rbrecruiter/app/Policies/BanPolicy.php

<?php

namespace App\Policies;

use App\Ban;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Log;

class BanPolicy
{
    use HandlesAuthorization;

    /**
     * Determine whether the user can view any models.
     *
     * @param  \App\User  $user
     * @return mixed
     */
    public function viewAny(User $user)
    {
        //
    }

    /**
     * Determine whether the user can view the model.
     *
     * @param  \App\User  $user
     * @param  \App\Ban  $ban
     * @return mixed
     */
    public function view(User $user, Ban $ban)
    {
        //
    }

    /**
     * Determine whether the user can create models.
     *
     * @param \App\User $user
     * @param User $targetUser
     * @return mixed
     */
    public function create(User $user, User $targetUser)
    {
        Log::debug("Authorization check started", [
            'requiredRoles' => 'admin',
            'hasRequiredRole' => $user->hasRole('admin'),
            'targetUser' => $targetUser->username,
            'isCurrentUser' => Auth::user()->is($user)
        ]);
        return $user->hasRole('admin') && $user->isNot($targetUser);
    }

    /**
     * Determine whether the user can update the model.
     *
     * @param  \App\User  $user
     * @param  \App\Ban  $ban
     * @return mixed
     */
    public function update(User $user, Ban $ban)
    {
        return $user->hasRole('admin');
    }

    /**
     * Determine whether the user can delete the model.
     *
     * @param  \App\User  $user
     * @param  \App\Ban  $ban
     * @return mixed
     */
    public function delete(User $user, Ban $ban)
    {
        return $user->hasRole('admin');
    }

    /**
     * Determine whether the user can restore the model.
     *
     * @param  \App\User  $user
     * @param  \App\Ban  $ban
     * @return mixed
     */
    public function restore(User $user, Ban $ban)
    {
        //
    }

    /**
     * Determine whether the user can permanently delete the model.
     *
     * @param  \App\User  $user
     * @param  \App\Ban  $ban
     * @return mixed
     */
    public function forceDelete(User $user, Ban $ban)
    {
        //
    }
}
Add user directory & isolate authorisation 2020-06-27 18:15:33 +00:00			`<?php`

			`namespace App\Policies;`

			`use App\Ban;`
			`use App\User;`
			`use Illuminate\Auth\Access\HandlesAuthorization;`
Fixed broken banning logic 2020-08-13 21:12:17 +00:00			`use Illuminate\Support\Facades\Auth;`
			`use Illuminate\Support\Facades\Log;`
Add user directory & isolate authorisation 2020-06-27 18:15:33 +00:00
			`class BanPolicy`
			`{`
			`use HandlesAuthorization;`

			`/**`
			`* Determine whether the user can view any models.`
			`*`
			`* @param \App\User $user`
			`* @return mixed`
			`*/`
			`public function viewAny(User $user)`
			`{`
			`//`
			`}`

			`/**`
			`* Determine whether the user can view the model.`
			`*`
			`* @param \App\User $user`
			`* @param \App\Ban $ban`
			`* @return mixed`
			`*/`
			`public function view(User $user, Ban $ban)`
			`{`
			`//`
			`}`

			`/**`
			`* Determine whether the user can create models.`
			`*`
Update ban time logic 2020-09-07 22:38:25 +00:00			`* @param \App\User $user`
			`* @param User $targetUser`
Add user directory & isolate authorisation 2020-06-27 18:15:33 +00:00			`* @return mixed`
			`*/`
Update ban logic 2020-09-07 22:33:35 +00:00			`public function create(User $user, User $targetUser)`
Add user directory & isolate authorisation 2020-06-27 18:15:33 +00:00			`{`
Fixed broken banning logic 2020-08-13 21:12:17 +00:00			`Log::debug("Authorization check started", [`
			`'requiredRoles' => 'admin',`
			`'hasRequiredRole' => $user->hasRole('admin'),`
Update target user in logs 2020-09-07 23:07:50 +00:00			`'targetUser' => $targetUser->username,`
Fixed broken banning logic 2020-08-13 21:12:17 +00:00			`'isCurrentUser' => Auth::user()->is($user)`
			`]);`
Update ban logic 2020-09-07 22:33:35 +00:00			`return $user->hasRole('admin') && $user->isNot($targetUser);`
Add user directory & isolate authorisation 2020-06-27 18:15:33 +00:00			`}`

			`/**`
			`* Determine whether the user can update the model.`
			`*`
			`* @param \App\User $user`
			`* @param \App\Ban $ban`
			`* @return mixed`
			`*/`
			`public function update(User $user, Ban $ban)`
			`{`
Code review This commit fixes some superficial instances of Broken Access Control (https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/Top_10-2017_A5-Broken_Access_Control). There may be some more instances of this, as authorization was only done after most of the controllers were done (big mistake). Some refactoring was also performed, where Route Model Binding with DI (dependency injection) was used whenever possible, to increase testability of the codebase. Some reused code was also moved to Helper classes as to enforce DRY; There may be some lines of code that are still copy-pasted from other parts of the codebase for reuse. Non-breaking refactoring changes were made, but the app as a whole still needs full manual testing, and customised responses to HTTP 500 responses. Some errors are also not handled gracefully and this wasn't checked in this commit. 2020-07-16 20:21:28 +00:00			`return $user->hasRole('admin');`
Add user directory & isolate authorisation 2020-06-27 18:15:33 +00:00			`}`

			`/**`
			`* Determine whether the user can delete the model.`
			`*`
			`* @param \App\User $user`
			`* @param \App\Ban $ban`
			`* @return mixed`
			`*/`
			`public function delete(User $user, Ban $ban)`
			`{`
			`return $user->hasRole('admin');`
			`}`

			`/**`
			`* Determine whether the user can restore the model.`
			`*`
			`* @param \App\User $user`
			`* @param \App\Ban $ban`
			`* @return mixed`
			`*/`
			`public function restore(User $user, Ban $ban)`
			`{`
			`//`
			`}`

			`/**`
			`* Determine whether the user can permanently delete the model.`
			`*`
			`* @param \App\User $user`
			`* @param \App\Ban $ban`
			`* @return mixed`
			`*/`
			`public function forceDelete(User $user, Ban $ban)`
			`{`
			`//`
			`}`
			`}`