Permission fixes. (#2407)

* Patch for permissions * fixes for production * fix for doc uploads
2025-07-09 03:14:30 -04:00 · 2018-10-05 00:19:01 +10:00 · 2018-10-05 00:19:01 +10:00 · cd10003d64
commit cd10003d64
parent e2d8ba4b60
5 changed files with 36 additions and 15 deletions
--- a/app/Http/Requests/CreateDocumentRequest.php
+++ b/app/Http/Requests/CreateDocumentRequest.php
@ -19,19 +19,8 @@ class CreateDocumentRequest extends DocumentRequest
     */
    public function authorize()
    {
-        if (! $this->user()->hasFeature(FEATURE_DOCUMENTS)) {
-            return false;
-        }
-        
-        if ($this->invoice && $this->user()->cannot('edit', $this->invoice)) {
-            return false;
-        }
-
-        if ($this->expense && $this->user()->cannot('edit', $this->expense)) {
-            return false;
-        }
-
-        return $this->user()->can('create', ENTITY_DOCUMENT);
+        if($this->user()->hasFeature(FEATURE_DOCUMENTS))
+            return true;
    }

    /**
--- a/app/Http/Requests/InvoiceRequest.php
+++ b/app/Http/Requests/InvoiceRequest.php
@ -25,6 +25,15 @@ class InvoiceRequest extends EntityRequest
        else
            $standardOrRecurringInvoice = ENTITY_INVOICE;

+        if(request()->is('invoices/*/edit') && request()->isMethod('get') && $this->user()->can('edit', $invoice))
+            return true;
+
+        if(request()->is('quotes/*/edit') && request()->isMethod('get') && $this->user()->can('edit', $invoice))
+            return true;
+
+        if(request()->is('invoices/create') && $this->user()->can('create', ENTITY_INVOICE))
+            return true;
+
        if(request()->is('invoices/create') && !$this->user()->can('create', ENTITY_INVOICE))
            return false;

--- a/app/Models/User.php
+++ b/app/Models/User.php
@ -364,6 +364,17 @@ class User extends Authenticatable
        return false;
    }

+
+    public function viewModel($model, $entityType)
+    {
+        if($this->hasPermission('view_'.$entityType))
+            return true;
+        elseif($model->user_id == $this->id)
+            return true;
+        else
+            return false;
+    }
+
    /**
     * @param $entity
     *
--- a/app/Ninja/Datatables/InvoiceDatatable.php
+++ b/app/Ninja/Datatables/InvoiceDatatable.php
@ -20,7 +20,7 @@ class InvoiceDatatable extends EntityDatatable
            [
                $entityType == ENTITY_INVOICE ? 'invoice_number' : 'quote_number',
                function ($model) use ($entityType) {
-                    if(Auth::user()->can('view', [$this->entityType, $model])) {
+                    if(Auth::user()->viewModel($model, $entityType)) {
                        $str = link_to("{$entityType}s/{$model->public_id}/edit", $model->invoice_number, ['class' => Utils::getEntityRowClass($model)])->toHtml();
                        return $this->addNote($str, $model->private_notes);
                    }
--- a/app/Policies/GenericEntityPolicy.php
+++ b/app/Policies/GenericEntityPolicy.php
@ -57,12 +57,18 @@ class GenericEntityPolicy
     */
    public static function create(User $user, $entityType)
    {
+        /*
        $className = static::className($entityType);
        if (method_exists($className, 'create')) {
            return call_user_func([$className, 'create'], $user, $entityType);
        }

        return false;
+        */
+        if($user->hasPermission('create_'.$entityType))
+            return true;
+        else
+            return false;
    }

    /**
@ -73,11 +79,17 @@ class GenericEntityPolicy
     */
    public static function view(User $user, $entityType)
    {
+        /*
        $className = static::className($entityType);
        if (method_exists($className, 'view')) {
            return call_user_func([$className, 'view'], $user, $entityType);
        }

+        return false;*/
+
+        if($user->hasPermission('view_'.$entityType))
+            return true;
+        else
            return false;
    }