Fixes for permissions (#3575)

David Bomba 2020-04-01 23:34:50 +11:00 committed by GitHub
parent eba0c19824
commit ceb82ad275
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 9 deletions


@ -174,6 +174,7 @@ class ClientFilters extends QueryFilters
* limit the user to only the invoices they have created * limit the user to only the invoices they have created
*/ */
if (Gate::denies('view-list', Client::class)) { if (Gate::denies('view-list', Client::class)) {
info("the gate!");
$query->where('clients.user_id', '=', $user->id); $query->where('clients.user_id', '=', $user->id);
} }
@ -189,7 +190,6 @@ class ClientFilters extends QueryFilters
*/ */
public function entityFilter() public function entityFilter()
{ {
//return $this->builder->whereCompanyId(auth()->user()->company()->id); //return $this->builder->whereCompanyId(auth()->user()->company()->id);
return $this->builder->company(); return $this->builder->company();
} }
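Review bot: The `info("the gate!");` added inside the `Gate::denies('view-list', Client::class)` branch is leftover debug logging that will write a bare string to the application log on every client list request made by a restricted user; drop the line before merging. If a trace of the authorization decision is wanted, a structured message naming the gate and the user id (e.g. `info('view-list denied for clients', ['user_id' => $user->id]);`) would be more useful than the placeholder text. The enclosing method starts outside the hunk.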


@ -131,14 +131,16 @@ class BaseController extends Controller
$query->with($includes); $query->with($includes);
if (auth()->user()->cannot('view_'.$this->entity_type)) { if (!auth()->user()->hasPermission('view_'.lcfirst(class_basename($this->entity_type)))) {
if ($this->entity_type == Company::class || $this->entity_type == Design::class) {
//no user keys exist on the company table, so we need to skip // if ($this->entity_type == Company::class || $this->entity_type == Design::class) {
} elseif ($this->entity_type == User::class) { // //no user keys exist on the company table, so we need to skip
//$query->where('id', '=', auth()->user()->id); @todo why? // } elseif ($this->entity_type == User::class) {
} else { // //$query->where('id', '=', auth()->user()->id); @todo why?
// } else {
$query->where('user_id', '=', auth()->user()->id); $query->where('user_id', '=', auth()->user()->id);
} // }
} }
if (request()->has('updated_at') && request()->input('updated_at') > 0) { if (request()->has('updated_at') && request()->input('updated_at') > 0) {
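Review bot: With the Company/Design/User special cases commented out, `$query->where('user_id', '=', auth()->user()->id);` now runs for every entity type that fails the new `hasPermission` check, including the types the old comment says have no user key on their table; unless those types can no longer reach this branch, the filter will surface as a query error rather than a denied or empty list. If the branches are genuinely obsolete, delete the commented-out block instead of keeping it in the hot path; if they are not, restore at least the Company/Design skip. The permission name built here via `'view_'.lcfirst(class_basename($this->entity_type))` has to match the strings stored in `company_user.permissions` exactly, which is worth a test per entity type since a mismatch silently falls through to the ownership filter. The enclosing method starts outside the hunk.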


@ -286,7 +286,16 @@ class User extends Authenticatable implements MustVerifyEmail
*/ */
public function hasPermission($permission) : bool public function hasPermission($permission) : bool
{ {
return (stripos($this->company_user->permissions, $permission) !== false); $parts = explode("_", $permission);
$all_permission = '';
if(count($parts) > 1)
$all_permission = $parts[0] . '_all';
return $this->isOwner() ||
$this->isAdmin() ||
(stripos($this->company_user->permissions, $all_permission) !== false) ||
(stripos($this->company_user->permissions, $permission) !== false);
} }
public function documents() public function documents()
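Review bot: When `$permission` contains no underscore, `$all_permission` stays `''`, and on PHP 8 `stripos($haystack, '')` returns 0, so the `!== false` test on that line grants the permission to every company user regardless of what is stored; on PHP 7 the same call warns and returns false, so the outcome depends on the runtime version. Guard the derived check explicitly, e.g. `$all_permission = count($parts) > 1 ? $parts[0] . '_all' : null;` and `($all_permission !== null && stripos($this->company_user->permissions, $all_permission) !== false)`. The substring match is also imprecise for a list of permission names, since any stored name that contains the requested one as a fragment matches too; if `permissions` is a delimited string, splitting it and comparing with `in_array($permission, $list, true)` is the safer test. The braceless `if(count($parts) > 1)` should also get braces per PSR-12.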