Cutlery/invoiceninja
1
0
Fork 0
mirror of https://github.com/invoiceninja/invoiceninja.git synced 2025-11-04 02:47:34 -05:00
Code Issues Packages Projects Releases Wiki Activity

Update permissions logic

Browse Source
This commit is contained in:
David Bomba 2023-01-23 11:01:27 +11:00
parent 2203403818
commit 3312e7ce12
3 changed files with 48 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
app/Http/Controllers/ActivityController.php
View File

@ -87,13 +87,15 @@ class ActivityController extends BaseController
{
$default_activities = $request->has('rows') ? $request->input('rows') : 50;
$activities = Activity::orderBy('created_at', 'DESC')->company()
$activities = Activity::orderBy('created_at', 'DESC')
->company()
->take($default_activities);
if ($request->has('react')) {
if(!auth()->user()->isAdmin())
return response()->json(['data' => []], 200);
$activities->where('user_id', auth()->user()->id);
// return response()->json(['data' => []], 200);
$system = ctrans('texts.system');

13
app/Models/User.php
View File

@ -358,18 +358,21 @@ class User extends Authenticatable implements MustVerifyEmail
public function hasPermission($permission) : bool
{
$parts = explode('_', $permission);
$all_permission = '';
$all_permission = false;
if (count($parts) > 1) {
$all_permission = $parts[0].'_all';
}
//empty $all_permissions leads to stripos returning true;
return $this->isOwner() ||
$this->isAdmin() ||
(is_int(stripos($this->token()->cu->permissions, $all_permission))) ||
(is_int(stripos($this->token()->cu->permissions, $permission)));
(stripos($all_permission, $this->token()->cu->permissions) !== false) ||
(stripos($permission, $this->token()->cu->permissions) !== false);
// return $this->isOwner() ||
// $this->isAdmin() ||
// (is_int(stripos($this->token()->cu->permissions, $all_permission))) ||
// (is_int(stripos($this->token()->cu->permissions, $permission)));
}

38
tests/Unit/PermissionsTest.php
View File

@ -159,6 +159,40 @@ class PermissionsTest extends TestCase
}
public function testReturnTypesOfStripos()
{
$this->assertEquals(0, stripos("view_client", ''));
$all_permission = '[]';
$this->assertFalse(stripos($all_permission, "view_client") !== false);
$this->assertTrue(stripos($all_permission, "view_client") == 0);
$this->assertFalse(is_int(stripos($all_permission, "view_client")));
$all_permission = ' ';
$this->assertFalse(stripos($all_permission, "view_client") !== false);
$this->assertFalse(is_int(stripos($all_permission, "view_client")));
$all_permission = "";//problems are empty strings
$this->assertTrue(empty($all_permission));
$this->assertFalse( stripos($all_permission, "view_client") !== false);
$this->assertFalse( is_int(stripos($all_permission, "view_client")));
$all_permission = 'view';//will always pass currently
$this->assertFalse( stripos($all_permission, "view_client") !== false);
$this->assertFalse(is_int(stripos($all_permission, "view_client")));
$all_permission = "view_client";
$this->assertTrue(stripos($all_permission, "view_client") !== false);
$this->assertTrue(is_int(stripos($all_permission, "view_client")) !== false);
$this->assertTrue(is_int(stripos($all_permission, "view_client")));
}
public function testViewClientPermission()
{
@ -166,8 +200,8 @@ class PermissionsTest extends TestCase
$low_cu->permissions = '["view_client"]';
$low_cu->save();
//this is aberrant
$this->assertTrue($this->user->hasPermission("viewclient"));
// this is aberrant
$this->assertFalse($this->user->hasPermission("view____client"));
}