mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-10-01 05:36:00 +00:00
Tied entity restriction system into userCan checks
This commit is contained in:
parent
7f5872372d
commit
985d2f1c2c
@ -68,7 +68,7 @@ abstract class Controller extends BaseController
|
||||
protected function showPermissionError()
|
||||
{
|
||||
Session::flash('error', trans('errors.permission'));
|
||||
$response = request()->wantsJson() ? response()->json(['error' => trans('errors.permissionJson')], 403) : redirect('/', 403);
|
||||
$response = request()->wantsJson() ? response()->json(['error' => trans('errors.permissionJson')], 403) : redirect('/');
|
||||
throw new HttpResponseException($response);
|
||||
}
|
||||
|
||||
@ -93,10 +93,8 @@ abstract class Controller extends BaseController
|
||||
*/
|
||||
protected function checkOwnablePermission($permission, Ownable $ownable)
|
||||
{
|
||||
$permissionBaseName = strtolower($permission) . '-';
|
||||
if (userCan($permissionBaseName . 'all')) return true;
|
||||
if (userCan($permissionBaseName . 'own') && $ownable->createdBy->id === $this->currentUser->id) return true;
|
||||
$this->showPermissionError();
|
||||
if (userCan($permission, $ownable)) return true;
|
||||
return $this->showPermissionError();
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -1,5 +1,7 @@
|
||||
<?php namespace BookStack\Services;
|
||||
|
||||
use BookStack\Entity;
|
||||
|
||||
class RestrictionService
|
||||
{
|
||||
|
||||
@ -12,8 +14,24 @@ class RestrictionService
|
||||
*/
|
||||
public function __construct()
|
||||
{
|
||||
$this->userRoles = auth()->user()->roles->pluck('id');
|
||||
$this->isAdmin = auth()->user()->hasRole('admin');
|
||||
$user = auth()->user();
|
||||
$this->userRoles = $user ? auth()->user()->roles->pluck('id') : false;
|
||||
$this->isAdmin = $user ? auth()->user()->hasRole('admin') : false;
|
||||
}
|
||||
|
||||
public function checkIfEntityRestricted(Entity $entity, $action)
|
||||
{
|
||||
if ($this->isAdmin) return true;
|
||||
$this->currentAction = $action;
|
||||
$baseQuery = $entity->where('id', '=', $entity->id);
|
||||
if ($entity->isA('page')) {
|
||||
return $this->pageRestrictionQuery($baseQuery)->count() > 0;
|
||||
} elseif ($entity->isA('chapter')) {
|
||||
return $this->chapterRestrictionQuery($baseQuery)->count() > 0;
|
||||
} elseif ($entity->isA('book')) {
|
||||
return $this->bookRestrictionQuery($baseQuery)->count() > 0;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -43,8 +43,18 @@ function userCan($permission, \BookStack\Ownable $ownable = null)
|
||||
return auth()->user() && auth()->user()->can($permission);
|
||||
}
|
||||
|
||||
// Check permission on ownable item
|
||||
$permissionBaseName = strtolower($permission) . '-';
|
||||
if (userCan($permissionBaseName . 'all')) return true;
|
||||
if (userCan($permissionBaseName . 'own') && $ownable->createdBy->id === auth()->user()->id) return true;
|
||||
return false;
|
||||
$hasPermission = false;
|
||||
if (auth()->user()->can($permissionBaseName . 'all')) $hasPermission = true;
|
||||
if (auth()->user()->can($permissionBaseName . 'own') && $ownable->createdBy->id === auth()->user()->id) $hasPermission = true;
|
||||
|
||||
if(!$ownable instanceof \BookStack\Entity) return $hasPermission;
|
||||
|
||||
// Check restrictions on the entitiy
|
||||
$restrictionService = app('BookStack\Services\RestrictionService');
|
||||
$explodedPermission = explode('-', $permission);
|
||||
$action = end($explodedPermission);
|
||||
$hasAccess = $restrictionService->checkIfEntityRestricted($ownable, $action);
|
||||
return $hasAccess && $hasPermission;
|
||||
}
|
Loading…
Reference in New Issue
Block a user