miguel456/rbrecruiter
1
0
Fork 1
Code Issues Pull Requests 1 Projects Releases 2 Wiki Activity

Add user directory & isolate authorisation

Browse Source
This commit is contained in:
Miguel Nogueira
2020-06-27 19:15:33 +01:00
parent 71efdf93d8
commit 33c16fcf46
25 changed files with 812 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/Http/Controllers/ApplicationController.php
View File

@@ -80,6 +80,8 @@ class ApplicationController extends Controller
public function showAllPendingApps()
{
$this->authorize('viewAny', Application::class);
return view('dashboard.appmanagement.outstandingapps')
->with('applications', Application::where('applicationStatus', 'STAGE_SUBMITTED')->get());
}
@@ -90,6 +92,7 @@ class ApplicationController extends Controller
public function showPendingInterview()
{
$this->authorize('viewAny', Application::class);
$applications = Application::with('appointment', 'user')->get();
$count = 0;
@@ -131,6 +134,7 @@ class ApplicationController extends Controller
public function showPeerReview()
{
$this->authorize('viewAny', Application::class);
return view('dashboard.appmanagement.peerreview')
->with('applications', Application::where('applicationStatus', 'STAGE_PEERAPPROVAL')->get());
@@ -246,6 +250,7 @@ class ApplicationController extends Controller
public function updateApplicationStatus(Request $request, $applicationID, $newStatus)
{
$application = Application::find($applicationID);
$this->authorize('update', Application::class);
if (!is_null($application))
{

7
app/Http/Controllers/AppointmentController.php
View File

@@ -28,6 +28,8 @@ class AppointmentController extends Controller
{
// Unrelated TODO: change if's in application page to a switch statement, & have the row encompass it
$this->authorize('create', Appointment::class);
$app = Application::find($applicationID);
if (!is_null($app))
@@ -49,7 +51,7 @@ class AppointmentController extends Controller
'datetime' => $appointmentDate->toDateTimeString(),
'scheduled' => now()
]);
$app->user->notify(new AppointmentScheduled($appointment));
$request->session()->flash('success', 'Appointment successfully scheduled @ ' . $appointmentDate->toDateTimeString());
@@ -64,6 +66,9 @@ class AppointmentController extends Controller
public function updateAppointment(Request $request, $applicationID, $status)
{
$this->authorize('update', Appointment::class);
$application = Application::find($applicationID);
$validStatuses = [
'SCHEDULED',

3
app/Http/Controllers/BanController.php
View File

@@ -76,6 +76,9 @@ class BanController extends Controller
public function delete(Request $request, User $user)
{
$this->authorize('delete', $user->bans);
if (!is_null($user->bans))
{
$user->bans->delete();

13
app/Http/Controllers/CommentController.php
View File

@@ -21,8 +21,8 @@ class CommentController extends Controller
public function insert(NewCommentRequest $request, Application $application)
{
// Type hinting makes laravel automatically validate everything
$this->authorize('create', Comment::class);
$comment = Comment::create([
'authorID' => Auth::user()->id,
'applicationID' => $application->id,
@@ -53,13 +53,10 @@ class CommentController extends Controller
public function delete(Request $request, Comment $comment)
{
if (Auth::user()->is($comment->user) || Auth::user()->hasRole('admin'))
{
$comment->delete();
$request->session()->flash('success', 'Comment deleted!');
}
$this->authorize('delete', $comment);
$request->session()->flash('error', 'You do not have permission to delete this comment!');
$comment->delete();
$request->session()->flash('success', 'Comment deleted!');
return redirect()->back();

10
app/Http/Controllers/FormController.php
View File

@@ -5,24 +5,31 @@ namespace App\Http\Controllers;
use App\Form;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Validator;
use Illuminate\Support\Facades\Auth;
class FormController extends Controller
{
public function index()
{
$forms = Form::all();
$this->authorize('viewAny', Form::class);
return view('dashboard.administration.forms')
->with('forms', Form::all());
->with('forms', $forms);
}
public function showFormBuilder()
{
$this->authorize('viewFormbuilder', Form::class);
return view('dashboard.administration.formbuilder');
}
public function saveForm(Request $request)
{
$this->authorize('create', Form::class);
$formFields = $request->all();
$formStructure = [];
@@ -72,6 +79,7 @@ class FormController extends Controller
{
$form = Form::find($id);
$this->authorize('delete', $form);
// TODO: Check if form is linked to vacancies before allowing deletion
if (!is_null($form))

2
app/Http/Controllers/HomeController.php
View File

@@ -18,7 +18,7 @@ class HomeController extends Controller
// TODO: Relationships for Applications, Users and Responses
// Also prevent apps if user already has one in the space of 30d
// Display apps in the relevant menus
$positions = DB::table('vacancies')
->where('vacancyStatus', 'OPEN')
->where('vacancyCount', '!=', 0)

8
app/Http/Controllers/ProfileController.php
View File

@@ -14,6 +14,14 @@ use Spatie\Permission\Models\Role;
class ProfileController extends Controller
{
public function index()
{
return view('dashboard.user.directory')
->with('users', User::with('profile', 'bans')->paginate(9));
}
public function showProfile()
{

68
app/Http/Controllers/UserController.php
View File

@@ -24,50 +24,48 @@ use Spatie\Permission\Models\Role;
class UserController extends Controller
{
public function showStaffMembers()
{
$this->authorize('viewStaff', User::class);
$staffRoles = [
'reviewer',
'hiringManager',
'admin'
]; // TODO: Un-hardcode this, move to config/roles.php
$users = User::with('roles')->get();
$staffMembers = collect([]);
if (Auth::user()->can('admin.stafflist'))
foreach($users as $user)
{
$users = User::with('roles')->get();
$staffMembers = collect([]);
foreach($users as $user)
if (empty($user->roles))
{
if (empty($user->roles))
{
Log::debug($user->role->name);
Log::debug('Staff list: User without role detected; Ignoring');
continue;
}
foreach($user->roles as $role)
{
if (in_array($role->name, $staffRoles))
{
$staffMembers->push($user);
continue 2; // Skip directly to the next user instead of comparing more roles for the current user
}
}
Log::debug($user->role->name);
Log::debug('Staff list: User without role detected; Ignoring');
continue;
}
return view('dashboard.administration.staff-members')
->with([
'users' => $staffMembers
]);
foreach($user->roles as $role)
{
if (in_array($role->name, $staffRoles))
{
$staffMembers->push($user);
continue 2; // Skip directly to the next user instead of comparing more roles for the current user
}
}
}
abort(403, 'Forbidden');
return view('dashboard.administration.staff-members')
->with([
'users' => $staffMembers
]);
}
public function showPlayers()
{
$this->authorize('viewPlayers', User::class);
$users = User::with('roles')->get();
$players = collect([]);
@@ -80,23 +78,19 @@ class UserController extends Controller
}
}
if (Auth::user()->can('admin.userlist'))
{
return view('dashboard.administration.players')
->with([
'users' => $players,
'bannedUserCount' => Ban::all()->count()
]);
}
abort(403, 'Forbidden');
return view('dashboard.administration.players')
->with([
'users' => $players,
'bannedUserCount' => Ban::all()->count()
]);
}
public function showPlayersLike(SearchPlayerRequest $request)
{
$searchTerm = $request->searchTerm;
$this->authorize('viewPlayers', User::class);
$searchTerm = $request->searchTerm;
$matchingUsers = User::query()
->where('name', 'LIKE', "%{$searchTerm}%")
->orWhere('email', 'LIKE', "%{$searchTerm}%")
@@ -250,7 +244,7 @@ class UserController extends Controller
public function terminate(Request $request, User $user)
{
$this->authorize('terminate', Auth::user());
$this->authorize('terminate', User::class);
if (!$user->isStaffMember() || $user->is(Auth::user()))
{

5
app/Http/Controllers/VacancyController.php
View File

@@ -10,11 +10,13 @@ use App\Form;
use App\Notifications\VacancyClosed;
use Illuminate\Http\Request;
use Illuminate\Support\Str;
use Illuminate\Support\Facades\Auth;
class VacancyController extends Controller
{
public function index()
{
$this->authorize('viewAny', Vacancy::class);
return view('dashboard.administration.positions')
->with([
'forms' => Form::all(),
@@ -24,6 +26,7 @@ class VacancyController extends Controller
public function store(VacancyRequest $request)
{
$this->authorize('create', Vacancy::class);
$form = Form::find($request->vacancyFormID);
if (!is_null($form))
@@ -53,7 +56,9 @@ class VacancyController extends Controller
public function updatePositionAvailability(Request $request, $status, $id)
{
$vacancy = Vacancy::find($id);
$this->authorize('update', $vacancy);
if (!is_null($vacancy))
{

1
app/Http/Controllers/VoteController.php
View File

@@ -16,6 +16,7 @@ class VoteController extends Controller
public function vote(VoteRequest $voteRequest, $applicationID)
{
$application = Application::find($applicationID);
$this->authorize('create', Vote::class);
if (!is_null($application))
{

15
app/Policies/ApplicationPolicy.php
View File

@@ -21,6 +21,16 @@ class ApplicationPolicy
//
}
public function viewAny(User $user)
{
if ($user->can('applications.view.all'))
{
return Response::allow();
}
return Response::deny('Forbidden');
}
public function view(User $user, Application $application)
{
if ($user->is($application->user) && $user->can('applications.view.own') || $user->can('applications.view.all'))
@@ -30,4 +40,9 @@ class ApplicationPolicy
return Response::deny('You are not authorised to view this application');
}
public function update(User $user)
{
return $user->hasAnyRole('admin', 'hiringManager');
}
}

94
app/Policies/AppointmentPolicy.php Normal file
View File

@@ -0,0 +1,94 @@
<?php
namespace App\Policies;
use App\Appointment;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class AppointmentPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
//
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function view(User $user, Appointment $appointment)
{
//
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $user->can('appointments.schedule');
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function update(User $user, Appointment $appointment)
{
return $user->can('appointments.schedule.edit');
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function delete(User $user, Appointment $appointment)
{
//
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function restore(User $user, Appointment $appointment)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Appointment $appointment
* @return mixed
*/
public function forceDelete(User $user, Appointment $appointment)
{
//
}
}

94
app/Policies/BanPolicy.php Normal file
View File

@@ -0,0 +1,94 @@
<?php
namespace App\Policies;
use App\Ban;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class BanPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
//
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function view(User $user, Ban $ban)
{
//
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
//
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function update(User $user, Ban $ban)
{
//
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function delete(User $user, Ban $ban)
{
return $user->hasRole('admin');
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function restore(User $user, Ban $ban)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Ban $ban
* @return mixed
*/
public function forceDelete(User $user, Ban $ban)
{
//
}
}

99
app/Policies/CommentPolicy.php Normal file
View File

@@ -0,0 +1,99 @@
<?php
namespace App\Policies;
use App\Comment;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class CommentPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
//
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function view(User $user, Comment $comment)
{
//
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $user->isStaffMember();
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function update(User $user, Comment $comment)
{
//
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function delete(User $user, Comment $comment)
{
if ($user->is($comment->user) || $user->hasRole('admin'))
{
return true;
}
return false;
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function restore(User $user, Comment $comment)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Comment $comment
* @return mixed
*/
public function forceDelete(User $user, Comment $comment)
{
//
}
}

98
app/Policies/FormPolicy.php Normal file
View File

@@ -0,0 +1,98 @@
<?php
namespace App\Policies;
use App\Form;
use App\User;
use Illuminate\Auth\Access\HandlesAuthorization;
class FormPolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
return $user->can('admin.hiring.forms');
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function view(User $user, Form $form)
{
return $user->can('admin.hiring.forms');
}
public function viewFormbuilder(User $user)
{
return $user->can('admin.hiring.formbuilder');
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $this->user->can('admin.hiring.forms');
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function update(User $user, Form $form)
{
// unused
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function delete(User $user, Form $form)
{
return $this->user->can('admin.hiring.forms');
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function restore(User $user, Form $form)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Form $form
* @return mixed
*/
public function forceDelete(User $user, Form $form)
{
//
}
}

94
app/Policies/VacancyPolicy.php Normal file
View File

@@ -0,0 +1,94 @@
<?php
namespace App\Policies;
use App\User;
use App\Vacancy;
use Illuminate\Auth\Access\HandlesAuthorization;
class VacancyPolicy
{
use HandlesAuthorization;
// TODO: Switch to permissions (there are no specific permissions yet)
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
return $user->hasAnyRole('admin', 'hiringManager');
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function view(User $user, Vacancy $vacancy)
{
// unused
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $user->hasAnyRole('admin', 'hiringManager');
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function update(User $user, Vacancy $vacancy)
{
return $user->hasRole('admin', 'hiringManager');
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function delete(User $user, Vacancy $vacancy)
{
//
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function restore(User $user, Vacancy $vacancy)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Vacancy $vacancy
* @return mixed
*/
public function forceDelete(User $user, Vacancy $vacancy)
{
//
}
}

94
app/Policies/VotePolicy.php Normal file
View File

@@ -0,0 +1,94 @@
<?php
namespace App\Policies;
use App\User;
use App\Vote;
use Illuminate\Auth\Access\HandlesAuthorization;
class VotePolicy
{
use HandlesAuthorization;
/**
* Determine whether the user can view any models.
*
* @param \App\User $user
* @return mixed
*/
public function viewAny(User $user)
{
//
}
/**
* Determine whether the user can view the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function view(User $user, Vote $vote)
{
//
}
/**
* Determine whether the user can create models.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
return $user->can('applications.vote');
}
/**
* Determine whether the user can update the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function update(User $user, Vote $vote)
{
//
}
/**
* Determine whether the user can delete the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function delete(User $user, Vote $vote)
{
//
}
/**
* Determine whether the user can restore the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function restore(User $user, Vote $vote)
{
//
}
/**
* Determine whether the user can permanently delete the model.
*
* @param \App\User $user
* @param \App\Vote $vote
* @return mixed
*/
public function forceDelete(User $user, Vote $vote)
{
//
}
}

25
app/Providers/AuthServiceProvider.php
View File

@@ -2,10 +2,22 @@
namespace App\Providers;
use App\Http\Controllers\BanController;
use App\Http\Controllers\VoteController;
use App\Http\Controllers\ProfileController;
use App\Http\Controllers\AppointmentController;
use App\Policies\ProfilePolicy;
use App\Policies\VacancyPolicy;
use App\Policies\UserPolicy;
use App\Policies\FormPolicy;
use App\Policies\ApplicationPolicy;
use App\User;
use App\Form;
use App\Vote;
use App\Vacancy;
use App\Application;
use App\Appointment;
use App\Ban;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;
@@ -18,9 +30,15 @@ class AuthServiceProvider extends ServiceProvider
*/
protected $policies = [
// 'App\Model' => 'App\Policies\ModelPolicy',
'App\Application' => 'App\Policies\ApplicationPolicy',
ProfileController::class => ProfilePolicy::class,
User::class => UserPolicy::class
Application::class => ApplicationPolicy::class,
Profile::class => ProfilePolicy::class,
User::class => UserPolicy::class,
Vacancy::class => VacancyPolicy::class,
//Form::class => FormPolicy::class
'App\Form' => 'App\Policies\FormPolicy',
Vote::class => VoteController::class,
Ban::class => BanController::class,
Appointment::class => AppointmentController::class
];
/**
@@ -31,7 +49,6 @@ class AuthServiceProvider extends ServiceProvider
public function boot()
{
$this->registerPolicies();
//
}
}