ($response['status']) {
|
||||||
return back()->with('message', $response['message']);
|
return back()->with('message', $response['message']);
|
||||||
} else {
|
} else {
|
||||||
return back()->withErrors('message', $response['message']);
|
return back()->withErrors('message', $response['message']);
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -73,33 +73,50 @@ class MemberController extends Controller
|
||||||
public function profileEdit(Request $request)
|
public function profileEdit(Request $request)
|
||||||
{
|
{
|
||||||
$token = csrf_token();
|
$token = csrf_token();
|
||||||
|
//check if logged in member id matches profile request id
|
||||||
|
$member = Auth::user();
|
||||||
|
if ($member->uuid == $request->id) {
|
||||||
$response = $this->member->editProfile($request);
|
$response = $this->member->editProfile($request);
|
||||||
if ($response['status'] == true) {
|
if ($response['status'] == true) {
|
||||||
return back()->with('message', $response['message']);
|
return back()->with('message', $response['message']);
|
||||||
} else {
|
} else {
|
||||||
return back()->withErrors([$response['message']]);
|
return back()->withErrors([$response['message']]);
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
return back()->withErrors(['This is not your profile to edit.']);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function memberEdit(Request $request)
|
public function memberEdit(Request $request)
|
||||||
{
|
{
|
||||||
$token = csrf_token();
|
$token = csrf_token();
|
||||||
|
//role check
|
||||||
|
$member = Auth::user();
|
||||||
|
if ($member->role == 0 || $member->role == 1) {
|
||||||
$response = $this->member->edit($request);
|
$response = $this->member->edit($request);
|
||||||
if ($response['status'] == true) {
|
if ($response['status'] == true) {
|
||||||
return back()->with('message', $response['message']);
|
return back()->with('message', $response['message']);
|
||||||
} else {
|
} else {
|
||||||
return back()->withErrors([$response['message']]);
|
return back()->withErrors([$response['message']]);
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
return back()->withErrors(['Nah, you can\'t do this. Wrong permissions.']);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function memberCreate(Request $request)
|
public function memberCreate(Request $request)
|
||||||
{
|
{
|
||||||
$token = csrf_token();
|
$token = csrf_token();
|
||||||
|
$member = Auth::user();
|
||||||
|
if ($member->role == 0 || $member->role == 1) {
|
||||||
$response = $this->member->add($request);
|
$response = $this->member->add($request);
|
||||||
if ($response['status'] == true) {
|
if ($response['status'] == true) {
|
||||||
return redirect('/den/member')->with('message', $response['message']);
|
return redirect('/den/member')->with('message', $response['message']);
|
||||||
} else {
|
} else {
|
||||||
return back()->withErrors([$response['message']]);
|
return back()->withErrors([$response['message']]);
|
||||||
}
|
}
|
||||||
|
} else {
|
||||||
|
return back()->withErrors(['Nah, you can\'t do this. Wrong permissions.']);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue