From 27699aa99c473b897186f5fd1cc6684ef55bd593 Mon Sep 17 00:00:00 2001 From: Till Deeke Date: Fri, 13 Jul 2018 03:28:20 +0200 Subject: [PATCH] Adds permission checks for custom fields and custom fieldsets (#5645) (#5795) * adds permission checks to custom fields * adds permission checks to custom fieldsets * adds separate permissions for custom fieldsets * check for permissions in views * Removes custom fieldsets from permissions config * Proxy the authorization for custom fieldsets down to custom fields. This allows us to use the existing permissions in use and have more semantically correct authorization checks for custom fieldsets. * simplifies the authorization check for the custom fields overview * removes special handling of custom fieldsets in base policy I just realised that this code duplicates the logic from the custom fieldset policy. Since we are checking for the authorization of custom fields anyway, we can just use the columnName for the fields. * cleanup of unused imports --- .../Controllers/CustomFieldsController.php | 14 +++++++++++++ .../Controllers/CustomFieldsetsController.php | 10 ++++++++++ app/Policies/CustomFieldsetPolicy.php | 20 +++++++++++++++++++ app/Providers/AuthServiceProvider.php | 4 ++++ config/permissions.php | 4 +--- .../custom_fields/fieldsets/view.blade.php | 15 +++++++++++++- resources/views/custom_fields/index.blade.php | 19 ++++++++++++++---- resources/views/layouts/default.blade.php | 4 ++-- 8 files changed, 80 insertions(+), 10 deletions(-) create mode 100644 app/Policies/CustomFieldsetPolicy.php diff --git a/app/Http/Controllers/CustomFieldsController.php b/app/Http/Controllers/CustomFieldsController.php index 9b74c040d1..cd446d4a65 100644 --- a/app/Http/Controllers/CustomFieldsController.php +++ b/app/Http/Controllers/CustomFieldsController.php 
@@ -37,6 +37,7 @@ class CustomFieldsController extends Controller */ public function index() { + $this->authorize('view', CustomField::class); $fieldsets = CustomFieldset::with("fields", "models")->get(); $fields = CustomField::with("fieldset")->get();
@@ -57,6 +58,7 @@ class CustomFieldsController extends Controller */ public function create() { + $this->authorize('create', CustomField::class); return view("custom_fields.fields.edit")->with('field', new CustomField()); }
@@ -72,6 +74,8 @@ class CustomFieldsController extends Controller */ public function store(CustomFieldRequest $request) { + $this->authorize('create', CustomField::class); + $field = new CustomField([ "name" => $request->get("name"), "element" => $request->get("element"),
@@ -110,6 +114,8 @@ class CustomFieldsController extends Controller { $field = CustomField::find($field_id); + $this->authorize('update', $field); + if ($field->fieldset()->detach($fieldset_id)) { return redirect()->route('fieldsets.show', ['fieldset' => $fieldset_id])->with("success", trans('admin/custom_fields/message.field.delete.success')); }
@@ -128,6 +134,8 @@ class CustomFieldsController extends Controller { $field = CustomField::find($field_id); + $this->authorize('delete', $field); + if ($field->fieldset->count()>0) { return redirect()->back()->withErrors(['message' => "Field is in-use"]); } else {
@@ -149,6 +157,9 @@ class CustomFieldsController extends Controller public function edit($id) { $field = CustomField::find($id); + + $this->authorize('update', $field); + return view("custom_fields.fields.edit")->with('field', $field); }
@@ -166,6 +177,9 @@ class CustomFieldsController extends Controller public function update(CustomFieldRequest $request, $id) { $field = CustomField::find($id); + + $this->authorize('update', $field); + $field->name = e($request->get("name")); $field->element = e($request->get("element")); $field->field_values = e($request->get("field_values"));
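Review bot: In the -110 hunk `$this->authorize('update', $field)` is called on the result of `CustomField::find($field_id)`, which is null when the id does not exist; a null argument cannot be mapped to CustomFieldPolicy, so as far as I can tell the decision falls through to the gate's fallbacks (any `Gate::before` shortcut, otherwise deny) instead of the model policy, and a caller allowed through still reaches the pre-existing null dereference in `$field->fieldset()` on the next line. Fetching with `$field = CustomField::findOrFail($field_id);` turns an unknown id into a 404 before the authorization check and removes the null path entirely. The -128, -149 and -166 hunks have the same shape and take the same one-line change. Each of these method bodies continues outside its hunk.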
diff --git a/app/Http/Controllers/CustomFieldsetsController.php b/app/Http/Controllers/CustomFieldsetsController.php
index 4ec4a90e70..fa46263487 100644
--- a/app/Http/Controllers/CustomFieldsetsController.php
+++ b/app/Http/Controllers/CustomFieldsetsController.php
@@ -38,6 +38,8 @@ class CustomFieldsetsController extends Controller { $cfset = CustomFieldset::with('fields')->where('id', '=', $id)->orderBy('id', 'ASC')->first(); + $this->authorize('view', $cfset); + if ($cfset) { $custom_fields_list = ["" => "Add New Field to Fieldset"] + CustomField::pluck("name", "id")->toArray();
@@ -68,6 +70,8 @@ class CustomFieldsetsController extends Controller */ public function create() { + $this->authorize('create', CustomFieldset::class); + return view("custom_fields.fieldsets.edit"); }
@@ -81,6 +85,8 @@ class CustomFieldsetsController extends Controller */ public function store(Request $request) { + $this->authorize('create', CustomFieldset::class); + $cfset = new CustomFieldset( [ "name" => e($request->get("name")),
@@ -141,6 +147,8 @@ class CustomFieldsetsController extends Controller { $fieldset = CustomFieldset::find($id); + $this->authorize('delete', $fieldset); + if ($fieldset) { $models = AssetModel::where("fieldset_id", "=", $id); if ($models->count() == 0) {
@@ -169,6 +177,8 @@ class CustomFieldsetsController extends Controller $set = CustomFieldset::find($id); + $this->authorize('update', $set); + foreach ($set->fields as $field) { if ($field->id == Input::get('field_id')) { return redirect()->route("fieldsets.show", [$id])->withInput()->withErrors(['field_id' => trans('admin/custom_fields/message.field.already_added')]);
diff --git a/app/Policies/CustomFieldsetPolicy.php b/app/Policies/CustomFieldsetPolicy.php
new file mode 100644
index 0000000000..ca7bd4bb30
--- /dev/null
+++ b/app/Policies/CustomFieldsetPolicy.php
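Review bot: In the -38 hunk the new `$this->authorize('view', $cfset)` runs before the existing `if ($cfset)` guard, so for an unknown fieldset id the policy check receives null instead of a CustomFieldset and the not-found branch below it is never reached; either move the call inside the `if ($cfset) {` branch or change the query to end in `->firstOrFail()` so a missing record is a 404 before authorization. The -141 hunk has the same ordering (`authorize('delete', $fieldset)` ahead of `if ($fieldset)`), and the -169 hunk authorizes on `CustomFieldset::find($id)` with no guard at all before `$set->fields` is read; `findOrFail` fixes both. show()'s body continues outside the hunk.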
@@ -0,0 +1,20 @@ + ComponentPolicy::class, Consumable::class => ConsumablePolicy::class, CustomField::class => CustomFieldPolicy::class, + CustomFieldset::class => CustomFieldsetPolicy::class, Department::class => DepartmentPolicy::class, Depreciation::class => DepreciationPolicy::class, License::class => LicensePolicy::class, @@ -143,6 +146,7 @@ class AuthServiceProvider extends ServiceProvider || $user->can('view', Company::class) || $user->can('view', Manufacturer::class) || $user->can('view', CustomField::class) + || $user->can('view', CustomFieldset::class) || $user->can('view', Depreciation::class); }); } diff --git a/config/permissions.php b/config/permissions.php index cc51b955d8..0d432b8c95 100644 --- a/config/permissions.php +++ b/config/permissions.php @@ -415,9 +415,7 @@ return array( 'note' => '', 'display' => true, ), - ), - - + ), 'Suppliers' => array( array( diff --git a/resources/views/custom_fields/fieldsets/view.blade.php b/resources/views/custom_fields/fieldsets/view.blade.php index b4570718b1..e45ab2d8a4 100644 --- a/resources/views/custom_fields/fieldsets/view.blade.php +++ b/resources/views/custom_fields/fieldsets/view.blade.php @@ -25,7 +25,10 @@ name="fieldsets" id="sort" class="table table-responsive todo-list"> + {{-- Hide the sorting handle if we can't update the fieldset --}} + @can('update', $custom_fieldset) + @endcan {{ trans('admin/custom_fields/general.order') }} {{ trans('admin/custom_fields/general.field_name') }} {{ trans('admin/custom_fields/general.field_format') }} @@ -37,7 +40,9 @@ @foreach($custom_fieldset->fields as $field) - + + {{-- Hide the sorting handle if we can't update the fieldset --}} + @can('update', $custom_fieldset) @@ -45,6 +50,7 @@ + @endcan {{$field->pivot->order}} {{$field->name}} {{$field->format}} 
@@ -52,7 +58,9 @@ {{ $field->field_encrypted=='1' ? trans('general.yes') : trans('general.no') }} {{$field->pivot->required ? "REQUIRED" : "OPTIONAL"}} + @can('update', $custom_fieldset) Remove + @endcan @endforeach @@ -60,6 +68,7 @@ + @can('update', $custom_fieldset) {{ Form::open(['route' => ["fieldsets.associate",$custom_fieldset->id], 'class'=>'form-horizontal', @@ -70,6 +79,7 @@ {{ Form::select("field_id",$custom_fields_list,"",["onchange" => "$('#ordering').submit()"]) }} first('field_id'); ?> {{ Form::close() }} + @endcan @@ -82,6 +92,8 @@ @stop @section('moar_scripts') + @can('update', $custom_fieldset) + + @endcan @stop diff --git a/resources/views/custom_fields/index.blade.php b/resources/views/custom_fields/index.blade.php index a180acb2a0..3ecbc6635d 100644 --- a/resources/views/custom_fields/index.blade.php +++ b/resources/views/custom_fields/index.blade.php @@ -8,6 +8,7 @@ @section('content') +@can('view', \App\Models\CustomFieldset::class)
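Review bot: The `@can('update', $custom_fieldset)` wrappers added across the -25 to -82 hunks only hide the sort handle, the Remove link, the associate form and the reorder script; they are presentation, not enforcement. The associate form is backed by the `authorize('update', $set)` this commit adds to CustomFieldsetsController, but the route the hidden reorder script submits to is not in this diff, and the Remove link appears to target the CustomFieldsController action that authorizes `update` on the field rather than on the fieldset, so confirm both enforce the intended permission server-side. A short Blade comment at the first wrapper would make that division of responsibility clear to the next reader: `{{-- @can only hides controls; the fieldset/field controllers enforce the permission --}}`.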
@@ -15,7 +16,9 @@

{{ trans('admin/custom_fields/general.fieldsets') }}

+ @can('create', \App\Models\CustomFieldset::class) {{ trans('admin/custom_fields/general.create_fieldset') }} + @endcan
@@ -62,6 +65,7 @@ @endforeach + @can('delete', $fieldset) {{ Form::open(['route' => array('fieldsets.destroy', $fieldset->id), 'method' => 'delete']) }} @if($fieldset->models->count() > 0) @@ -69,6 +73,7 @@ @endif {{ Form::close() }} + @endcan @endforeach @@ -85,14 +90,17 @@

{{ trans('admin/custom_fields/general.about_fieldsets_text') }}

- +@endcan +@can('view', \App\Models\CustomField::class)

{{ trans('admin/custom_fields/general.custom_fields') }}

+ @can('create', \App\Models\CustomField::class) {{ trans('admin/custom_fields/general.create_field') }} + @endcan
@@ -147,17 +155,19 @@ @endforeach - {{ Form::open(array('route' => array('fields.destroy', $field->id), 'method' => 'delete')) }} + @can('update', $field) - - + @endcan + @can('delete', $field) + {{ Form::open(array('route' => array('fields.destroy', $field->id), 'method' => 'delete', 'style' => 'display:inline-block')) }} @if($field->fieldset->count()>0) @else @endif {{ Form::close() }} + @endcan @@ -169,6 +179,7 @@
+@endcan @stop @section('moar_scripts') diff --git a/resources/views/layouts/default.blade.php b/resources/views/layouts/default.blade.php index 93ff490258..78adec2d8b 100644 --- a/resources/views/layouts/default.blade.php +++ b/resources/views/layouts/default.blade.php @@ -534,13 +534,13 @@
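Review bot: The rewritten `Form::open(...)` line in the -147 hunk keeps the long `array(...)` syntax while the fieldsets destroy form earlier on the same page already uses the short syntax for its outer array; since the line is being touched anyway, `{{ Form::open(['route' => ['fields.destroy', $field->id], 'method' => 'delete', 'style' => 'display:inline-block']) }}` keeps the two consistent. The `@can('update', $field)` / `@can('delete', $field)` split matches the `update` and `delete` checks this commit adds to CustomFieldsController, which is what actually enforces access; the view gates only hide the buttons, so a comment such as `{{-- buttons are hidden here; CustomFieldsController::authorize() enforces --}}` above the first `@can` would stop a future reader from treating the Blade checks as the control.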