From cd10003d646542b9f38c978c9f26ea11c90a5aec Mon Sep 17 00:00:00 2001
From: David Bomba
Date: Fri, 5 Oct 2018 00:19:01 +1000
Subject: [PATCH] Permission fixes. (#2407)
* Patch for permissions
* fixes for production
* fix for doc uploads
---
 app/Http/Requests/CreateDocumentRequest.php | 15 ++-------------
 app/Http/Requests/InvoiceRequest.php | 9 +++++++++
 app/Models/User.php | 11 +++++++++++
 app/Ninja/Datatables/InvoiceDatatable.php | 2 +-
 app/Policies/GenericEntityPolicy.php | 14 +++++++++++++-
 5 files changed, 36 insertions(+), 15 deletions(-)
diff --git a/app/Http/Requests/CreateDocumentRequest.php b/app/Http/Requests/CreateDocumentRequest.php
index 5c7998b380d9..57b75e945fbd 100644
--- a/app/Http/Requests/CreateDocumentRequest.php
+++ b/app/Http/Requests/CreateDocumentRequest.php
@@ -19,19 +19,8 @@ class CreateDocumentRequest extends DocumentRequest
 */
 public function authorize()
 {
- if (! $this->user()->hasFeature(FEATURE_DOCUMENTS)) {
- return false;
- }
-
- if ($this->invoice && $this->user()->cannot('edit', $this->invoice)) {
- return false;
- }
-
- if ($this->expense && $this->user()->cannot('edit', $this->expense)) {
- return false;
- }
-
- return $this->user()->can('create', ENTITY_DOCUMENT);
+ if($this->user()->hasFeature(FEATURE_DOCUMENTS))
+ return true;
 }
 
 /**
diff --git a/app/Http/Requests/InvoiceRequest.php b/app/Http/Requests/InvoiceRequest.php
index 06406ea97b35..60bb5a481e49 100644
--- a/app/Http/Requests/InvoiceRequest.php
+++ b/app/Http/Requests/InvoiceRequest.php
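Review bot: The rewritten authorize() on the `+` lines drops the per-entity guards, so any user who has the documents feature can now attach a document to an invoice or expense they are not allowed to edit; `$this->invoice` and `$this->expense` are still referenced by the removed lines and are presumably resolved by the parent DocumentRequest (not visible here), so the `cannot('edit', …)` checks could stay while only the `can('create', ENTITY_DOCUMENT)` check that the "fix for doc uploads" message suggests was failing is removed. The new body also has no explicit `return false;`, so the denied path returns null; Laravel treats that as a denial, but an authorization method should state its boolean result explicitly. A version that keeps the entity guards:
```php
    public function authorize()
    {
        if (! $this->user()->hasFeature(FEATURE_DOCUMENTS)) {
            return false;
        }

        // Attaching a document modifies its parent entity, so require edit rights on it.
        if ($this->invoice && $this->user()->cannot('edit', $this->invoice)) {
            return false;
        }

        if ($this->expense && $this->user()->cannot('edit', $this->expense)) {
            return false;
        }

        return true;
    }
```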
@@ -25,6 +25,15 @@ class InvoiceRequest extends EntityRequest
 else
 $standardOrRecurringInvoice = ENTITY_INVOICE;
 
+ if(request()->is('invoices/*/edit') && request()->isMethod('get') && $this->user()->can('edit', $invoice))
+ return true;
+
+ if(request()->is('quotes/*/edit') && request()->isMethod('get') && $this->user()->can('edit', $invoice))
+ return true;
+
+ if(request()->is('invoices/create') && $this->user()->can('create', ENTITY_INVOICE))
+ return true;
+
 if(request()->is('invoices/create') && !$this->user()->can('create', ENTITY_INVOICE))
 return false;
 
diff --git a/app/Models/User.php b/app/Models/User.php
index 7d44d49bf50e..81c9fef4cd15 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -364,6 +364,17 @@ class User extends Authenticatable
 return false;
 }
 
+
+ public function viewModel($model, $entityType)
+ {
+ if($this->hasPermission('view_'.$entityType))
+ return true;
+ elseif($model->user_id == $this->id)
+ return true;
+ else
+ return false;
+ }
+
 /**
 * @param $entity
 *
diff --git a/app/Ninja/Datatables/InvoiceDatatable.php b/app/Ninja/Datatables/InvoiceDatatable.php
index 11c385eb9afe..b647832bc9ce 100644
--- a/app/Ninja/Datatables/InvoiceDatatable.php
+++ b/app/Ninja/Datatables/InvoiceDatatable.php
@@ -20,7 +20,7 @@ class InvoiceDatatable extends EntityDatatable
 [
 $entityType == ENTITY_INVOICE ? 'invoice_number' : 'quote_number',
 function ($model) use ($entityType) {
- if(Auth::user()->can('view', [$this->entityType, $model])) {
+ if(Auth::user()->viewModel($model, $entityType)) {
 $str = link_to("{$entityType}s/{$model->public_id}/edit", $model->invoice_number, ['class' => Utils::getEntityRowClass($model)])->toHtml();
 return $this->addNote($str, $model->private_notes);
 }
diff --git a/app/Policies/GenericEntityPolicy.php b/app/Policies/GenericEntityPolicy.php
index c8a7750bbecf..b93c6b61a666 100644
--- a/app/Policies/GenericEntityPolicy.php
+++ b/app/Policies/GenericEntityPolicy.php
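Review bot: The added GET-edit branches return true before whatever checks follow this hunk in authorize() (the method starts and continues outside the hunk), so any later route-specific guard is skipped for those requests; confirm that is intended, and note that `$invoice` on the added lines is set above the hunk and may be null if the route parameter does not resolve, in which case `can('edit', null)` is what gets evaluated. The first two added conditions differ only in the route pattern and can be a single check, since Laravel's `Request::is()` takes several patterns: `if(request()->is('invoices/*/edit', 'quotes/*/edit') && request()->isMethod('get') && $this->user()->can('edit', $invoice))`. The added `invoices/create` positive branch is the exact complement of the existing negative one below it, so on that route the pair always returns; `if(request()->is('invoices/create')) return $this->user()->can('create', ENTITY_INVOICE);` says the same thing once.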
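Review bot: `viewModel()` compares `$model->user_id == $this->id` loosely; both are ids, so a strict comparison with an explicit int cast avoids PHP's loose-comparison surprises, and the elseif/else tail collapses to `return (int) $model->user_id === (int) $this->id;`. The method also answers "may view" without checking that `$model` belongs to the caller's account, so it appears to rely on every caller having already scoped the query to the account; that contract belongs in a docblock, e.g. `/** Whether this user may view $model: holds the view_<entityType> permission or owns the row. Assumes $model is already scoped to the user's account. */`. Its notion of "view" is also broader than GenericEntityPolicy::view as changed in this same commit, which has no ownership branch, so the two will disagree for rows the user owns.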
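Review bot: The replaced line swaps the Gate check `can('view', …)` for the new User::viewModel(), so this column no longer passes through Laravel's policy layer (any `before()` hook or entity-specific policy logic is bypassed here while other callers still use the Gate). If the old call failed only because `$this->entityType` was not what the closure expected, keeping the Gate but passing the captured variable, `if(Auth::user()->can('view', [$entityType, $model])) {`, would keep the datatable consistent with the policy. The link this branch renders targets the `/edit` route, so the predicate guarding it arguably should be edit rights rather than view rights.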
@@ -57,12 +57,18 @@ class GenericEntityPolicy
 */
 public static function create(User $user, $entityType)
 {
+ /*
 $className = static::className($entityType);
 if (method_exists($className, 'create')) {
 return call_user_func([$className, 'create'], $user, $entityType);
 }
 
 return false;
+ */
+ if($user->hasPermission('create_'.$entityType))
+ return true;
+ else
+ return false;
 }
 
 /**
@@ -73,12 +79,18 @@ class GenericEntityPolicy
 */
 public static function view(User $user, $entityType)
 {
+ /*
 $className = static::className($entityType);
 if (method_exists($className, 'view')) {
 return call_user_func([$className, 'view'], $user, $entityType);
 }
 
- return false;
+ return false;*/
+
+ if($user->hasPermission('view_'.$entityType))
+ return true;
+ else
+ return false;
 }
 
 /**
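Review bot: Both `create()` and `view()` in this file now carry their old bodies as block comments on the `+ /*` … `*/` lines; commented-out code should be deleted rather than shipped, since the history already holds it. The remaining `if … return true; else return false;` in each method is just the boolean itself: `return $user->hasPermission('create_'.$entityType);` and `return $user->hasPermission('view_'.$entityType);`. Functionally, dropping the `method_exists`/`call_user_func` delegation means any entity-specific policy class that previously narrowed or widened create/view for its entity no longer takes part in these decisions; whether such a class exists is not visible here, but if one does this is an authorization change beyond what the commit message describes and deserves a sentence in it.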