fixed profile permissions

2020-06-21 18:48:05 +03:00 · 2020-06-21 18:48:05 +03:00 · 6fb39b52b9
commit 6fb39b52b9
parent 3aaf14d3d5
3 changed files with 21 additions and 2 deletions
--- a/app/Http/Controllers/Auth/Users.php
+++ b/app/Http/Controllers/Auth/Users.php
@ -16,6 +16,17 @@ class Users extends Controller
 {
    use Uploads;

+    public function __construct()
+    {
+        $this->middleware('permission:create-auth-users')->only('create', 'store', 'duplicate', 'import');
+        $this->middleware('permission:read-auth-users')->only('index', 'show', 'export');
+        $this->middleware('permission:update-auth-users')->only('enable', 'disable');
+        $this->middleware('permission:delete-auth-users')->only('destroy');
+
+        $this->middleware('permission:read-auth-users|read-auth-profile')->only('edit');
+        $this->middleware('permission:update-auth-users|update-auth-profile')->only('update');
+    }
+
    /**
     * Display a listing of the resource.
     *
@ -101,6 +112,10 @@ class Users extends Controller
     */
    public function edit(User $user)
    {
+        if (user()->cannot('read-auth-users') && ($user->id != user()->id)) {
+            abort(403);
+        }
+
        $routes = [
            'dashboard' => trans_choice('general.dashboards', 1),
            'items.index' => trans_choice('general.items', 2),
@ -148,6 +163,10 @@ class Users extends Controller
     */
    public function update(User $user, Request $request)
    {
+        if (user()->cannot('update-auth-users') && ($user->id != user()->id)) {
+            abort(403);
+        }
+
        $response = $this->ajaxDispatch(new UpdateUser($user, $request));

        if ($response['success']) {
--- a/resources/views/auth/users/edit.blade.php
+++ b/resources/views/auth/users/edit.blade.php
@ -60,7 +60,7 @@
                </div>
            </div>

-            @permission('update-auth-users')
+            @permission(['update-auth-users', 'update-auth-profile'])
                <div class="card-footer">
                    <div class="row save-buttons">
                        {{ Form::saveButtons('users.index') }}
--- a/resources/views/partials/admin/navbar.blade.php
+++ b/resources/views/partials/admin/navbar.blade.php
@ -251,7 +251,7 @@

                        @stack('navbar_profile_edit')

-                        @permission('update-auth-users')
+                        @permission(['read-auth-users', 'read-auth-profile'])
                            <a href="{{ route('users.edit', $user->id) }}" class="dropdown-item">
                                <i class="fas fa-user"></i>
                                <span>{{ trans('auth.profile') }}</span>