From fdf1b25b16abc542626d3ee8963121a25cf4429a Mon Sep 17 00:00:00 2001
From: Joshua Dwire
Date: Sat, 23 Apr 2016 11:52:36 -0400
Subject: [PATCH] Begin adding authorization policies
---
app/Http/Controllers/BaseController.php | 30 ++-----------
app/Http/Controllers/InvoiceController.php | 4 +-
app/Models/EntityModel.php | 52 ----------------------
app/Models/User.php | 4 ++
app/Policies/EntityPolicy.php | 25 +++++++++++
app/Policies/InvoicePolicy.php | 23 ++++++++++
app/Providers/AuthServiceProvider.php | 29 ++++++++++++
config/app.php | 1 +
8 files changed, 86 insertions(+), 82 deletions(-)
create mode 100644 app/Policies/EntityPolicy.php
create mode 100644 app/Policies/InvoicePolicy.php
create mode 100644 app/Providers/AuthServiceProvider.php
diff --git a/app/Http/Controllers/BaseController.php b/app/Http/Controllers/BaseController.php
index 5124097636a9..c62c496e8c60 100644
--- a/app/Http/Controllers/BaseController.php
+++ b/app/Http/Controllers/BaseController.php
@@ -22,39 +22,15 @@ class BaseController extends Controller } } - protected function checkViewPermission($object, &$response = null){ - if(!$object->canView()){ - $response = response('Unauthorized.', 401); - return false; - } - return true; - } - - protected function checkEditPermission($object, &$response = null){ - if(!$object->canEdit()){ - $response = response('Unauthorized.', 401); - return false; - } - return true; - } - - protected function checkCreatePermission(&$response = null){ - if(!call_user_func(array($this->model, 'canCreate'))){ - $response = response('Unauthorized.', 401); - return false; - } - return true; - } - - protected function checkUpdatePermission($input, &$response = null){ + protected function authorizeUpdate($input){ $creating = empty($input['public_id']) || $input['public_id'] == '-1'; if($creating){ - return $this->checkCreatePermission($response); + $this->authorize('create', $this->model); } else{ $object = call_user_func(array($this->model, 'scope'), $input['public_id'])->firstOrFail(); - return $this->checkEditPermission($object, $response); + $this->authorize('edit', $object); } } } diff --git a/app/Http/Controllers/InvoiceController.php b/app/Http/Controllers/InvoiceController.php index 774ed7a7a70c..bbc8ab87db09 100644 --- a/app/Http/Controllers/InvoiceController.php +++ b/app/Http/Controllers/InvoiceController.php @@ -96,9 +96,7 @@ class InvoiceController extends BaseController ->withTrashed() ->firstOrFail(); - if(!$this->checkEditPermission($invoice, $response)){ - return $response; - } + $this->authorize('edit', $invoice) $entityType = $invoice->getEntityType(); diff --git a/app/Models/EntityModel.php b/app/Models/EntityModel.php index 53bb1d0d1a48..8d0da39d3fab 100644 --- a/app/Models/EntityModel.php +++ b/app/Models/EntityModel.php 
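Review bot: `authorizeUpdate` hands `$this->model` (a class-name string, judging by the `call_user_func([$this->model, 'scope'], …)` call just below) to `authorize('create', …)`, so the Gate can only resolve it for models that appear in `AuthServiceProvider::$policies`; the only mapping visible on this page is `Invoice => InvoicePolicy`, so any other `BaseController` subclass that reaches this method would be denied by the Gate for lack of a policy rather than checked against `create_all`. The method also no longer returns a boolean or fills `$response`, so a caller still written as `if(!$this->checkUpdatePermission($input, $response)) return $response;` (none are in this view) would now depend entirely on the exception `authorize()` throws, and the client sees that exception's 403-style response instead of the old `401 Unauthorized`. A docblock would make the new contract explicit: `/** Authorize creating (public_id empty or '-1') or editing the scoped entity; throws an authorization exception instead of returning a response. */`. The class continues outside the hunk.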
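Review bot: The new `$this->authorize('edit', $invoice)` line has no terminating semicolon, so this file will fail to parse; it should read `$this->authorize('edit', $invoice);`. Also note the invoice is loaded `withTrashed()` on the line above, so the edit policy is now consulted for soft-deleted invoices as well — the owner check in the policy handles that, but it is worth confirming that is the intended behaviour for trashed records. The enclosing method starts and ends outside the hunk.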
@@ -118,56 +118,4 @@ class EntityModel extends Eloquent $name = $parts[count($parts)-1]; return strtolower($name) . '_id'; } - - public static function canCreate() { - return Auth::user()->hasPermission('create_all'); - } - - public function canEdit() { - return static::canEditItem($this); - } - - public static function canEditItem($item) { - return Auth::user()->hasPermission('edit_all') || (isset($item->user_id) && Auth::user()->id == $item->user_id); - } - - public static function canEditItemById($item_id) { - if(Auth::user()->hasPermission('edit_all')) { - return true; - } - - return static::whereId($item_id)->first()->user_id == Auth::user()->id; - } - - public static function canEditItemByOwner($user_id) { - if(Auth::user()->hasPermission('edit_all')) { - return true; - } - - return Auth::user()->id == $user_id; - } - - public function canView() { - return static::canViewItem($this); - } - - public static function canViewItem($item) { - return Auth::user()->hasPermission('view_all') || (isset($item->user_id) && Auth::user()->id == $item->user_id); - } - - public static function canViewItemById($item_id) { - if(Auth::user()->hasPermission('view_all')) { - return true; - } - - return static::whereId($item_id)->first()->user_id == Auth::user()->id; - } - - public static function canViewItemByOwner($user_id) { - if(Auth::user()->hasPermission('view_all')) { - return true; - } - - return Auth::user()->id == $user_id; - } } diff --git a/app/Models/User.php b/app/Models/User.php index 32a4960a8482..a7ef6fcf5bd7 100644 --- a/app/Models/User.php +++ b/app/Models/User.php @@ -326,6 +326,10 @@ class User extends Model implements AuthenticatableContract, CanResetPasswordCon return false; } + + public function owns($entity) { + return !empty($entity->user_id) && $entity->user_id == $this->id; + } } User::updating(function ($user) { diff --git a/app/Policies/EntityPolicy.php b/app/Policies/EntityPolicy.php new file mode 100644 index 000000000000..79f60e8ff504 --- /dev/null 
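Review bot: `owns()` is the ownership primitive every new policy method relies on, yet it has no docblock, and its loose `==` between `$entity->user_id` and `$this->id` looks deliberate (presumably to tolerate a string attribute from the database — confirm) but is unexplained, inviting a later "fix" to `===` that would silently deny owners. Suggested docblock: `/** True when $entity->user_id is set and equals this user's id (loose == on purpose: the attribute may be a string). */`. The `!empty()` guard also means an entity whose user_id is 0 is never owned, harmless only if ids start at 1, which I cannot confirm from here. The class continues outside the hunk.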
+++ b/app/Policies/EntityPolicy.php @@ -0,0 +1,25 @@ +hasPermission('create_all'); + } + + public static function edit($user, $item) { + $user->hasPermission('edit_all') || $user->owns($item); + } + + public static function view($user, $item) { + $user->hasPermission('view_all') || $user->owns($item); + } +} \ No newline at end of file diff --git a/app/Policies/InvoicePolicy.php b/app/Policies/InvoicePolicy.php new file mode 100644 index 000000000000..46a1adcc3d84 --- /dev/null +++ b/app/Policies/InvoicePolicy.php @@ -0,0 +1,23 @@ + InvoicePolicy::class, + ]; + + /** + * Register any application authentication / authorization services. + * + * @param \Illuminate\Contracts\Auth\Access\Gate $gate + * @return void + */ + public function boot(GateContract $gate) + { + $this->registerPolicies($gate); + } +} \ No newline at end of file diff --git a/config/app.php b/config/app.php index c86362a9afea..027c3d5ece28 100644 --- a/config/app.php +++ b/config/app.php @@ -157,6 +157,7 @@ return [ /* * Application Service Providers... */ + 'App\Providers\AuthServiceProvider', 'App\Providers\AppServiceProvider', //'App\Providers\BusServiceProvider', 'App\Providers\ConfigServiceProvider',
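Review bot: `edit()` and `view()` evaluate `$user->hasPermission(...) || $user->owns($item)` but never `return` the result, so both methods return null, which the Gate casts to false — every `authorize('edit', …)` call wired up in `BaseController` and `InvoiceController` would therefore throw even for the record's owner or a user holding `edit_all`. They need `return $user->hasPermission('edit_all') || $user->owns($item);` and `return $user->hasPermission('view_all') || $user->owns($item);` respectively. The head of this file (namespace, class line and the start of `create()`) is garbled in this extraction, so I cannot see whether `create()` has its `return` either; check it as well. Declaring the policy methods `static` also departs from Laravel's instance-method convention for policies — it works because the Gate invokes `[$policy, $ability]`, but it is unusual and worth a comment if intentional.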
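Review bot: Only `Invoice::class => InvoicePolicy::class` is visible in `$policies` (the opening of the array is garbled here), and `EntityPolicy` is not mapped to any model, so the generic `authorize('create', $this->model)` in `BaseController::authorizeUpdate` has no policy to consult for any non-Invoice model and would be denied outright rather than evaluated against `create_all`. If the other entities are meant to fall back to `EntityPolicy`, each needs its own `Model::class => EntityPolicy::class` entry here, or `InvoicePolicy` should extend it and be registered per model; the contents of `InvoicePolicy` are not recoverable from this page, so I cannot tell which was intended. A short comment on `$policies` stating that every model passed to `authorize()` must be listed would prevent the next entity being wired up without a mapping.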