Add user directory & isolate authorisation

This commit is contained in:
Miguel Nogueira 2020-06-27 19:15:33 +01:00
parent 71efdf93d8
commit 33c16fcf46
25 changed files with 812 additions and 59 deletions

View File

@ -80,6 +80,8 @@ class ApplicationController extends Controller
public function showAllPendingApps()
{
$this->authorize('viewAny', Application::class);
return view('dashboard.appmanagement.outstandingapps')
->with('applications', Application::where('applicationStatus', 'STAGE_SUBMITTED')->get());
}
@ -90,6 +92,7 @@ class ApplicationController extends Controller
public function showPendingInterview()
{
$this->authorize('viewAny', Application::class);
$applications = Application::with('appointment', 'user')->get();
$count = 0;
@ -131,6 +134,7 @@ class ApplicationController extends Controller
public function showPeerReview()
{
$this->authorize('viewAny', Application::class);
return view('dashboard.appmanagement.peerreview')
->with('applications', Application::where('applicationStatus', 'STAGE_PEERAPPROVAL')->get());
@ -246,6 +250,7 @@ class ApplicationController extends Controller
public function updateApplicationStatus(Request $request, $applicationID, $newStatus)
{
$application = Application::find($applicationID);
$this->authorize('update', Application::class);
if (!is_null($application))
{

View File

@ -28,6 +28,8 @@ class AppointmentController extends Controller
{
// Unrelated TODO: change if's in application page to a switch statement, & have the row encompass it
$this->authorize('create', Appointment::class);
$app = Application::find($applicationID);
if (!is_null($app))
@ -64,6 +66,9 @@ class AppointmentController extends Controller
public function updateAppointment(Request $request, $applicationID, $status)
{
$this->authorize('update', Appointment::class);
$application = Application::find($applicationID);
$validStatuses = [
'SCHEDULED',

View File

@ -76,6 +76,9 @@ class BanController extends Controller
public function delete(Request $request, User $user)
{
$this->authorize('delete', $user->bans);
if (!is_null($user->bans))
{
$user->bans->delete();

View File

@ -21,7 +21,7 @@ class CommentController extends Controller
public function insert(NewCommentRequest $request, Application $application)
{
// Type hinting makes laravel automatically validate everything
$this->authorize('create', Comment::class);
$comment = Comment::create([
'authorID' => Auth::user()->id,
@ -53,13 +53,10 @@ class CommentController extends Controller
public function delete(Request $request, Comment $comment)
{
if (Auth::user()->is($comment->user) || Auth::user()->hasRole('admin'))
{
$this->authorize('delete', $comment);
$comment->delete();
$request->session()->flash('success', 'Comment deleted!');
}
$request->session()->flash('error', 'You do not have permission to delete this comment!');
return redirect()->back();

View File

@ -5,24 +5,31 @@ namespace App\Http\Controllers;
use App\Form;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;
use Illuminate\Support\Facades\Auth;
class FormController extends Controller
{
public function index()
{
$forms = Form::all();
$this->authorize('viewAny', Form::class);
return view('dashboard.administration.forms')
->with('forms', Form::all());
->with('forms', $forms);
}
public function showFormBuilder()
{
$this->authorize('viewFormbuilder', Form::class);
return view('dashboard.administration.formbuilder');
}
public function saveForm(Request $request)
{
$this->authorize('create', Form::class);
$formFields = $request->all();
$formStructure = [];
@ -72,6 +79,7 @@ class FormController extends Controller
{
$form = Form::find($id);
$this->authorize('delete', $form);
// TODO: Check if form is linked to vacancies before allowing deletion
if (!is_null($form))

View File

@ -14,6 +14,14 @@ use Spatie\Permission\Models\Role;
class ProfileController extends Controller
{
public function index()
{
return view('dashboard.user.directory')
->with('users', User::with('profile', 'bans')->paginate(9));
}
public function showProfile()
{

View File

@ -24,17 +24,16 @@ use Spatie\Permission\Models\Role;
class UserController extends Controller
{
public function showStaffMembers()
{
$this->authorize('viewStaff', User::class);
$staffRoles = [
'reviewer',
'hiringManager',
'admin'
]; // TODO: Un-hardcode this, move to config/roles.php
if (Auth::user()->can('admin.stafflist'))
{
$users = User::with('roles')->get();
$staffMembers = collect([]);
@ -63,11 +62,10 @@ class UserController extends Controller
]);
}
abort(403, 'Forbidden');
}
public function showPlayers()
{
$this->authorize('viewPlayers', User::class);
$users = User::with('roles')->get();
$players = collect([]);
@ -80,8 +78,6 @@ class UserController extends Controller
}
}
if (Auth::user()->can('admin.userlist'))
{
return view('dashboard.administration.players')
->with([
'users' => $players,
@ -89,14 +85,12 @@ class UserController extends Controller
]);
}
abort(403, 'Forbidden');
}
public function showPlayersLike(SearchPlayerRequest $request)
{
$searchTerm = $request->searchTerm;
$this->authorize('viewPlayers', User::class);
$searchTerm = $request->searchTerm;
$matchingUsers = User::query()
->where('name', 'LIKE', "%{$searchTerm}%")
->orWhere('email', 'LIKE', "%{$searchTerm}%")
@ -250,7 +244,7 @@ class UserController extends Controller
public function terminate(Request $request, User $user)
{
$this->authorize('terminate', Auth::user());
$this->authorize('terminate', User::class);
if (!$user->isStaffMember() || $user->is(Auth::user()))
{

View File

@ -10,11 +10,13 @@ use App\Form;
use App\Notifications\VacancyClosed;
use Illuminate\Http\Request;
use Illuminate\Support\Str;
use Illuminate\Support\Facades\Auth;
class VacancyController extends Controller
{
public function index()
{
$this->authorize('viewAny', Vacancy::class);
return view('dashboard.administration.positions')
->with([
'forms' => Form::all(),
@ -24,6 +26,7 @@ class VacancyController extends Controller
public function store(VacancyRequest $request)
{
$this->authorize('create', Vacancy::class);
$form = Form::find($request->vacancyFormID);
if (!is_null($form))
@ -53,7 +56,9 @@ class VacancyController extends Controller
public function updatePositionAvailability(Request $request, $status, $id)
{
$vacancy = Vacancy::find($id);
$this->authorize('update', $vacancy);
if (!is_null($vacancy))
{

View File

@ -16,6 +16,7 @@ class VoteController extends Controller
public function vote(VoteRequest $voteRequest, $applicationID)
{
$application = Application::find($applicationID);
$this->authorize('create', Vote::class);
if (!is_null($application))
{

View File

@ -21,6 +21,16 @@ class ApplicationPolicy
//
}
public function viewAny(User $user)
{
if ($user->can('applications.view.all'))
{
return Response::allow();
}
return Response::deny('Forbidden');
}
public function view(User $user, Application $application)
{
if ($user->is($application->user) && $user->can('applications.view.own') || $user->can('applications.view.all'))
@ -30,4 +40,9 @@ class ApplicationPolicy
return Response::deny('You are not authorised to view this application');
}
public function update(User $user)
{
return $user->hasAnyRole('admin', 'hiringManager');
}
}

View File

@ -0,0 +1,94 @@
<?php
namespace App\Policies;
use App\Appointment;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class AppointmentPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
//
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function view(User $user, Appointment $appointment)
{
//
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $user->can('appointments.schedule');
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function update(User $user, Appointment $appointment)
{
return $user->can('appointments.schedule.edit');
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function delete(User $user, Appointment $appointment)
{
//
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function restore(User $user, Appointment $appointment)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function forceDelete(User $user, Appointment $appointment)
{
//
}
}

View File

@ -0,0 +1,94 @@
<?php
namespace App\Policies;
use App\Ban;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class BanPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
//
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function view(User $user, Ban $ban)
{
//
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
//
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function update(User $user, Ban $ban)
{
//
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function delete(User $user, Ban $ban)
{
return $user->hasRole('admin');
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function restore(User $user, Ban $ban)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function forceDelete(User $user, Ban $ban)
{
//
}
}

View File

@ -0,0 +1,99 @@
<?php
namespace App\Policies;
use App\Comment;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class CommentPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
//
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function view(User $user, Comment $comment)
{
//
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $user->isStaffMember();
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function update(User $user, Comment $comment)
{
//
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function delete(User $user, Comment $comment)
{
if ($user->is($comment->user) || $user->hasRole('admin'))
{
return true;
}
return false;
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function restore(User $user, Comment $comment)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function forceDelete(User $user, Comment $comment)
{
//
}
}

View File

@ -0,0 +1,98 @@
<?php
namespace App\Policies;
use App\Form;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class FormPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
return $user->can('admin.hiring.forms');
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function view(User $user, Form $form)
{
return $user->can('admin.hiring.forms');
}
public function viewFormbuilder(User $user)
{
return $user->can('admin.hiring.formbuilder');
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $this->user->can('admin.hiring.forms');
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function update(User $user, Form $form)
{
// unused
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function delete(User $user, Form $form)
{
return $this->user->can('admin.hiring.forms');
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function restore(User $user, Form $form)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function forceDelete(User $user, Form $form)
{
//
}
}

View File

@ -0,0 +1,94 @@
<?php
namespace App\Policies;
use App\User;
use App\Vacancy;
use Illuminate\Auth\Access\HandlesAuthorization;
class VacancyPolicy
{
use HandlesAuthorization;
// TODO: Switch to permissions (there are no specific permissions yet)
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
return $user->hasAnyRole('admin', 'hiringManager');
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function view(User $user, Vacancy $vacancy)
{
// unused
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $user->hasAnyRole('admin', 'hiringManager');
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function update(User $user, Vacancy $vacancy)
{
return $user->hasRole('admin', 'hiringManager');
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function delete(User $user, Vacancy $vacancy)
{
//
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function restore(User $user, Vacancy $vacancy)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function forceDelete(User $user, Vacancy $vacancy)
{
//
}
}

View File

@ -0,0 +1,94 @@
<?php
namespace App\Policies;
use App\User;
use App\Vote;
use Illuminate\Auth\Access\HandlesAuthorization;
class VotePolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
//
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function view(User $user, Vote $vote)
{
//
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $user->can('applications.vote');
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function update(User $user, Vote $vote)
{
//
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function delete(User $user, Vote $vote)
{
//
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function restore(User $user, Vote $vote)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function forceDelete(User $user, Vote $vote)
{
//
}
}

View File

@ -2,10 +2,22 @@
namespace App\Providers;
use App\Http\Controllers\BanController;
use App\Http\Controllers\VoteController;
use App\Http\Controllers\ProfileController;
use App\Http\Controllers\AppointmentController;
use App\Policies\ProfilePolicy;
use App\Policies\VacancyPolicy;
use App\Policies\UserPolicy;
use App\Policies\FormPolicy;
use App\Policies\ApplicationPolicy;
use App\User;
use App\Form;
use App\Vote;
use App\Vacancy;
use App\Application;
use App\Appointment;
use App\Ban;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;
@ -18,9 +30,15 @@ class AuthServiceProvider extends ServiceProvider
*/
protected $policies = [
// 'App\Model' => 'App\Policies\ModelPolicy',
'App\Application' => 'App\Policies\ApplicationPolicy',
ProfileController::class => ProfilePolicy::class,
User::class => UserPolicy::class
Application::class => ApplicationPolicy::class,
Profile::class => ProfilePolicy::class,
User::class => UserPolicy::class,
Vacancy::class => VacancyPolicy::class,
//Form::class => FormPolicy::class
'App\Form' => 'App\Policies\FormPolicy',
Vote::class => VoteController::class,
Ban::class => BanController::class,
Appointment::class => AppointmentController::class
];
/**
@ -31,7 +49,6 @@ class AuthServiceProvider extends ServiceProvider
public function boot()
{
$this->registerPolicies();
//
}
}

View File

@ -213,6 +213,12 @@ return [
'icon' => 'fas fa-home',
'url' => 'dashboard'
],
[
'text' => 'Directory',
'icon' => 'fas fa-users',
'url' => 'users/directory',
'can' => 'profiles.view.others'
],
[
'header' => 'Applications',
'can' => 'applications.view.own'

3
public/css/directory.css vendored Normal file
View File

@ -0,0 +1,3 @@
.links nav {
display: inline-block;
}

View File

@ -63,7 +63,7 @@ I
<form name="search" method="POST" action="{{route('searchRegisteredPLayerList')}}">
@csrf
<div class="input-group">
<input type="text" name="searchTerm" class="form-control" placeholder="Username/email search">
<input type="text" name="searchTerm" class="form-control" placeholder="Full/partial email search">
<span class="input-group-btn">
<button class="btn btn-default" type="submit">
<i class="fa fa-search"></i>
@ -116,6 +116,7 @@ I
<th>#</th>
<th>IGN</th>
<th>UUID</th>
<th>Email</th>
<th>Status</th>
<th>Registration Date</th>
<th>Actions</th>
@ -130,6 +131,7 @@ I
<td>{{$user->id}}</td>
<td>{{UUID::toUsername($user->uuid)}}</td>
<td>{{$user->uuid}}</td>
<td>{{ $user->email }}</td>
<td>
@if ($user->isBanned())
<span class="badge badge-danger"><i class="fa fa-ban"></i> Banned</span>

View File

@ -49,6 +49,7 @@
<th>Full Name</th>
<th>UUID</th>
<th>Rank</th>
<th>Email</th>
<th>Status</th>
<th>Join Date</th>
<th>Actions</th>
@ -60,7 +61,7 @@
@foreach($users as $user)
<tr>
<td>1</td>
<td>{{ $user->id }}</td>
<td>{{$user->name}}</td>
<td>{{UUID::toUsername($user->uuid)}}</td>
<td>
@ -68,11 +69,11 @@
<span class="badge badge-info badge-sm">{{$role->name}}</span>
@endforeach
</td>
<td>{{ $user->email }}</td>
<td><span class="badge badge-success">Active</span></td>
<td>{{$user->created_at}}</td>
<td>
<button type="button" class="btn btn-sm btn-success mr-2" onclick="window.location.href='{{route('showSingleProfile', ['user' => $user->id])}}'"><i class="fa fa-eye"></i></button>
<button type="button" class="btn btn-sm btn-warning mr-2"><i class="fas fa-pencil-alt"></i></button>
</td>
</tr>

View File

@ -0,0 +1,107 @@
@extends('adminlte::page')
@section('title', 'Raspberry Network | User Directory')
@section('content_header')
<h4>Users / Directory</h4>
@stop
@section('js')
<script src="/js/app.js"></script>
<x-global-errors></x-global-errors>
@stop
@section('css')
<link rel="stylesheet" href="/css/directory.css" />
@stop
@section('content')
@if (Auth::user()->can('profiles.view.others'))
<div class="row">
@foreach ($users as $user)
<div class="col-md-4">
<!-- Widget: user widget style 1 -->
<div class="card card-widget widget-user">
<div class="widget-user-header bg-secondary">
<h3 class="widget-user-username">{{ $user->name }}</h3>
<h5 class="widget-user-desc">{{ $user->profile->profileShortBio }}</h5>
</div>
<div class="widget-user-image">
@if($user->profile->avatarPreference == 'gravatar')
<img class="profile-user-img elevation-2 img-fluid img-circle" src="https://gravatar.com/avatar/{{md5($user->email)}}" alt="User profile picture">
@else
<img class="profile-user-img elevation-2 img-fluid img-circle" src="https://crafatar.com/avatars/{{$user->uuid}}" alt="User profile picture">
@endif
</div>
<div class="card-footer text-center">
@if (Auth::user()->is($user))
<div class="user-indicator mb-2">
<span class="badge badge-success">It's you!</span>
</div>
@endif
<div class="roles mb-2">
@foreach ($user->roles as $role)
<span class="badge badge-secondary mr-2">{{ucfirst($role->name)}}</span>
@endforeach
</div>
<button type="button" class="btn btn-sm btn-primary" onclick="window.location.href='{{ route('showSingleProfile', ['user' => $user->id]) }}'"><i class="fa fa-eye"></i> Profile</button>
</div>
</div>
<!-- /.widget-user -->
</div>
@endforeach
</div>
<div clsas="row mt-4">
<div class="col">
<div class="card">
<div class="card-body text-center">
<div class="links">
{{ $users->links() }}
</div>
</div>
</div>
</div>
</div>
@else
<div class="alert alert-danger">
<p>
You do not have permission to view this page.
</p>
</div>
@endif
@stop

View File

@ -4,7 +4,7 @@
@section('content_header')
<h4>Profile</h4>
<h4>Users / Profile / {{ $profile->user->name }}</h4>
@stop

View File

@ -31,6 +31,9 @@ Route::group(['middleware' => ['auth', 'forcelogout']], function(){
->name('dashboard')
->middleware('eligibility');
Route::get('users/directory', 'ProfileController@index')
->name('directory');
Route::group(['prefix' => '/applications'], function (){
Route::get('/my-applications', 'ApplicationController@showUserApps')