From 07b4b81117d73cd012b059e7b8f1e7bcd25c01ba Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Wed, 26 Jun 2019 07:55:04 +1000
Subject: [PATCH] company policy
---
 app/Policies/CompanyPolicy.php | 71 ++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
 create mode 100644 app/Policies/CompanyPolicy.php
diff --git a/app/Policies/CompanyPolicy.php b/app/Policies/CompanyPolicy.php
new file mode 100644
index 000000000000..698139b820bf
--- /dev/null
+++ b/app/Policies/CompanyPolicy.php
@@ -0,0 +1,71 @@
+isAdmin() || $user->hasPermission('create_company');
+
+ }
+
+ /**
+ * Checks if the user has view permissions
+ *
+ * We MUST also check that the user can both view a entity and also check the entity belongs to the users company!!!!!!
+ @param User $user
+ * @param $entity
+ * @return bool
+ */
+ public function view(User $user, $entity) : bool
+ {
+
+ return ($user->isAdmin() && $entity->id == $user->companyId())
+ || ($user->hasPermission('view_' . strtolower(class_basename($entity))) && $entity->id == $user->companyId())
+ || $user->owns($entity);
+ }
+
+
+ /**
+ * Checks if the user has edit permissions
+ *
+ * We MUST also check that the user can both edit a entity and also check the entity belongs to the users company!!!!!!
+ *
+ * @param User $user
+ * @param $entity
+ * @return bool
+ */
+ public function edit(User $user, $entity) : bool
+ {
+
+ return ($user->isAdmin() && $entity->id == $user->companyId())
+ || ($user->hasPermission('edit_' . strtolower(class_basename($entity))) && $entity->id == $user->companyId())
+ || $user->owns($entity);
+
+ }
+}
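Review bot: The trailing `|| $user->owns($entity)` in both `view` and `edit` grants access without the company check that the docblock declares mandatory, so whether a user can reach another company's record through this clause depends entirely on how `owns()` (not visible in this patch) is implemented; if it only compares a user id, a record this user created that now belongs to a different company would still pass. Either scope that clause like the other two, e.g. `|| ($user->owns($entity) && $entity->id == $user->companyId())`, or state in the docblock why ownership is deliberately exempt from the company check. The test `$entity->id == $user->companyId()` is also repeated in each branch with a loose `==`; hoisting it once as `$sameCompany = (int) $entity->id === (int) $user->companyId();` and reusing it in both branches removes the duplication and avoids PHP 7 loose-comparison surprises if either side arrives as a string. `create` hard-codes `'create_company'` while `view`/`edit` derive the permission key from `class_basename($entity)`, which is worth aligning; the start of the file, including the `create` signature and the `return $user->` that precedes `isAdmin()`, is garbled in this rendering and could not be reviewed.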