From 33c16fcf467915611a90ac7b59ecdf6bb77e45a2 Mon Sep 17 00:00:00 2001 From: Miguel Nogueira Date: Sat, 27 Jun 2020 19:15:33 +0100 Subject: [PATCH] Add user directory & isolate authorisation --- .../Controllers/ApplicationController.php | 5 + .../Controllers/AppointmentController.php | 7 +- app/Http/Controllers/BanController.php | 3 + app/Http/Controllers/CommentController.php | 13 +-- app/Http/Controllers/FormController.php | 10 +- app/Http/Controllers/HomeController.php | 2 +- app/Http/Controllers/ProfileController.php | 8 ++ app/Http/Controllers/UserController.php | 68 +++++------ app/Http/Controllers/VacancyController.php | 5 + app/Http/Controllers/VoteController.php | 1 + app/Policies/ApplicationPolicy.php | 15 +++ app/Policies/AppointmentPolicy.php | 94 +++++++++++++++ app/Policies/BanPolicy.php | 94 +++++++++++++++ app/Policies/CommentPolicy.php | 99 ++++++++++++++++ app/Policies/FormPolicy.php | 98 ++++++++++++++++ app/Policies/VacancyPolicy.php | 94 +++++++++++++++ app/Policies/VotePolicy.php | 94 +++++++++++++++ app/Providers/AuthServiceProvider.php | 25 +++- config/adminlte.php | 6 + public/css/directory.css | 3 + .../administration/players.blade.php | 8 +- .../administration/staff-members.blade.php | 7 +- .../views/dashboard/user/directory.blade.php | 107 ++++++++++++++++++ .../user/profile/displayprofile.blade.php | 2 +- routes/web.php | 3 + 25 files changed, 812 insertions(+), 59 deletions(-) create mode 100644 app/Policies/AppointmentPolicy.php create mode 100644 app/Policies/BanPolicy.php create mode 100644 app/Policies/CommentPolicy.php create mode 100644 app/Policies/FormPolicy.php create mode 100644 app/Policies/VacancyPolicy.php create mode 100644 app/Policies/VotePolicy.php create mode 100644 public/css/directory.css create mode 100644 resources/views/dashboard/user/directory.blade.php diff --git a/app/Http/Controllers/ApplicationController.php b/app/Http/Controllers/ApplicationController.php index 98e7d51..acb4020 100644 
--- a/app/Http/Controllers/ApplicationController.php +++ b/app/Http/Controllers/ApplicationController.php @@ -80,6 +80,8 @@ class ApplicationController extends Controller public function showAllPendingApps() { + $this->authorize('viewAny', Application::class); + return view('dashboard.appmanagement.outstandingapps') ->with('applications', Application::where('applicationStatus', 'STAGE_SUBMITTED')->get()); } @@ -90,6 +92,7 @@ class ApplicationController extends Controller public function showPendingInterview() { + $this->authorize('viewAny', Application::class); $applications = Application::with('appointment', 'user')->get(); $count = 0; @@ -131,6 +134,7 @@ class ApplicationController extends Controller public function showPeerReview() { + $this->authorize('viewAny', Application::class); return view('dashboard.appmanagement.peerreview') ->with('applications', Application::where('applicationStatus', 'STAGE_PEERAPPROVAL')->get()); @@ -246,6 +250,7 @@ class ApplicationController extends Controller public function updateApplicationStatus(Request $request, $applicationID, $newStatus) { $application = Application::find($applicationID); + $this->authorize('update', Application::class); if (!is_null($application)) { diff --git a/app/Http/Controllers/AppointmentController.php b/app/Http/Controllers/AppointmentController.php index ccb5789..662f2a0 100644 --- a/app/Http/Controllers/AppointmentController.php +++ b/app/Http/Controllers/AppointmentController.php @@ -28,6 +28,8 @@ class AppointmentController extends Controller { // Unrelated TODO: change if's in application page to a switch statement, & have the row encompass it + $this->authorize('create', Appointment::class); + $app = Application::find($applicationID); if (!is_null($app)) 
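Review bot: In `updateApplicationStatus` the new `$this->authorize('update', Application::class)` is evaluated against the class even though `$application` was loaded on the line above it, so `ApplicationPolicy::update(User $user)` can never take the specific application (its owner, its current status) into account and the check stays a pure role test. Passing the instance inside the existing null check, `$this->authorize('update', $application);`, and widening the policy to `public function update(User $user, Application $application)` keeps today's role decision while allowing it to be scoped later. The method body continues past the hunk.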
@@ -49,7 +51,7 @@ class AppointmentController extends Controller 'datetime' => $appointmentDate->toDateTimeString(), 'scheduled' => now() ]); - + $app->user->notify(new AppointmentScheduled($appointment)); $request->session()->flash('success', 'Appointment successfully scheduled @ ' . $appointmentDate->toDateTimeString()); @@ -64,6 +66,9 @@ class AppointmentController extends Controller public function updateAppointment(Request $request, $applicationID, $status) { + + $this->authorize('update', Appointment::class); + $application = Application::find($applicationID); $validStatuses = [ 'SCHEDULED', diff --git a/app/Http/Controllers/BanController.php b/app/Http/Controllers/BanController.php index 332601c..a0182bd 100644 --- a/app/Http/Controllers/BanController.php +++ b/app/Http/Controllers/BanController.php @@ -76,6 +76,9 @@ class BanController extends Controller public function delete(Request $request, User $user) { + + $this->authorize('delete', $user->bans); + if (!is_null($user->bans)) { $user->bans->delete(); diff --git a/app/Http/Controllers/CommentController.php b/app/Http/Controllers/CommentController.php index fd281bb..a26cb37 100644 --- a/app/Http/Controllers/CommentController.php +++ b/app/Http/Controllers/CommentController.php @@ -21,8 +21,8 @@ class CommentController extends Controller public function insert(NewCommentRequest $request, Application $application) { - // Type hinting makes laravel automatically validate everything - + $this->authorize('create', Comment::class); + $comment = Comment::create([ 'authorID' => Auth::user()->id, 'applicationID' => $application->id, 
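Review bot: `$this->authorize('update', Appointment::class)` in `updateAppointment` does not fit the policy it targets: `AppointmentPolicy::update(User $user, Appointment $appointment)` requires a model, and when a class-string is passed the Gate drops it and invokes the policy with only the user, which ends in an `ArgumentCountError` rather than an allow/deny. Either authorize with the appointment instance once it is loaded, or make the policy method model-less as `ApplicationPolicy::update` is. The method body continues past the hunk, so the point where the appointment becomes available could not be checked here.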
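Review bot: `$this->authorize('delete', $user->bans)` runs before the `if (!is_null($user->bans))` check that follows it, so for a user who has no ban the Gate receives `null`, cannot resolve a policy from it, and the request ends in a 403 instead of reaching the intended no-ban path. Moving the authorize call inside the `if (!is_null($user->bans))` block keeps the check on the real `Ban` instance the policy expects. The same find-then-authorize order appears in `FormController::delete` and `VacancyController::updatePositionAvailability` later in the patch, where `find()` may also return `null`; the body of `delete` continues past the hunk.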
@@ -53,13 +53,10 @@ class CommentController extends Controller public function delete(Request $request, Comment $comment) { - if (Auth::user()->is($comment->user) || Auth::user()->hasRole('admin')) - { - $comment->delete(); - $request->session()->flash('success', 'Comment deleted!'); - } + $this->authorize('delete', $comment); - $request->session()->flash('error', 'You do not have permission to delete this comment!'); + $comment->delete(); + $request->session()->flash('success', 'Comment deleted!'); return redirect()->back(); diff --git a/app/Http/Controllers/FormController.php b/app/Http/Controllers/FormController.php index f2fb854..6d63742 100644 --- a/app/Http/Controllers/FormController.php +++ b/app/Http/Controllers/FormController.php @@ -5,24 +5,31 @@ namespace App\Http\Controllers; use App\Form; use Illuminate\Http\Request; use Illuminate\Support\Facades\Validator; +use Illuminate\Support\Facades\Auth; class FormController extends Controller { public function index() { + $forms = Form::all(); + $this->authorize('viewAny', Form::class); + return view('dashboard.administration.forms') - ->with('forms', Form::all()); + ->with('forms', $forms); } public function showFormBuilder() { + $this->authorize('viewFormbuilder', Form::class); return view('dashboard.administration.formbuilder'); } public function saveForm(Request $request) { + $this->authorize('create', Form::class); + $formFields = $request->all(); $formStructure = []; @@ -72,6 +79,7 @@ class FormController extends Controller { $form = Form::find($id); + $this->authorize('delete', $form); // TODO: Check if form is linked to vacancies before allowing deletion if (!is_null($form)) diff --git a/app/Http/Controllers/HomeController.php b/app/Http/Controllers/HomeController.php index f6d62ec..6a4f48e 100644 --- a/app/Http/Controllers/HomeController.php +++ b/app/Http/Controllers/HomeController.php 
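Review bot: In `FormController::index()` the `Form::all()` query is executed before `$this->authorize('viewAny', Form::class)`, so the table is read on behalf of callers who are then refused; authorization should be the first statement, as it already is in `showFormBuilder` and `saveForm` in the same hunk: `$this->authorize('viewAny', Form::class);` followed by `$forms = Form::all();`. The added `use Illuminate\Support\Facades\Auth;` is not referenced by any line in the hunk and, if it is unused in the rest of the file too, can be dropped.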
@@ -18,7 +18,7 @@ class HomeController extends Controller // TODO: Relationships for Applications, Users and Responses // Also prevent apps if user already has one in the space of 30d // Display apps in the relevant menus - + $positions = DB::table('vacancies') ->where('vacancyStatus', 'OPEN') ->where('vacancyCount', '!=', 0) diff --git a/app/Http/Controllers/ProfileController.php b/app/Http/Controllers/ProfileController.php index 4d5f4af..7a35d1c 100644 --- a/app/Http/Controllers/ProfileController.php +++ b/app/Http/Controllers/ProfileController.php @@ -14,6 +14,14 @@ use Spatie\Permission\Models\Role; class ProfileController extends Controller { + + public function index() + { + + return view('dashboard.user.directory') + ->with('users', User::with('profile', 'bans')->paginate(9)); + } + public function showProfile() { diff --git a/app/Http/Controllers/UserController.php b/app/Http/Controllers/UserController.php index 6f6d0df..2cb19e9 100644 --- a/app/Http/Controllers/UserController.php +++ b/app/Http/Controllers/UserController.php 
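Review bot: The new `ProfileController::index()` performs no authorization: `User::with('profile', 'bans')->paginate(9)` runs for any authenticated user, and the only gate is the `Auth::user()->can('profiles.view.others')` test inside the Blade view, which hides the markup but does not protect the endpoint or the query. Every other controller touched by this commit puts the decision in the controller, so add `abort_unless(auth()->user()->can('profiles.view.others'), 403);` (or an `authorize()` call against the profile policy) before the query. The `users/directory` route added in the final `routes/web.php` hunk is likewise only behind `auth`/`forcelogout` and could carry `->middleware('can:profiles.view.others')` so the same permission is enforced before the controller runs; the `@if` in `directory.blade.php` then remains as a defensive message only.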
@@ -24,50 +24,48 @@ use Spatie\Permission\Models\Role; class UserController extends Controller { + public function showStaffMembers() { + $this->authorize('viewStaff', User::class); $staffRoles = [ 'reviewer', 'hiringManager', 'admin' ]; // TODO: Un-hardcode this, move to config/roles.php + $users = User::with('roles')->get(); + $staffMembers = collect([]); - if (Auth::user()->can('admin.stafflist')) + foreach($users as $user) { - $users = User::with('roles')->get(); - $staffMembers = collect([]); - - foreach($users as $user) + if (empty($user->roles)) { - if (empty($user->roles)) - { - Log::debug($user->role->name); - Log::debug('Staff list: User without role detected; Ignoring'); - continue; - } - - foreach($user->roles as $role) - { - if (in_array($role->name, $staffRoles)) - { - $staffMembers->push($user); - continue 2; // Skip directly to the next user instead of comparing more roles for the current user - } - } + Log::debug($user->role->name); + Log::debug('Staff list: User without role detected; Ignoring'); + continue; } - return view('dashboard.administration.staff-members') - ->with([ - 'users' => $staffMembers - ]); + foreach($user->roles as $role) + { + if (in_array($role->name, $staffRoles)) + { + $staffMembers->push($user); + continue 2; // Skip directly to the next user instead of comparing more roles for the current user + } + } } - abort(403, 'Forbidden'); + return view('dashboard.administration.staff-members') + ->with([ + 'users' => $staffMembers + ]); } public function showPlayers() { + $this->authorize('viewPlayers', User::class); + $users = User::with('roles')->get(); $players = collect([]); 
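Review bot: `$this->authorize('viewStaff', User::class)` and `$this->authorize('viewPlayers', User::class)` replace the previous `admin.stafflist` / `admin.userlist` permission checks, but `app/Policies/UserPolicy.php` is not part of this patch; unless those two methods already exist there, the Gate denies every caller and both pages become unreachable. Please confirm the abilities exist in `UserPolicy` with model-less signatures (a class-string is passed, so the Gate calls them with the user only), or add them in this change. The same applies to the later `terminate` hunk, which now passes `User::class` where `Auth::user()` was passed before, so `UserPolicy::terminate` must not require a second argument.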
@@ -80,23 +78,19 @@ class UserController extends Controller } } - if (Auth::user()->can('admin.userlist')) - { - return view('dashboard.administration.players') - ->with([ - 'users' => $players, - 'bannedUserCount' => Ban::all()->count() - ]); - } - - abort(403, 'Forbidden'); + return view('dashboard.administration.players') + ->with([ + 'users' => $players, + 'bannedUserCount' => Ban::all()->count() + ]); } public function showPlayersLike(SearchPlayerRequest $request) { - $searchTerm = $request->searchTerm; + $this->authorize('viewPlayers', User::class); + $searchTerm = $request->searchTerm; $matchingUsers = User::query() ->where('name', 'LIKE', "%{$searchTerm}%") ->orWhere('email', 'LIKE', "%{$searchTerm}%") @@ -250,7 +244,7 @@ class UserController extends Controller public function terminate(Request $request, User $user) { - $this->authorize('terminate', Auth::user()); + $this->authorize('terminate', User::class); if (!$user->isStaffMember() || $user->is(Auth::user())) { diff --git a/app/Http/Controllers/VacancyController.php b/app/Http/Controllers/VacancyController.php index 0e11f3a..1b6bafd 100644 --- a/app/Http/Controllers/VacancyController.php +++ b/app/Http/Controllers/VacancyController.php @@ -10,11 +10,13 @@ use App\Form; use App\Notifications\VacancyClosed; use Illuminate\Http\Request; use Illuminate\Support\Str; +use Illuminate\Support\Facades\Auth; class VacancyController extends Controller { public function index() { + $this->authorize('viewAny', Vacancy::class); return view('dashboard.administration.positions') ->with([ 'forms' => Form::all(), @@ -24,6 +26,7 @@ class VacancyController extends Controller public function store(VacancyRequest $request) { + $this->authorize('create', Vacancy::class); $form = Form::find($request->vacancyFormID); if (!is_null($form)) 
@@ -53,7 +56,9 @@ class VacancyController extends Controller public function updatePositionAvailability(Request $request, $status, $id) { + $vacancy = Vacancy::find($id); + $this->authorize('update', $vacancy); if (!is_null($vacancy)) { diff --git a/app/Http/Controllers/VoteController.php b/app/Http/Controllers/VoteController.php index 56fcb6d..31b8acd 100644 --- a/app/Http/Controllers/VoteController.php +++ b/app/Http/Controllers/VoteController.php @@ -16,6 +16,7 @@ class VoteController extends Controller public function vote(VoteRequest $voteRequest, $applicationID) { $application = Application::find($applicationID); + $this->authorize('create', Vote::class); if (!is_null($application)) { diff --git a/app/Policies/ApplicationPolicy.php b/app/Policies/ApplicationPolicy.php index 267c8c8..8a771ea 100644 --- a/app/Policies/ApplicationPolicy.php +++ b/app/Policies/ApplicationPolicy.php @@ -21,6 +21,16 @@ class ApplicationPolicy // } + public function viewAny(User $user) + { + if ($user->can('applications.view.all')) + { + return Response::allow(); + } + + return Response::deny('Forbidden'); + } + public function view(User $user, Application $application) { if ($user->is($application->user) && $user->can('applications.view.own') || $user->can('applications.view.all')) @@ -30,4 +40,9 @@ class ApplicationPolicy return Response::deny('You are not authorised to view this application'); } + + public function update(User $user) + { + return $user->hasAnyRole('admin', 'hiringManager'); + } } diff --git a/app/Policies/AppointmentPolicy.php b/app/Policies/AppointmentPolicy.php new file mode 100644 index 0000000..fc5636b --- /dev/null +++ b/app/Policies/AppointmentPolicy.php 
@@ -0,0 +1,94 @@ +can('appointments.schedule'); + } + + /** + * Determine whether the user can update the model. + * + * @param \App\User $user + * @param \App\Appointment $appointment + * @return mixed + */ + public function update(User $user, Appointment $appointment) + { + return $user->can('appointments.schedule.edit'); + } + + /** + * Determine whether the user can delete the model. + * + * @param \App\User $user + * @param \App\Appointment $appointment + * @return mixed + */ + public function delete(User $user, Appointment $appointment) + { + // + } + + /** + * Determine whether the user can restore the model. + * + * @param \App\User $user + * @param \App\Appointment $appointment + * @return mixed + */ + public function restore(User $user, Appointment $appointment) + { + // + } + + /** + * Determine whether the user can permanently delete the model. + * + * @param \App\User $user + * @param \App\Appointment $appointment + * @return mixed + */ + public function forceDelete(User $user, Appointment $appointment) + { + // + } +} diff --git a/app/Policies/BanPolicy.php b/app/Policies/BanPolicy.php new file mode 100644 index 0000000..d93adab --- /dev/null +++ b/app/Policies/BanPolicy.php @@ -0,0 +1,94 @@ +hasRole('admin'); + } + + /** + * Determine whether the user can restore the model. + * + * @param \App\User $user + * @param \App\Ban $ban + * @return mixed + */ + public function restore(User $user, Ban $ban) + { + // + } + + /** + * Determine whether the user can permanently delete the model. + * + * @param \App\User $user + * @param \App\Ban $ban + * @return mixed + */ + public function forceDelete(User $user, Ban $ban) + { + // + } +} diff --git a/app/Policies/CommentPolicy.php b/app/Policies/CommentPolicy.php new file mode 100644 index 0000000..477b445 --- /dev/null +++ b/app/Policies/CommentPolicy.php 
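Review bot: `delete`, `restore` and `forceDelete` have empty `//` bodies and so return `null`, which the Gate treats as "undecided" rather than a deny: a `null` policy result can still be flipped by a Gate `after` callback, whereas `false` cannot. Spell the intent out with `return false;` in each stub (or `Response::deny('...')` if a message is wanted), so the unimplemented abilities are explicit denials. The same empty stubs are in `BanPolicy`, `CommentPolicy`, `FormPolicy`, `VacancyPolicy` and `VotePolicy` below; the head of this file (namespace, imports and the first methods) is not visible in this rendering of the hunk.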
@@ -0,0 +1,99 @@ +isStaffMember(); + } + + /** + * Determine whether the user can update the model. + * + * @param \App\User $user + * @param \App\Comment $comment + * @return mixed + */ + public function update(User $user, Comment $comment) + { + // + } + + /** + * Determine whether the user can delete the model. + * + * @param \App\User $user + * @param \App\Comment $comment + * @return mixed + */ + public function delete(User $user, Comment $comment) + { + if ($user->is($comment->user) || $user->hasRole('admin')) + { + return true; + } + + return false; + } + + /** + * Determine whether the user can restore the model. + * + * @param \App\User $user + * @param \App\Comment $comment + * @return mixed + */ + public function restore(User $user, Comment $comment) + { + // + } + + /** + * Determine whether the user can permanently delete the model. + * + * @param \App\User $user + * @param \App\Comment $comment + * @return mixed + */ + public function forceDelete(User $user, Comment $comment) + { + // + } +} diff --git a/app/Policies/FormPolicy.php b/app/Policies/FormPolicy.php new file mode 100644 index 0000000..eb7b90f --- /dev/null +++ b/app/Policies/FormPolicy.php 
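Review bot: `CommentPolicy::delete` wraps a boolean expression in `if (...) { return true; } return false;`; it reads more directly as `return $user->is($comment->user) || $user->hasRole('admin');`, which is also the form the other policies in this patch use. `update` is an empty stub returning `null`, i.e. an implicit deny, and would be clearer as `return false;`. The head of the file is cut off in this rendering, so the `create` signature and the class imports could not be checked.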
@@ -0,0 +1,98 @@ +can('admin.hiring.forms'); + } + + /** + * Determine whether the user can view the model. + * + * @param \App\User $user + * @param \App\Form $form + * @return mixed + */ + public function view(User $user, Form $form) + { + return $user->can('admin.hiring.forms'); + } + + public function viewFormbuilder(User $user) + { + return $user->can('admin.hiring.formbuilder'); + } + /** + * Determine whether the user can create models. + * + * @param \App\User $user + * @return mixed + */ + public function create(User $user) + { + return $this->user->can('admin.hiring.forms'); + } + + /** + * Determine whether the user can update the model. + * + * @param \App\User $user + * @param \App\Form $form + * @return mixed + */ + public function update(User $user, Form $form) + { + // unused + } + + /** + * Determine whether the user can delete the model. + * + * @param \App\User $user + * @param \App\Form $form + * @return mixed + */ + public function delete(User $user, Form $form) + { + return $this->user->can('admin.hiring.forms'); + } + + /** + * Determine whether the user can restore the model. + * + * @param \App\User $user + * @param \App\Form $form + * @return mixed + */ + public function restore(User $user, Form $form) + { + // + } + + /** + * Determine whether the user can permanently delete the model. + * + * @param \App\User $user + * @param \App\Form $form + * @return mixed + */ + public function forceDelete(User $user, Form $form) + { + // + } +} diff --git a/app/Policies/VacancyPolicy.php b/app/Policies/VacancyPolicy.php new file mode 100644 index 0000000..12c0b45 --- /dev/null +++ b/app/Policies/VacancyPolicy.php 
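Review bot: `create` and `delete` call `$this->user->can('admin.hiring.forms')`, but a policy has no `$user` property — the acting user is the `$user` parameter — so both methods raise an `Error` (call to `can()` on null) instead of returning a decision, and `FormController::saveForm` and `FormController::delete` fail with a 500 for everyone. Change both to `return $user->can('admin.hiring.forms');`, matching `viewAny` and `view` above them. `viewFormbuilder` also lacks the docblock the other methods carry and the blank line before the next docblock; the head of the file is cut off in this rendering.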
@@ -0,0 +1,94 @@ +hasAnyRole('admin', 'hiringManager'); + } + + /** + * Determine whether the user can view the model. + * + * @param \App\User $user + * @param \App\Vacancy $vacancy + * @return mixed + */ + public function view(User $user, Vacancy $vacancy) + { + // unused + } + + /** + * Determine whether the user can create models. + * + * @param \App\User $user + * @return mixed + */ + public function create(User $user) + { + return $user->hasAnyRole('admin', 'hiringManager'); + } + + /** + * Determine whether the user can update the model. + * + * @param \App\User $user + * @param \App\Vacancy $vacancy + * @return mixed + */ + public function update(User $user, Vacancy $vacancy) + { + return $user->hasRole('admin', 'hiringManager'); + } + + /** + * Determine whether the user can delete the model. + * + * @param \App\User $user + * @param \App\Vacancy $vacancy + * @return mixed + */ + public function delete(User $user, Vacancy $vacancy) + { + // + } + + /** + * Determine whether the user can restore the model. + * + * @param \App\User $user + * @param \App\Vacancy $vacancy + * @return mixed + */ + public function restore(User $user, Vacancy $vacancy) + { + // + } + + /** + * Determine whether the user can permanently delete the model. + * + * @param \App\User $user + * @param \App\Vacancy $vacancy + * @return mixed + */ + public function forceDelete(User $user, Vacancy $vacancy) + { + // + } +} diff --git a/app/Policies/VotePolicy.php b/app/Policies/VotePolicy.php new file mode 100644 index 0000000..9337aa4 --- /dev/null +++ b/app/Policies/VotePolicy.php 
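Review bot: `update` calls `$user->hasRole('admin', 'hiringManager')`, but in spatie/laravel-permission (which the `hasAnyRole` calls elsewhere in this file suggest is in use) the second argument of `hasRole()` is the guard name, not another role, so this looks for `admin` under a guard named `hiringManager` and does not match either role as intended. `viewAny` and `create` in the same file already use the right call; make `update` consistent: `return $user->hasAnyRole('admin', 'hiringManager');`. `view` is an empty stub returning `null` and would be clearer as an explicit `return false;`.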
@@ -0,0 +1,94 @@ +can('applications.vote'); + } + + /** + * Determine whether the user can update the model. + * + * @param \App\User $user + * @param \App\Vote $vote + * @return mixed + */ + public function update(User $user, Vote $vote) + { + // + } + + /** + * Determine whether the user can delete the model. + * + * @param \App\User $user + * @param \App\Vote $vote + * @return mixed + */ + public function delete(User $user, Vote $vote) + { + // + } + + /** + * Determine whether the user can restore the model. + * + * @param \App\User $user + * @param \App\Vote $vote + * @return mixed + */ + public function restore(User $user, Vote $vote) + { + // + } + + /** + * Determine whether the user can permanently delete the model. + * + * @param \App\User $user + * @param \App\Vote $vote + * @return mixed + */ + public function forceDelete(User $user, Vote $vote) + { + // + } +} diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php index 1479cf6..7d3a4b8 100644 --- a/app/Providers/AuthServiceProvider.php +++ b/app/Providers/AuthServiceProvider.php @@ -2,10 +2,22 @@ namespace App\Providers; +use App\Http\Controllers\BanController; +use App\Http\Controllers\VoteController; use App\Http\Controllers\ProfileController; +use App\Http\Controllers\AppointmentController; use App\Policies\ProfilePolicy; +use App\Policies\VacancyPolicy; use App\Policies\UserPolicy; +use App\Policies\FormPolicy; +use App\Policies\ApplicationPolicy; use App\User; +use App\Form; +use App\Vote; +use App\Vacancy; +use App\Application; +use App\Appointment; +use App\Ban; use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider; use Illuminate\Support\Facades\Gate; 
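Review bot: The `use` block in `AuthServiceProvider` imports `BanController`, `VoteController` and `AppointmentController` rather than `BanPolicy`, `VotePolicy` and `AppointmentPolicy`, and the `$policies` array in the next hunk maps `Vote::class`, `Ban::class` and `Appointment::class` to those controllers; the Gate then looks for `create`/`update`/`delete` on a controller, finds nothing callable, and denies every vote, ban removal and appointment action. The mapping should read `Vote::class => VotePolicy::class,`, `Ban::class => BanPolicy::class,`, `Appointment::class => AppointmentPolicy::class` with the three policy classes imported in place of the controllers. `Profile::class` is also used in that array without a `use App\Profile;` line in this hunk, so unless it is imported elsewhere in the file it resolves to `App\Providers\Profile` and `ProfilePolicy` is never matched. `Comment::class` is not mapped at all and relies on policy auto-discovery, which works on Laravel 5.8 and later but deserves a one-line comment next to the array.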
@@ -18,9 +30,15 @@ class AuthServiceProvider extends ServiceProvider */ protected $policies = [ // 'App\Model' => 'App\Policies\ModelPolicy', - 'App\Application' => 'App\Policies\ApplicationPolicy', - ProfileController::class => ProfilePolicy::class, - User::class => UserPolicy::class + Application::class => ApplicationPolicy::class, + Profile::class => ProfilePolicy::class, + User::class => UserPolicy::class, + Vacancy::class => VacancyPolicy::class, + //Form::class => FormPolicy::class + 'App\Form' => 'App\Policies\FormPolicy', + Vote::class => VoteController::class, + Ban::class => BanController::class, + Appointment::class => AppointmentController::class ]; /** @@ -31,7 +49,6 @@ class AuthServiceProvider extends ServiceProvider public function boot() { $this->registerPolicies(); - // } } diff --git a/config/adminlte.php b/config/adminlte.php index ad07b8e..decfdab 100644 --- a/config/adminlte.php +++ b/config/adminlte.php @@ -213,6 +213,12 @@ return [ 'icon' => 'fas fa-home', 'url' => 'dashboard' ], + [ + 'text' => 'Directory', + 'icon' => 'fas fa-users', + 'url' => 'users/directory', + 'can' => 'profiles.view.others' + ], [ 'header' => 'Applications', 'can' => 'applications.view.own' diff --git a/public/css/directory.css b/public/css/directory.css new file mode 100644 index 0000000..1fb7561 --- /dev/null +++ b/public/css/directory.css @@ -0,0 +1,3 @@ +.links nav { + display: inline-block; +} diff --git a/resources/views/dashboard/administration/players.blade.php b/resources/views/dashboard/administration/players.blade.php index 2b01e01..10de156 100644 --- a/resources/views/dashboard/administration/players.blade.php +++ b/resources/views/dashboard/administration/players.blade.php @@ -63,7 +63,7 @@ I
@csrf
- + - @endforeach - + diff --git a/resources/views/dashboard/user/directory.blade.php b/resources/views/dashboard/user/directory.blade.php new file mode 100644 index 0000000..4c1f795 --- /dev/null +++ b/resources/views/dashboard/user/directory.blade.php @@ -0,0 +1,107 @@ +@extends('adminlte::page') + +@section('title', 'Raspberry Network | User Directory') + +@section('content_header') + +

Users / Directory

+ +@stop + +@section('js') + + +@stop + +@section('css') + + + +@stop + + +@section('content') + + @if (Auth::user()->can('profiles.view.others')) + + +
+ + @foreach ($users as $user) +
+ +
+
+

{{ $user->name }}

+
{{ $user->profile->profileShortBio }}
+
+
+ @if($user->profile->avatarPreference == 'gravatar') + User profile picture + @else + User profile picture + @endif +
+ +
+ +
+ @endforeach + +
+ +
+ +
+ +
+ +
+ + + +
+ +
+ +
+ +
+ + @else +
+ +

+ You do not have permission to view this page. +

+ +
+ @endif + +@stop diff --git a/resources/views/dashboard/user/profile/displayprofile.blade.php b/resources/views/dashboard/user/profile/displayprofile.blade.php index c26e16d..cac85c2 100644 --- a/resources/views/dashboard/user/profile/displayprofile.blade.php +++ b/resources/views/dashboard/user/profile/displayprofile.blade.php @@ -4,7 +4,7 @@ @section('content_header') -
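Review bot: `{{ $user->profile->profileShortBio }}` and `$user->profile->avatarPreference` dereference `profile` without a null check, so if any user row has no profile record the whole directory page throws instead of rendering; `optional($user->profile)->profileShortBio` and `optional($user->profile)->avatarPreference` keep the loop alive for such users. Much of the markup in this hunk appears stripped in this rendering, so only the Blade expressions could be reviewed.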

Profile

+

Users / Profile / {{ $profile->user->name }}

@stop diff --git a/routes/web.php b/routes/web.php index 1ba72ab..4494cea 100644 --- a/routes/web.php +++ b/routes/web.php @@ -31,6 +31,9 @@ Route::group(['middleware' => ['auth', 'forcelogout']], function(){ ->name('dashboard') ->middleware('eligibility'); + Route::get('users/directory', 'ProfileController@index') + ->name('directory'); + Route::group(['prefix' => '/applications'], function (){ Route::get('/my-applications', 'ApplicationController@showUserApps')