shihaam/akaunting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed permissions

Browse Source
This commit is contained in:
Denis Duliçi 2021-01-29 21:38:10 +03:00
parent 62f1f4ce42
commit 26451e0ba8
2 changed files with 35 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/Http/Controllers/Api/Common/Companies.php
View File

@ -38,7 +38,7 @@ class Companies extends ApiController
{ {
try { try {
// Check if user can access company // Check if user can access company
$this->owner($company); $this->canAccess($company);
return $this->response->item($company, new Transformer()); return $this->response->item($company, new Transformer());
} catch (\Exception $e) { } catch (\Exception $e) {
@ -135,9 +135,9 @@ class Companies extends ApiController
* *
* @return \Dingo\Api\Http\Response * @return \Dingo\Api\Http\Response
*/ */
public function owner(Company $company) public function canAccess($company)
{ {
if ($this->isUserCompany($company->id)) { if (!empty($company) && $this->isUserCompany($company->id)) {
return new Response(''); return new Response('');
} }

35
app/Http/Controllers/Api/Common/Dashboards.php
View File

@ -9,9 +9,13 @@ use App\Jobs\Common\DeleteDashboard;
use App\Jobs\Common\UpdateDashboard; use App\Jobs\Common\UpdateDashboard;
use App\Models\Common\Dashboard; use App\Models\Common\Dashboard;
use App\Transformers\Common\Dashboard as Transformer; use App\Transformers\Common\Dashboard as Transformer;
use App\Traits\Users;
use Dingo\Api\Http\Response;
class Dashboards extends ApiController class Dashboards extends ApiController
{ {
use Users;
/** /**
* Display a listing of the resource. * Display a listing of the resource.
* *
@ -19,7 +23,7 @@ class Dashboards extends ApiController
*/ */
public function index() public function index()
{ {
$dashboards = Dashboard::with('widgets')->collect(); $dashboards = user()->dashboards()->with('widgets')->collect();
return $this->response->paginator($dashboards, new Transformer()); return $this->response->paginator($dashboards, new Transformer());
} }
@ -32,9 +36,16 @@ class Dashboards extends ApiController
*/ */
public function show($id) public function show($id)
{ {
$dashboard = Dashboard::with('widgets')->find($id); try {
$dashboard = Dashboard::with('widgets')->find($id);
return $this->response->item($dashboard, new Transformer()); // Check if user can access dashboard
$this->canAccess($dashboard);
return $this->response->item($dashboard, new Transformer());
} catch (\Exception $e) {
$this->response->errorUnauthorized($e->getMessage());
}
} }
/** /**
@ -118,4 +129,22 @@ class Dashboards extends ApiController
$this->response->errorUnauthorized($e->getMessage()); $this->response->errorUnauthorized($e->getMessage());
} }
} }
/**
* Check user dashboard assignment
*
* @param Dashboard $dashboard
*
* @return \Dingo\Api\Http\Response
*/
public function canAccess($dashboard)
{
if (!empty($dashboard) && $this->isUserDashboard($dashboard->id)) {
return new Response('');
}
$message = trans('dashboards.error.not_user_dashboard');
$this->response->errorUnauthorized($message);
}
} }