add role checks for admin function

admin functions are not shown to members with incorrect roles, but this adds
an explicit role check in the controller itself before running an admin
action, as a little extra defence in depth
ro 2024-09-29 15:55:55 -06:00
parent 3c0762344e
commit 31f45c4af5
2 changed files with 67 additions and 32 deletions


@ -5,6 +5,7 @@ namespace App\Http\Controllers;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use App\Services\UpdateService; use App\Services\UpdateService;
use App\Repositories\LocationRepository; use App\Repositories\LocationRepository;
use Illuminate\Support\Facades\Auth;
class LocationController extends Controller class LocationController extends Controller
{ {
@ -18,34 +19,51 @@ class LocationController extends Controller
$this->location = $locationRepository; $this->location = $locationRepository;
} }
//actions
public function updateLocations() public function updateLocations()
{ {
$result = $this->update->data(); //role check
$member = Auth::user();
return back()->with( if ($member->role == 0) {
'message', $result = $this->update->data();
$result return back()->with(
); 'message',
$result
);
} else {
return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
}
} }
public function compileLocations() public function compileLocations()
{ {
$result = $this->update->list(); //role check
$member = Auth::user();
return back()->with( if ($member->role == 0) {
'message', $result = $this->update->list();
$result return back()->with(
); 'message',
$result
);
} else {
return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
}
} }
public function editLocation(Request $request) public function editLocation(Request $request)
{ {
$token = csrf_token(); $token = csrf_token();
$response = $this->location->editLocation($request); //role check
if ($response['status']) { $member = Auth::user();
return back()->with('message', $response['message']); if ($member->role == 0 || $member->role == 1) {
$response = $this->location->editLocation($request);
if ($response['status']) {
return back()->with('message', $response['message']);
} else {
return back()->withErrors('message', $response['message']);
}
} else { } else {
return back()->withErrors('message', $response['message']); return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
} }
} }
} }
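Review bot: The admin gate added to updateLocations, compileLocations and editLocation uses a loose comparison, `$member->role == 0`, and in PHP `null == 0` is true, so a member row whose role is unset would pass as an admin; `Auth::user()` can also be null if these routes are not behind auth middleware (not visible here), in which case `$member->role` faults instead of failing closed. I'd write each guard as `if ($member !== null && (int) $member->role === 0)` (and `(int) $member->role === 0 || (int) $member->role === 1` in editLocation), keeping the denial in the else branch. Since the same check is now copied into several actions, it belongs in a route middleware or a Gate so a future action cannot forget it. Separately, `withErrors('message', 'Nah, ...')` passes the text as withErrors's second parameter, which is the error-bag name, so the denial is unlikely to render; `withErrors(['message' => 'Nah, you don\'t have permission to do this'])` matches the array form MemberController uses.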


@ -72,34 +72,51 @@ class MemberController extends Controller
//actions //actions
public function profileEdit(Request $request) public function profileEdit(Request $request)
{ {
$token = csrf_token(); $token = csrf_token();
$response = $this->member->editProfile($request); //check if logged in member id matches profile request id
if ($response['status'] == true) { $member = Auth::user();
return back()->with('message', $response['message']); if ($member->uuid == $request->id) {
$response = $this->member->editProfile($request);
if ($response['status'] == true) {
return back()->with('message', $response['message']);
} else {
return back()->withErrors([$response['message']]);
}
} else { } else {
return back()->withErrors([$response['message']]); return back()->withErrors(['This is not your profile to edit.']);
} }
} }
public function memberEdit(Request $request) public function memberEdit(Request $request)
{ {
$token = csrf_token(); $token = csrf_token();
$response = $this->member->edit($request); //role check
if ($response['status'] == true) { $member = Auth::user();
return back()->with('message', $response['message']); if ($member->role == 0 || $member->role == 1) {
$response = $this->member->edit($request);
if ($response['status'] == true) {
return back()->with('message', $response['message']);
} else {
return back()->withErrors([$response['message']]);
}
} else { } else {
return back()->withErrors([$response['message']]); return back()->withErrors(['Nah, you can\'t do this. Wrong permissions.']);
} }
} }
public function memberCreate(Request $request) public function memberCreate(Request $request)
{ {
$token = csrf_token(); $token = csrf_token();
$response = $this->member->add($request); $member = Auth::user();
if ($response['status'] == true) { if ($member->role == 0 || $member->role == 1) {
return redirect('/den/member')->with('message', $response['message']); $response = $this->member->add($request);
if ($response['status'] == true) {
return redirect('/den/member')->with('message', $response['message']);
} else {
return back()->withErrors([$response['message']]);
}
} else { } else {
return back()->withErrors([$response['message']]); return back()->withErrors(['Nah, you can\'t do this. Wrong permissions.']);
} }
} }
} }
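Review bot: profileEdit's new ownership check, `if ($member->uuid == $request->id)`, compares the authenticated user's uuid loosely against request input and then still hands `$request` to `editProfile($request)`, so the check only holds if that service reads the same `id` field; in PHP `==` between two numeric-looking strings compares numerically, and a null `Auth::user()` would fault rather than deny. I'd make it `if ($member !== null && (string) $member->uuid === (string) $request->id)` and, preferably, have editProfile take `$member->uuid` directly so the request cannot name the profile at all (editProfile's signature is not visible here). In memberEdit and memberCreate, role 1 is now trusted to edit and create any member; whether `$this->member->edit()` lets a role-1 caller change a target's `role` (promote themselves, or alter a role-0 account) is not visible and should be confirmed, since the controller check alone does not prevent it. Those two guards should also use strict comparison, `(int) $member->role === 0 || (int) $member->role === 1`, for the same `null == 0` reason. The class header is outside the hunk.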