forked from miguel456/rbrecruiter
Miguel Nogueira
5f1f92a9ce
This commit fixes some superficial instances of Broken Access Control (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control). There may be some more instances of this, as authorization was only done after most of the controllers were done (big mistake). Some refactoring was also performed, where Route Model Binding with DI (dependency injection) was used whenever possible, to increase testability of the codebase. Some reused code was also moved to Helper classes as to enforce DRY; There may be some lines of code that are still copy-pasted from other parts of the codebase for reuse. Non-breaking refactoring changes were made, but the app as a whole still needs full manual testing, and customised responses to HTTP 500 responses. Some errors are also not handled gracefully and this wasn't checked in this commit.
139 lines
4.1 KiB
PHP
139 lines
4.1 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Controllers;
|
|
|
|
use App\Http\Requests\VacancyRequest;
|
|
use App\Http\Requests\VacancyEditRequest;
|
|
|
|
use App\Vacancy;
|
|
use App\User;
|
|
use App\Form;
|
|
|
|
use App\Notifications\VacancyClosed;
|
|
|
|
use Illuminate\Http\Request;
|
|
use Illuminate\Support\Str;
|
|
use Illuminate\Support\Facades\Auth;
|
|
|
|
|
|
class VacancyController extends Controller
|
|
{
|
|
public function index()
|
|
{
|
|
$this->authorize('viewAny', Vacancy::class);
|
|
return view('dashboard.administration.positions')
|
|
->with([
|
|
'forms' => Form::all(),
|
|
'vacancies' => Vacancy::all()
|
|
]);
|
|
}
|
|
|
|
public function store(VacancyRequest $request)
|
|
{
|
|
$this->authorize('create', Vacancy::class);
|
|
$form = Form::find($request->vacancyFormID);
|
|
|
|
if (!is_null($form))
|
|
{
|
|
/* note: since we can't convert HTML back to Markdown, we'll have to do the converting when the user requests a page,
|
|
* and leave the database with Markdown only so it can be used and edited everywhere.
|
|
* for several vacancies, this would require looping through all of them and replacing MD with HTML, which is obviously not the most clean solution;
|
|
* however, the Model can be configured to return MD instead of HTML on that specific field saving us from looping.
|
|
*/
|
|
Vacancy::create([
|
|
|
|
'vacancyName' => $request->vacancyName,
|
|
'vacancyDescription' => $request->vacancyDescription,
|
|
'vacancyFullDescription' => $request->vacancyFullDescription,
|
|
'vacancySlug' => Str::slug($request->vacancyName),
|
|
'permissionGroupName' => $request->permissionGroup,
|
|
'discordRoleID' => $request->discordRole,
|
|
'vacancyFormID' => $request->vacancyFormID,
|
|
'vacancyCount' => $request->vacancyCount
|
|
|
|
]);
|
|
|
|
$request->session()->flash('success', 'Vacancy successfully opened. It will now show in the home page.');
|
|
}
|
|
else
|
|
{
|
|
$request->session()->flash('error', 'You cannot create a vacancy without a valid form.');
|
|
}
|
|
|
|
return redirect()->back();
|
|
|
|
}
|
|
|
|
public function updatePositionAvailability(Request $request, $status, Vacancy $vacancy)
|
|
{
|
|
|
|
$this->authorize('update', $vacancy);
|
|
|
|
if (!is_null($vacancy))
|
|
{
|
|
$type = 'success';
|
|
|
|
switch ($status)
|
|
{
|
|
case 'open':
|
|
$vacancy->open();
|
|
$message = "Position successfully opened!";
|
|
|
|
break;
|
|
|
|
case 'close':
|
|
$vacancy->close();
|
|
$message = "Position successfully closed!";
|
|
|
|
foreach(User::all() as $user)
|
|
{
|
|
if ($user->isStaffMember())
|
|
{
|
|
$user->notify(new VacancyClosed($vacancy));
|
|
}
|
|
}
|
|
break;
|
|
|
|
default:
|
|
$message = "Please do not tamper with the button's URLs. To report a bug, please contact an administrator.";
|
|
$type = 'error';
|
|
|
|
}
|
|
}
|
|
else
|
|
{
|
|
$message = "The position you're trying to update doesn't exist!";
|
|
$type = "error";
|
|
}
|
|
|
|
$request->session()->flash($type, $message);
|
|
return redirect()->back();
|
|
}
|
|
|
|
|
|
public function edit(Request $request, Vacancy $position)
|
|
{
|
|
$this->authorize('update', $vacancy);
|
|
return view('dashboard.administration.editposition')
|
|
->with('vacancy', $position);
|
|
}
|
|
|
|
|
|
|
|
public function update(VacancyEditRequest $request, Vacancy $position)
|
|
{
|
|
$this->authorize('update', $vacancy);
|
|
|
|
$position->vacancyFullDescription = $request->vacancyFullDescription;
|
|
$position->vacancyDescription = $request->vacancyDescription;
|
|
$position->vacancyCount = $request->vacancyCount;
|
|
|
|
$position->save();
|
|
|
|
$request->session()->flash('success', 'Vacancy successfully updated.');
|
|
return redirect()->back();
|
|
|
|
}
|
|
|
|
}
|