From b7f0d2a33f8872a6b61c80dfa29ec83cb1bcb56e Mon Sep 17 00:00:00 2001
From: Joshua Dwire
Date: Thu, 24 Mar 2016 18:33:28 -0400
Subject: [PATCH] More intuitive document permissions
---
 app/Models/Document.php | 15 +++++++++++++++
 app/Ninja/Repositories/ExpenseRepository.php | 6 ++----
 app/Ninja/Repositories/InvoiceRepository.php | 9 ++++-----
 3 files changed, 21 insertions(+), 9 deletions(-)
diff --git a/app/Models/Document.php b/app/Models/Document.php
index 0d822ea4d18e..96051d9db1b2 100644
--- a/app/Models/Document.php
+++ b/app/Models/Document.php
@@ -2,6 +2,7 @@
 use Illuminate\Support\Facades\Storage;
 use DB;
+use Auth;
 class Document extends EntityModel
 {
@@ -221,6 +222,20 @@ class Document extends EntityModel
 return $document;
 }
+
+ public static function canCreate(){
+ return true;
+ }
+
+ public static function canViewItem($document){
+ if(Auth::user()->hasPermission('view_all'))return true;
+ if($document->expense){
+ if($document->expense->invoice)return $document->expense->invoice->canView();
+ return $document->expense->canView();
+ }
+ if($document->invoice)return $document->invoice->canView();
+ return Auth::user()->id == $item->user_id;
+ }
 }
 Document::deleted(function ($document) {
diff --git a/app/Ninja/Repositories/ExpenseRepository.php b/app/Ninja/Repositories/ExpenseRepository.php
index db39857bcf4b..046b4a1cb943 100644
--- a/app/Ninja/Repositories/ExpenseRepository.php
+++ b/app/Ninja/Repositories/ExpenseRepository.php
@@ -185,10 +185,8 @@ class ExpenseRepository extends BaseRepository
 foreach ($expense->documents as $document){
 if(!in_array($document->public_id, $document_ids)){
- // Removed
- if(!$checkSubPermissions || $document->canEdit()){
- $document->delete();
- }
+ // Not checking permissions; deleting a document is just editing the invoice
+ $document->delete();
 }
 }
diff --git a/app/Ninja/Repositories/InvoiceRepository.php b/app/Ninja/Repositories/InvoiceRepository.php
index 686f9573d12d..f78815c27e7d 100644
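Review bot: The last line of the new `canViewItem` reads `$item->user_id`, but the method's only parameter is `$document`, so `$item` is undefined at that point. The comparison is therefore made against null, which means a document attached to neither an expense nor an invoice is refused even to the user who uploaded it, and PHP reports an undefined-variable notice on each call. The line should read `return Auth::user()->id == $document->user_id;`. `Auth::user()` is also dereferenced without a null check on the first and last lines; if this method can be reached without an authenticated user (not visible in the hunk), it fails with an error instead of denying access. The Document class body starts outside the hunk.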
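Review bot: With the `!$checkSubPermissions || $document->canEdit()` guard removed, `$document->delete()` is authorised only by whatever check the caller made on the parent expense, and that check is not visible in this hunk. Every path into this save routine should be confirmed to verify edit permission on `$expense` before the document list is processed, because any attached document whose `public_id` is missing from `$document_ids` is now deleted unconditionally. The new comment says "editing the invoice" although this is the expense repository; a comment such as `// No per-document check: caller must already have verified edit permission on $expense` would state the precondition the code now depends on. The same guard is removed in the InvoiceRepository.php hunk, where the equivalent precondition applies to `$invoice`. The enclosing method starts and ends outside the hunk.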
--- a/app/Ninja/Repositories/InvoiceRepository.php
+++ b/app/Ninja/Repositories/InvoiceRepository.php
@@ -442,11 +442,10 @@ class InvoiceRepository extends BaseRepository
 foreach ($invoice->documents as $document){
 if(!in_array($document->public_id, $document_ids)){
 // Removed
- if(!$checkSubPermissions || $document->canEdit()){
- if($document->invoice_id == $invoice->id){
- // Make sure the document isn't on a clone
- $document->delete();
- }
+ // Not checking permissions; deleting a document is just editing the invoice
+ if($document->invoice_id == $invoice->id){
+ // Make sure the document isn't on a clone
+ $document->delete();
 }
 }
 }