From 6fb39b52b9cf2ff1052de8a69b6f6761cc3b2c7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Denis=20Duli=C3=A7i?=
Date: Sun, 21 Jun 2020 18:48:05 +0300
Subject: [PATCH] fixed profile permissions

---
 app/Http/Controllers/Auth/Users.php | 19 +++++++++++++++++++
 resources/views/auth/users/edit.blade.php | 2 +-
 .../views/partials/admin/navbar.blade.php | 2 +-
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/app/Http/Controllers/Auth/Users.php b/app/Http/Controllers/Auth/Users.php
index f68cb3603..df594b495 100644
--- a/app/Http/Controllers/Auth/Users.php
+++ b/app/Http/Controllers/Auth/Users.php
@@ -16,6 +16,17 @@ class Users extends Controller
 {
 use Uploads;
 
+ public function __construct()
+ {
+ $this->middleware('permission:create-auth-users')->only('create', 'store', 'duplicate', 'import');
+ $this->middleware('permission:read-auth-users')->only('index', 'show', 'export');
+ $this->middleware('permission:update-auth-users')->only('enable', 'disable');
+ $this->middleware('permission:delete-auth-users')->only('destroy');
+
+ $this->middleware('permission:read-auth-users|read-auth-profile')->only('edit');
+ $this->middleware('permission:update-auth-users|update-auth-profile')->only('update');
+ }
+
 /**
 * Display a listing of the resource.
 *
@@ -101,6 +112,10 @@ class Users extends Controller
 */
 public function edit(User $user)
 {
+ if (user()->cannot('read-auth-users') && ($user->id != user()->id)) {
+ abort(403);
+ }
+
 $routes = [
 'dashboard' => trans_choice('general.dashboards', 1),
 'items.index' => trans_choice('general.items', 2),
@@ -148,6 +163,10 @@ class Users extends Controller
 */
 public function update(User $user, Request $request)
 {
+ if (user()->cannot('update-auth-users') && ($user->id != user()->id)) {
+ abort(403);
+ }
+
 $response = $this->ajaxDispatch(new UpdateUser($user, $request));
 
 if ($response['success']) {
diff --git a/resources/views/auth/users/edit.blade.php b/resources/views/auth/users/edit.blade.php
index 1141d4cfd..71f024014 100644
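Review bot: The `|` in `permission:read-auth-users|read-auth-profile` (and the update line below it) is an OR, so the constructor middleware alone admits a profile-only user to edit() and update() for any user id; the per-record restriction lives inside those two methods, and nothing in the constructor says so. I would put a comment above the two profile lines: `// '|' is OR: profile-only users pass this middleware; edit()/update() limit them to their own record.` It is also worth noting in the same comment that enable/disable and destroy are gated on the *-auth-users permissions only, so a profile-only user cannot toggle or delete their own account — presumably intended, but it is the kind of asymmetry a later maintainer will otherwise "fix".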
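Review bot: The ownership gate added at the top of edit() is repeated verbatim at the top of update() in the next hunk, with a loose `!=`; since the constructor middleware accepts either permission, this check is the only thing that keeps a profile-only user from opening or saving another account, so it should live in one private helper with a comment saying exactly that, and use `!==` provided both ids are ints (Eloquent's default key cast — confirm for this model). For update(), a user holding only update-auth-profile now reaches UpdateUser for their own record; if that job accepts role or company fields from the request, the actor should be limited to profile fields when they lack update-auth-users — UpdateUser is outside this diff, so I cannot confirm either way. Both edit() and update() continue past their hunks.
```php
    public function edit(User $user)
    {
        $this->authorizeOwnRecordOr('read-auth-users', $user);
        // … unchanged: $routes table and the rest of edit() …

    /**
     * Abort with 403 unless the acting user holds $permission company-wide
     * or is acting on their own record (the *-auth-profile case); the
     * constructor middleware admits either permission, so this is the
     * only per-record check.
     */
    private function authorizeOwnRecordOr(string $permission, User $user): void
    {
        if (user()->cannot($permission) && $user->id !== user()->id) {
            abort(403);
        }
    }
```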
--- a/resources/views/auth/users/edit.blade.php
+++ b/resources/views/auth/users/edit.blade.php
@@ -60,7 +60,7 @@
- @permission('update-auth-users')
+ @permission(['update-auth-users', 'update-auth-profile'])