From 31f45c4af525a1ee77fa1f4458509f8aecb5d53e Mon Sep 17 00:00:00 2001
From: ro
Date: Sun, 29 Sep 2024 15:55:55 -0600
Subject: [PATCH] add role checks for admin function

admin functions are not shown to member with incorrect roles, but added a bit more padding in the controller itself to check if the role is correct before running an admin action for a little extra security
---
 app/Http/Controllers/LocationController.php | 52 ++++++++++++++-------
 app/Http/Controllers/MemberController.php | 47 +++++++++++++------
 2 files changed, 67 insertions(+), 32 deletions(-)

diff --git a/app/Http/Controllers/LocationController.php b/app/Http/Controllers/LocationController.php
index 292fbb0..0f660d9 100644
--- a/app/Http/Controllers/LocationController.php
+++ b/app/Http/Controllers/LocationController.php
@@ -5,6 +5,7 @@ namespace App\Http\Controllers;
 use Illuminate\Http\Request;
 use App\Services\UpdateService;
 use App\Repositories\LocationRepository;
+use Illuminate\Support\Facades\Auth;
 class LocationController extends Controller
 {
@@ -18,34 +19,51 @@ class LocationController extends Controller
 $this->location = $locationRepository;
 }
+ //actions
 public function updateLocations()
 {
- $result = $this->update->data();
-
- return back()->with(
- 'message',
- $result
- );
+ //role check
+ $member = Auth::user();
+ if ($member->role == 0) {
+ $result = $this->update->data();
+ return back()->with(
+ 'message',
+ $result
+ );
+ } else {
+ return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
+ }
 }
 public function compileLocations()
 {
- $result = $this->update->list();
-
- return back()->with(
- 'message',
- $result
- );
+ //role check
+ $member = Auth::user();
+ if ($member->role == 0) {
+ $result = $this->update->list();
+ return back()->with(
+ 'message',
+ $result
+ );
+ } else {
+ return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
+ }
 }
 public function editLocation(Request $request)
 {
- $token = csrf_token();
- $response = $this->location->editLocation($request);
- if ($response['status']) {
- return back()->with('message', $response['message']);
+ $token = csrf_token();
+ //role check
+ $member = Auth::user();
+ if ($member->role == 0 || $member->role == 1) {
+ $response = $this->location->editLocation($request);
+ if ($response['status']) {
+ return back()->with('message', $response['message']);
+ } else {
+ return back()->withErrors('message', $response['message']);
+ }
 } else {
- return back()->withErrors('message', $response['message']);
+ return back()->withErrors('message', 'Nah, you don\'t have permission to do this');
 }
 }
 }
diff --git a/app/Http/Controllers/MemberController.php b/app/Http/Controllers/MemberController.php
index 50db498..60d7890 100644
--- a/app/Http/Controllers/MemberController.php
+++ b/app/Http/Controllers/MemberController.php
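Review bot: The new gates in updateLocations, compileLocations and editLocation read `$member->role` without checking that `Auth::user()` returned a user, and compare with loose `==`; when no user is authenticated the property read on null yields null, and `null == 0` is true in PHP, so the admin-only branch would run for an unauthenticated request on any of these routes that is not already behind the `auth` middleware (the route definitions are outside this diff). Fail closed and compare strictly against the model's cast type, e.g. `$member = Auth::user();` / `if ($member === null || (int) $member->role !== 0) {` / `return back()->withErrors(['Nah, you don\'t have permission to do this']);`, or better, express the rule once as a Gate/Policy or route middleware so the three copies cannot drift. The same null-user and loose-comparison pattern recurs in the MemberController hunk. Separately, `withErrors('message', 'Nah, …')` does not do what it looks like: the signature is `withErrors($provider, $key = 'default')`, so the denial text becomes the error-bag key and the string `'message'` becomes the error, whereas the MemberController hunk uses the array form `withErrors([...])`, which is what is intended here.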
@@ -72,34 +72,51 @@ class MemberController extends Controller
 //actions
 public function profileEdit(Request $request)
 {
- $token = csrf_token();
- $response = $this->member->editProfile($request);
- if ($response['status'] == true) {
- return back()->with('message', $response['message']);
+ $token = csrf_token();
+ //check if logged in member id matches profile request id
+ $member = Auth::user();
+ if ($member->uuid == $request->id) {
+ $response = $this->member->editProfile($request);
+ if ($response['status'] == true) {
+ return back()->with('message', $response['message']);
+ } else {
+ return back()->withErrors([$response['message']]);
+ }
 } else {
- return back()->withErrors([$response['message']]);
+ return back()->withErrors(['This is not your profile to edit.']);
 }
 }
 public function memberEdit(Request $request)
 {
- $token = csrf_token();
- $response = $this->member->edit($request);
- if ($response['status'] == true) {
- return back()->with('message', $response['message']);
+ $token = csrf_token();
+ //role check
+ $member = Auth::user();
+ if ($member->role == 0 || $member->role == 1) {
+ $response = $this->member->edit($request);
+ if ($response['status'] == true) {
+ return back()->with('message', $response['message']);
+ } else {
+ return back()->withErrors([$response['message']]);
+ }
 } else {
- return back()->withErrors([$response['message']]);
+ return back()->withErrors(['Nah, you can\'t do this. 
Wrong permissions.']);
 }
 }
 public function memberCreate(Request $request)
 {
- $token = csrf_token();
- $response = $this->member->add($request);
- if ($response['status'] == true) {
- return redirect('/den/member')->with('message', $response['message']);
+ $token = csrf_token();
+ $member = Auth::user();
+ if ($member->role == 0 || $member->role == 1) {
+ $response = $this->member->add($request);
+ if ($response['status'] == true) {
+ return redirect('/den/member')->with('message', $response['message']);
+ } else {
+ return back()->withErrors([$response['message']]);
+ }
 } else {
- return back()->withErrors([$response['message']]);
+ return back()->withErrors(['Nah, you can\'t do this. Wrong permissions.']);
 }
 }
 }
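Review bot: `Auth::user()` is now called in profileEdit, memberEdit and memberCreate, but this hunk adds no `use Illuminate\Support\Facades\Auth;` to MemberController the way the LocationController hunk does; unless the import already exists above line 72 (not visible here), the bare `Auth` resolves to `App\Http\Controllers\Auth` inside this namespace and all three actions fail with a class-not-found error before any check runs. The null-user and loose `== 0` problem raised on the LocationController hunk applies to memberEdit and memberCreate too, and profileEdit has its own variant: with no authenticated user and no `id` in the request, `$member->uuid == $request->id` reduces to `null == null`, which is true. Make the ownership test strict and null-safe, `if ($member !== null && (string) $member->uuid === (string) $request->id) {`, and since the check only proves the two ids match, editProfile could be handed `$member->uuid` instead of relying on the client-supplied `$request->id` (whether the service reads the id from the request is not visible here). Centralising these duplicated role checks in a Gate or route middleware would also make them easier to audit than per-action copies.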