staffmanager/app/Policies/UserPolicy.php

<?php

/*
 * Copyright © 2020 Miguel Nogueira
 *
 *   This file is part of Raspberry Staff Manager.
 *
 *     Raspberry Staff Manager is free software: you can redistribute it and/or modify
 *     it under the terms of the GNU General Public License as published by
 *     the Free Software Foundation, either version 3 of the License, or
 *     (at your option) any later version.
 *
 *     Raspberry Staff Manager is distributed in the hope that it will be useful,
 *     but WITHOUT ANY WARRANTY; without even the implied warranty of
 *     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *     GNU General Public License for more details.
 *
 *     You should have received a copy of the GNU General Public License
 *     along with Raspberry Staff Manager.  If not, see <https://www.gnu.org/licenses/>.
 */

namespace App\Policies;

use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;

class UserPolicy
{
    use HandlesAuthorization;

    /**
     * Create a new policy instance.
     *
     * @return void
     */
    public function __construct()
    {
    }

    public function edit(User $authUser, User $user)
    {
        return $authUser->is($user) || $authUser->hasRole('admin');
    }

    // This refers to the admin tools that let staff update more information than users themselves can
    public function adminEdit(User $authUser, User $user)
    {
        return $authUser->hasRole('admin') && $authUser->isNot($user);
    }

    public function viewStaff(User $user)
    {
        return $user->can('admin.stafflist');
    }

    public function viewPlayers(User $user)
    {
        return $user->can('admin.userlist');
    }

    public function terminate(User $authUser)
    {
        return $authUser->hasRole('admin');
    }

    public function delete(User $authUser, User $subject)
    {
        return $authUser->hasRole('admin') && $authUser->isNot($subject);
    }
}
Beta version This commit is too large to list all changes. 2020-06-26 23:32:33 +00:00			`<?php`

Apply fixes from StyleCI 2020-10-10 16:30:26 +00:00			`/*`
			`* Copyright © 2020 Miguel Nogueira`
			`*`
			`* This file is part of Raspberry Staff Manager.`
			`*`
			`* Raspberry Staff Manager is free software: you can redistribute it and/or modify`
			`* it under the terms of the GNU General Public License as published by`
			`* the Free Software Foundation, either version 3 of the License, or`
			`* (at your option) any later version.`
			`*`
			`* Raspberry Staff Manager is distributed in the hope that it will be useful,`
			`* but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`* GNU General Public License for more details.`
			`*`
			`* You should have received a copy of the GNU General Public License`
			`* along with Raspberry Staff Manager. If not, see <https://www.gnu.org/licenses/>.`
			`*/`

Beta version This commit is too large to list all changes. 2020-06-26 23:32:33 +00:00			`namespace App\Policies;`

			`use App\User;`
			`use Illuminate\Auth\Access\HandlesAuthorization;`

			`class UserPolicy`
			`{`
			`use HandlesAuthorization;`

			`/**`
			`* Create a new policy instance.`
			`*`
			`* @return void`
			`*/`
			`public function __construct()`
			`{`
			`}`

			`public function edit(User $authUser, User $user)`
			`{`
			`return $authUser->is($user) \|\| $authUser->hasRole('admin');`
			`}`

Code review This commit fixes some superficial instances of Broken Access Control (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control). There may be some more instances of this, as authorization was only done after most of the controllers were done (big mistake). Some refactoring was also performed, where Route Model Binding with DI (dependency injection) was used whenever possible, to increase testability of the codebase. Some reused code was also moved to Helper classes as to enforce DRY; There may be some lines of code that are still copy-pasted from other parts of the codebase for reuse. Non-breaking refactoring changes were made, but the app as a whole still needs full manual testing, and customised responses to HTTP 500 responses. Some errors are also not handled gracefully and this wasn't checked in this commit. 2020-07-16 20:21:28 +00:00			`// This refers to the admin tools that let staff update more information than users themselves can`
			`public function adminEdit(User $authUser, User $user)`
			`{`
Apply fixes from StyleCI 2020-10-10 16:30:26 +00:00			`return $authUser->hasRole('admin') && $authUser->isNot($user);`
Code review This commit fixes some superficial instances of Broken Access Control (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control). There may be some more instances of this, as authorization was only done after most of the controllers were done (big mistake). Some refactoring was also performed, where Route Model Binding with DI (dependency injection) was used whenever possible, to increase testability of the codebase. Some reused code was also moved to Helper classes as to enforce DRY; There may be some lines of code that are still copy-pasted from other parts of the codebase for reuse. Non-breaking refactoring changes were made, but the app as a whole still needs full manual testing, and customised responses to HTTP 500 responses. Some errors are also not handled gracefully and this wasn't checked in this commit. 2020-07-16 20:21:28 +00:00			`}`

Beta version This commit is too large to list all changes. 2020-06-26 23:32:33 +00:00			`public function viewStaff(User $user)`
			`{`
			`return $user->can('admin.stafflist');`
			`}`

			`public function viewPlayers(User $user)`
			`{`
			`return $user->can('admin.userlist');`
			`}`

			`public function terminate(User $authUser)`
			`{`
Apply fixes from StyleCI 2020-10-10 16:30:26 +00:00			`return $authUser->hasRole('admin');`
Beta version This commit is too large to list all changes. 2020-06-26 23:32:33 +00:00			`}`
Code review This commit fixes some superficial instances of Broken Access Control (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control). There may be some more instances of this, as authorization was only done after most of the controllers were done (big mistake). Some refactoring was also performed, where Route Model Binding with DI (dependency injection) was used whenever possible, to increase testability of the codebase. Some reused code was also moved to Helper classes as to enforce DRY; There may be some lines of code that are still copy-pasted from other parts of the codebase for reuse. Non-breaking refactoring changes were made, but the app as a whole still needs full manual testing, and customised responses to HTTP 500 responses. Some errors are also not handled gracefully and this wasn't checked in this commit. 2020-07-16 20:21:28 +00:00
			`public function delete(User $authUser, User $subject)`
			`{`
Apply fixes from StyleCI 2020-10-10 16:30:26 +00:00			`return $authUser->hasRole('admin') && $authUser->isNot($subject);`
Code review This commit fixes some superficial instances of Broken Access Control (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control). There may be some more instances of this, as authorization was only done after most of the controllers were done (big mistake). Some refactoring was also performed, where Route Model Binding with DI (dependency injection) was used whenever possible, to increase testability of the codebase. Some reused code was also moved to Helper classes as to enforce DRY; There may be some lines of code that are still copy-pasted from other parts of the codebase for reuse. Non-breaking refactoring changes were made, but the app as a whole still needs full manual testing, and customised responses to HTTP 500 responses. Some errors are also not handled gracefully and this wasn't checked in this commit. 2020-07-16 20:21:28 +00:00			`}`
Beta version This commit is too large to list all changes. 2020-06-26 23:32:33 +00:00			`}`