- check if user is owner of file

- delete unnecessary models and web routes

app/Http/Controllers/BookController.php

@@ -1,82 +0,0 @@
-<?php
-namespace App\Http\Controllers;
-
-use App\Http\Requests;
-use App\Http\Controllers\Controller;
-use App\Book;
-use App\Models\Project;
-use App\Shelf;
-use App\Http\Requests\BookRequest;
-use Illuminate\Http\Request;
-use Illuminate\View\View;
-
-class BookController extends Controller
-{
-    public function __construct()
-    {
-        $this->middleware('auth');
-    }
-
-    public function index() : View
-    {
-        //$books = Book::with('category', 'shelf')->get();
-        $books = Book::with('project')->get();
-        return view('rdr.settings.book.book', compact('books'));
-    }
-
-    public function add()
-    {
-        $categories = Project::pluck('name', 'id');
-        $shelves = Shelf::pluck('shelf', 'id');
-    
-        $datum = date('Y-m-d');
-        $nowYear = substr($datum, 0, 4);
-        $years = array();
-        for ($jahr = 1990; $jahr <= $nowYear; $jahr++) {
-            $years[$jahr] = $jahr;
-        }
-        
-        return view('rdr.settings.book.add', compact('categories', 'shelves', 'years'));
-    }
-
-    public function store(BookRequest $request)
-    {
-        $input = $request->all();
-        $book = Book::create($input);
-        session()->flash('flash_message', 'You have been addded 1 book!');
-        return redirect()->route('settings.book');
-    }
-
-    public function edit($id)
-    {
-        $book = Book::findOrFail($id);
-        $categories = Project::pluck('name', 'id');
-        // $shelves = Shelf::pluck('shelf', 'id');
-        
-        $datum = date('Y-m-d');
-        $nowYear = substr($datum, 0, 4);
-        $years = array();
-        for ($jahr = 1990; $jahr <= $nowYear; $jahr++) {
-            $years[$jahr] = $jahr;
-        }
-        return view('rdr.settings.book.edit', compact('book', 'categories', 'years'));
-        //return view('rdr.settings.book.edit', compact('book', 'categories', 'shelves', 'years'));
-    }
-
-    public function update($id, BookRequest $request)
-    {
-        $book = Book::findOrFail($id);
-        $input = $request->all();
-        $book->update($input);
-        session()->flash('flash_message', 'You have updated 1 book!');
-        return redirect()->route('settings.book');
-    }
-
-    public function delete($id)
-    {
-        $book = Book::findOrFail($id);
-        $book->delete();
-        session()->flash('flash_message', 'You have deleted 1 book!');
-        return redirect()->route('settings.book');
-    }
-}

app/Http/Controllers/PeriodeController.php

@@ -1,58 +0,0 @@
-<?php
-namespace App\Http\Controllers;
-
-use App\Http\Requests;
-use App\Http\Controllers\Controller;
-use App\Periode;
-use App\Student;
-use App\Http\Requests\PeriodeRequest;
-use Illuminate\Http\Request;
-
-class PeriodeController extends Controller
-{
-
-    public function __construct()
-    {
-        $this->middleware('auth');
-    }
-
-    public function index()
-    {
-        $periodes = Periode::get();
-        return view('lms.settings.periode.periode', compact('periodes'));
-    }
-
-    public function edit($id)
-    {
-        $periode = Periode::findOrFail($id);
-        return view('lms.settings.periode.edit', compact('periode'));
-    }
-
-    public function update($id, PeriodeRequest $request)
-    {
-        $periode = Periode::findOrFail($id);
-
-        $input = $request->all();
-
-        $periode->update($input);
-
-        //process
-        $tglSekarang = time();
-
-        $students = Student::get();
-
-        foreach ($students as $student) {
-            $dateDiff = $tglSekarang - $student['registered_at'];
-            $durasi = floor($dateDiff/(60 * 60 * 24));
-            $periodes = Periode::first();
-            if ($durasi > $periodes['days']) {
-                $student->update(['status' => 0]);
-            } else {
-                $student->update(['status' => 1]);
-            }
-        }
-
-        session()->flash('flash_message', 'You have been updated periode!');
-        return redirect()->route('settings.periode');
-    }
-}

app/Http/Controllers/Publish/EditorController.php

@@ -116,7 +116,7 @@ class EditorController extends Controller
         $referenceTypes = ["rdr-id", "arXiv", "bibcode", "DOI", "EAN13", "EISSN", "Handle", "IGSN", "ISBN", "ISSN", "ISTC", "LISSN", "LSID", "PMID", "PURL", "UPC", "URL", "URN"];
         $referenceTypes = array_combine($referenceTypes, $referenceTypes);
 
-        $relationTypes = ["IsCitedBy", "Cites", "IsSupplementTo", "IsSupplementedBy", "IsContinuedBy", "Continues", "HasMetadata", "IsMetadataFor","IsNewVersionOf", "IsPreviousVersionOf", "IsPartOf", "HasPart", "IsReferencedBy", "References"]; 
+        $relationTypes = ["IsCitedBy", "Cites", "IsSupplementTo", "IsSupplementedBy", "IsContinuedBy", "Continues", "HasMetadata", "IsMetadataFor","IsNewVersionOf", "IsPreviousVersionOf", "IsPartOf", "HasPart", "IsReferencedBy", "References"];
         // "IsDocumentedBy", "Documents", "IsCompiledBy", "Compiles", "IsVariantFormOf", "IsOriginalFormOf", "IsIdenticalTo", "IsReviewedBy", "Reviews", "IsDerivedFrom", "IsSourceOf"];
         $relationTypes = array_combine($relationTypes, $relationTypes);
 

app/Http/Kernel.php

@@ -64,6 +64,7 @@ class Kernel extends HttpKernel
         'permission' => \Zizaco\Entrust\Middleware\EntrustPermission::class,
         'ability' => \Zizaco\Entrust\Middleware\EntrustAbility::class,
         'isUserDatasetAdmin' => \App\Http\Middleware\WebAuthorizeDataset::class,
+        'isUserFileOwner' => \App\Http\Middleware\WebAuthorizeFile::class,
         
     ];
 }

app/Http/Middleware/WebAuthorizeFile.php

@@ -0,0 +1,60 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Contracts\Auth\Guard;
+use App\Models\Dataset;
+use App\Models\User;
+use App\Models\File;
+
+class WebAuthorizeFile
+{
+    const DELIMITER = '|';
+
+    protected $auth;
+
+    /**
+     * Creates a new instance of the middleware.
+     *
+     * @param Guard $auth
+     */
+    public function __construct(Guard $auth)
+    {
+        $this->auth = $auth;
+    }
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle(\Illuminate\Http\Request $request, Closure $next)
+    {
+        // if ($this->auth->guest() || !$request->user()->can("Administrator")) {
+        //     abort(403);
+        // }
+        $userId = $this->auth->user()->id;
+        $fileId = $request->route('id');
+        $file = File::with('dataset')->findOrFail($fileId);
+        $datasetId = $file->dataset->id;
+               
+        if ($this->auth->guest() || !$this->isUserDatasetAdmin($userId, $datasetId)) {
+            abort(403, "You are not allowed to do this action!");
+        }
+        return $next($request);
+    }
+
+    private function isUserDatasetAdmin($userId, $datasetId)
+    {
+        $dataset = Dataset::with('user:id,login')->findOrFail($datasetId);
+        $user = User::findOrFail($userId);
+        if ($dataset->user->id == $user->id) { //} || $user->can("administrator")) {
+            return true;
+        } else {
+            return false;
+        }
+    }
+}

composer.lock

@@ -3909,16 +3909,16 @@
         },
         {
             "name": "phpunit/php-token-stream",
-            "version": "3.1.0",
+            "version": "3.1.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/php-token-stream.git",
-                "reference": "e899757bb3df5ff6e95089132f32cd59aac2220a"
+                "reference": "995192df77f63a59e47f025390d2d1fdf8f425ff"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/e899757bb3df5ff6e95089132f32cd59aac2220a",
-                "reference": "e899757bb3df5ff6e95089132f32cd59aac2220a",
+                "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/995192df77f63a59e47f025390d2d1fdf8f425ff",
+                "reference": "995192df77f63a59e47f025390d2d1fdf8f425ff",
                 "shasum": ""
             },
             "require": {
@@ -3954,7 +3954,7 @@
             "keywords": [
                 "tokenizer"
             ],
-            "time": "2019-07-25T05:29:42+00:00"
+            "time": "2019-09-17T06:23:10+00:00"
         },
         {
             "name": "phpunit/phpunit",

routes/web.php

@@ -251,6 +251,13 @@ Route::group(
     }
 );
 
+// //=============================================================================================================
+// //=================================================setting file=============================================
+Route::get('settings/file/download/{id}', [
+    'middleware' => ['isUserFileOwner'],
+    'as' => 'settings.file.download', 'uses' => 'Settings\FileController@download',
+]);
+
 //=================================================setting home - dashboard=======================================
 Route::get('settings/', [
     'as' => 'settings.dashboard', 'uses' => 'Settings\DashboardController@index',
@@ -275,11 +282,6 @@ Route::group(['middleware' => ['permission:settings']], function () {
     // Route::get('settings/file/download/{id}', [
     //     'as' => 'settings.file.download', 'uses' => 'Settings\DatasetController@download',
     // ]);
-    // //=============================================================================================================
-    // //=================================================setting file=============================================
-    Route::get('settings/file/download/{id}', [
-        'as' => 'settings.file.download', 'uses' => 'Settings\FileController@download',
-    ]);
 
     //=================================================setting mimetype=============================================
     Route::get('/settings/mimetype', [
@@ -499,38 +501,6 @@ Route::get('history', [
     'as' => 'borrow.history', 'uses' => 'BorrowController@histori',
 ]);
 
-//=========================================================================================================
-//=================================================setting periode=========================================
-Route::get('/settings/periode', [
-    'as' => 'settings.periode', 'uses' => 'PeriodeController@index',
-]);
-Route::get('settings/periode/edit/{id}', [
-    'as' => 'settings.periode.edit', 'uses' => 'PeriodeController@edit',
-]);
-Route::patch('settings/periode/edit/{id}', [
-    'as' => 'settings.periode.update', 'uses' => 'PeriodeController@update',
-]);
-
-//=============================================================================================================
-//=================================================setting book================================================
-Route::get('/settings/book', [
-    'as' => 'settings.book', 'uses' => 'BookController@index',
-]);
-Route::get('/settings/book/add', [
-    'as' => 'settings.book.add', 'uses' => 'BookController@add',
-]);
-Route::post('settings/book/add', [
-    'as' => 'settings.book.post', 'uses' => 'BookController@store',
-]);
-Route::get('settings/book/edit/{id}', [
-    'as' => 'settings.book.edit', 'uses' => 'BookController@edit',
-]);
-Route::patch('settings/book/edit/{id}', [
-    'as' => 'settings.book.update', 'uses' => 'BookController@update',
-]);
-Route::get('settings/book/delete/{id}', [
-    'as' => 'settings.book.delete', 'uses' => 'BookController@delete',
-]);
 
 //====================================authentication===========================================================================
 // Route::controllers([