From 7b34e57aee3c12256ecb02a514b2e16df37ae05c Mon Sep 17 00:00:00 2001 From: Arno Kaimbacher Date: Thu, 19 Sep 2019 13:22:05 +0200 Subject: [PATCH] - check if user is owner of file - delete unnecessary models and web routes --- app/Http/Controllers/BookController.php | 82 ------------------- app/Http/Controllers/PeriodeController.php | 58 ------------- .../Controllers/Publish/EditorController.php | 2 +- app/Http/Kernel.php | 1 + app/Http/Middleware/WebAuthorizeFile.php | 60 ++++++++++++++ composer.lock | 10 +-- routes/web.php | 44 ++-------- 7 files changed, 74 insertions(+), 183 deletions(-) delete mode 100755 app/Http/Controllers/BookController.php delete mode 100755 app/Http/Controllers/PeriodeController.php create mode 100644 app/Http/Middleware/WebAuthorizeFile.php diff --git a/app/Http/Controllers/BookController.php b/app/Http/Controllers/BookController.php deleted file mode 100755 index 86c5c04..0000000 --- a/app/Http/Controllers/BookController.php +++ /dev/null 
@@ -1,82 +0,0 @@ -middleware('auth'); - } - - public function index() : View - { - //$books = Book::with('category', 'shelf')->get(); - $books = Book::with('project')->get(); - return view('rdr.settings.book.book', compact('books')); - } - - public function add() - { - $categories = Project::pluck('name', 'id'); - $shelves = Shelf::pluck('shelf', 'id'); - - $datum = date('Y-m-d'); - $nowYear = substr($datum, 0, 4); - $years = array(); - for ($jahr = 1990; $jahr <= $nowYear; $jahr++) { - $years[$jahr] = $jahr; - } - - return view('rdr.settings.book.add', compact('categories', 'shelves', 'years')); - } - - public function store(BookRequest $request) - { - $input = $request->all(); - $book = Book::create($input); - session()->flash('flash_message', 'You have been addded 1 book!'); - return redirect()->route('settings.book'); - } - - public function edit($id) - { - $book = Book::findOrFail($id); - $categories = Project::pluck('name', 'id'); - // $shelves = Shelf::pluck('shelf', 'id'); - - $datum = date('Y-m-d'); - $nowYear = substr($datum, 0, 4); - $years = array(); - for ($jahr = 1990; $jahr <= $nowYear; $jahr++) { - $years[$jahr] = $jahr; - } - return view('rdr.settings.book.edit', compact('book', 'categories', 'years')); - //return view('rdr.settings.book.edit', compact('book', 'categories', 'shelves', 'years')); - } - - public function update($id, BookRequest $request) - { - $book = Book::findOrFail($id); - $input = $request->all(); - $book->update($input); - session()->flash('flash_message', 'You have updated 1 book!'); - return redirect()->route('settings.book'); - } - - public function delete($id) - { - $book = Book::findOrFail($id); - $book->delete(); - session()->flash('flash_message', 'You have deleted 1 book!'); - return redirect()->route('settings.book'); - } -} diff --git a/app/Http/Controllers/PeriodeController.php b/app/Http/Controllers/PeriodeController.php deleted file mode 100755 index 245cf90..0000000 
--- a/app/Http/Controllers/PeriodeController.php +++ /dev/null @@ -1,58 +0,0 @@ -middleware('auth'); - } - - public function index() - { - $periodes = Periode::get(); - return view('lms.settings.periode.periode', compact('periodes')); - } - - public function edit($id) - { - $periode = Periode::findOrFail($id); - return view('lms.settings.periode.edit', compact('periode')); - } - - public function update($id, PeriodeRequest $request) - { - $periode = Periode::findOrFail($id); - - $input = $request->all(); - - $periode->update($input); - - //process - $tglSekarang = time(); - - $students = Student::get(); - - foreach ($students as $student) { - $dateDiff = $tglSekarang - $student['registered_at']; - $durasi = floor($dateDiff/(60 * 60 * 24)); - $periodes = Periode::first(); - if ($durasi > $periodes['days']) { - $student->update(['status' => 0]); - } else { - $student->update(['status' => 1]); - } - } - - session()->flash('flash_message', 'You have been updated periode!'); - return redirect()->route('settings.periode'); - } -} diff --git a/app/Http/Controllers/Publish/EditorController.php b/app/Http/Controllers/Publish/EditorController.php index 417a4bd..9d7cc57 100644 --- a/app/Http/Controllers/Publish/EditorController.php +++ b/app/Http/Controllers/Publish/EditorController.php 
@@ -116,7 +116,7 @@ class EditorController extends Controller
         $referenceTypes = ["rdr-id", "arXiv", "bibcode", "DOI", "EAN13", "EISSN", "Handle", "IGSN", "ISBN", "ISSN", "ISTC", "LISSN", "LSID", "PMID", "PURL", "UPC", "URL", "URN"];
         $referenceTypes = array_combine($referenceTypes, $referenceTypes);
-        $relationTypes = ["IsCitedBy", "Cites", "IsSupplementTo", "IsSupplementedBy", "IsContinuedBy", "Continues", "HasMetadata", "IsMetadataFor","IsNewVersionOf", "IsPreviousVersionOf", "IsPartOf", "HasPart", "IsReferencedBy", "References"];
+        $relationTypes = ["IsCitedBy", "Cites", "IsSupplementTo", "IsSupplementedBy", "IsContinuedBy", "Continues", "HasMetadata", "IsMetadataFor","IsNewVersionOf", "IsPreviousVersionOf", "IsPartOf", "HasPart", "IsReferencedBy", "References"]; // "IsDocumentedBy", "Documents", "IsCompiledBy", "Compiles", "IsVariantFormOf", "IsOriginalFormOf", "IsIdenticalTo", "IsReviewedBy", "Reviews", "IsDerivedFrom", "IsSourceOf"];
         $relationTypes = array_combine($relationTypes, $relationTypes);
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index a0eca54..c986e10 100755
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -64,6 +64,7 @@ class Kernel extends HttpKernel
         'permission' => \Zizaco\Entrust\Middleware\EntrustPermission::class,
         'ability' => \Zizaco\Entrust\Middleware\EntrustAbility::class,
         'isUserDatasetAdmin' => \App\Http\Middleware\WebAuthorizeDataset::class,
+        'isUserFileOwner' => \App\Http\Middleware\WebAuthorizeFile::class,
     ];
 }
diff --git a/app/Http/Middleware/WebAuthorizeFile.php b/app/Http/Middleware/WebAuthorizeFile.php
new file mode 100644
index 0000000..f144e13
--- /dev/null
+++ b/app/Http/Middleware/WebAuthorizeFile.php
@@ -0,0 +1,60 @@
+auth = $auth;
+    }
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle(\Illuminate\Http\Request $request, Closure $next)
+    {
+        // if ($this->auth->guest() || !$request->user()->can("Administrator")) {
+        //     abort(403);
+        // }
+        $userId = $this->auth->user()->id;
+        $fileId = $request->route('id');
+        $file = File::with('dataset')->findOrFail($fileId);
+        $datasetId = $file->dataset->id;
+
+        if ($this->auth->guest() || !$this->isUserDatasetAdmin($userId, $datasetId)) {
+            abort(403, "You are not allowed to do this action!");
+        }
+        return $next($request);
+    }
+
+    private function isUserDatasetAdmin($userId, $datasetId)
+    {
+        $dataset = Dataset::with('user:id,login')->findOrFail($datasetId);
+        $user = User::findOrFail($userId);
+        if ($dataset->user->id == $user->id) { //} || $user->can("administrator")) {
+            return true;
+        } else {
+            return false;
+        }
+    }
+}
diff --git a/composer.lock b/composer.lock
index abf6737..3189e76 100755
--- a/composer.lock
+++ b/composer.lock
@@ -3909,16 +3909,16 @@
         },
         {
             "name": "phpunit/php-token-stream",
-            "version": "3.1.0",
+            "version": "3.1.1",
             "source": {
                 "type": "git",
                 "url": "https://github.com/sebastianbergmann/php-token-stream.git",
-                "reference": "e899757bb3df5ff6e95089132f32cd59aac2220a"
+                "reference": "995192df77f63a59e47f025390d2d1fdf8f425ff"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/e899757bb3df5ff6e95089132f32cd59aac2220a",
-                "reference": "e899757bb3df5ff6e95089132f32cd59aac2220a",
+                "url": "https://api.github.com/repos/sebastianbergmann/php-token-stream/zipball/995192df77f63a59e47f025390d2d1fdf8f425ff",
+                "reference": "995192df77f63a59e47f025390d2d1fdf8f425ff",
                 "shasum": ""
             },
             "require": {
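Review bot: In `handle`, `$this->auth->user()->id` and `File::with('dataset')->findOrFail($fileId)` execute before the `$this->auth->guest()` test, so an unauthenticated request dereferences a null user (an exception, not the intended 403), and even once that is patched the 404 from `findOrFail` would tell an unauthorized caller whether a file id exists before any ownership check. Move the guest check to the top of the method and abort before touching the user or the database; `$file->dataset->id` also assumes every file has a dataset, which nothing in the hunk establishes, so guard the null rather than fault. In `isUserDatasetAdmin`, `$dataset->user->id == $user->id` is a loose comparison and `User::findOrFail($userId)` only re-fetches an id the caller already holds; `$dataset->user->id === (int) $userId` would suffice, but that method is left as is below. The file's opening lines (namespace, imports, constructor header) are cut off at the start of the hunk.
```php
    public function handle(\Illuminate\Http\Request $request, Closure $next)
    {
        // Authenticate first: user() is null for guests, and the 404 from
        // findOrFail must not be reachable before the caller is known.
        if ($this->auth->guest()) {
            abort(403, "You are not allowed to do this action!");
        }
        $userId = $this->auth->user()->id;
        $file = File::with('dataset')->findOrFail($request->route('id'));
        // A file without a dataset has no owner to compare against: deny.
        if ($file->dataset === null || !$this->isUserDatasetAdmin($userId, $file->dataset->id)) {
            abort(403, "You are not allowed to do this action!");
        }
        return $next($request);
    }
    // … unchanged: isUserDatasetAdmin …
```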
@@ -3954,7 +3954,7 @@
             "keywords": [
                 "tokenizer"
             ],
-            "time": "2019-07-25T05:29:42+00:00"
+            "time": "2019-09-17T06:23:10+00:00"
         },
         {
             "name": "phpunit/phpunit",
diff --git a/routes/web.php b/routes/web.php
index 2650b62..4b2776a 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -251,6 +251,13 @@ Route::group(
     }
 );
+// //=============================================================================================================
+// //=================================================setting file=============================================
+Route::get('settings/file/download/{id}', [
+    'middleware' => ['isUserFileOwner'],
+    'as' => 'settings.file.download', 'uses' => 'Settings\FileController@download',
+]);
+
 //=================================================setting home - dashboard=======================================
 Route::get('settings/', [
     'as' => 'settings.dashboard', 'uses' => 'Settings\DashboardController@index',
@@ -275,11 +282,6 @@ Route::group(['middleware' => ['permission:settings']], function () {
     // Route::get('settings/file/download/{id}', [
     //     'as' => 'settings.file.download', 'uses' => 'Settings\DatasetController@download',
     // ]);
-    // //=============================================================================================================
-    // //=================================================setting file=============================================
-    Route::get('settings/file/download/{id}', [
-        'as' => 'settings.file.download', 'uses' => 'Settings\FileController@download',
-    ]);
     //=================================================setting mimetype=============================================
     Route::get('/settings/mimetype', [
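Review bot: The relocated `settings.file.download` route in the `@@ -251` hunk lists only `isUserFileOwner` as middleware, and it now sits outside the `permission:settings` group it used to live in; whether an enclosing `auth` group still wraps this position is not visible in the hunk (the `Route::group(` context closes with `);` immediately before the insertion), so the ownership middleware may be the only gate and it presupposes an authenticated user. State the requirement on the route itself rather than rely on the surrounding group: `'middleware' => ['auth', 'isUserFileOwner'],`. Dropping `permission:settings` in favour of an ownership check appears intentional and the old definition is removed in the second hunk, so the route name is declared once.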
@@ -499,38 +501,6 @@ Route::get('history', [
     'as' => 'borrow.history', 'uses' => 'BorrowController@histori',
 ]);
-//=========================================================================================================
-//=================================================setting periode=========================================
-Route::get('/settings/periode', [
-    'as' => 'settings.periode', 'uses' => 'PeriodeController@index',
-]);
-Route::get('settings/periode/edit/{id}', [
-    'as' => 'settings.periode.edit', 'uses' => 'PeriodeController@edit',
-]);
-Route::patch('settings/periode/edit/{id}', [
-    'as' => 'settings.periode.update', 'uses' => 'PeriodeController@update',
-]);
-
-//=============================================================================================================
-//=================================================setting book================================================
-Route::get('/settings/book', [
-    'as' => 'settings.book', 'uses' => 'BookController@index',
-]);
-Route::get('/settings/book/add', [
-    'as' => 'settings.book.add', 'uses' => 'BookController@add',
-]);
-Route::post('settings/book/add', [
-    'as' => 'settings.book.post', 'uses' => 'BookController@store',
-]);
-Route::get('settings/book/edit/{id}', [
-    'as' => 'settings.book.edit', 'uses' => 'BookController@edit',
-]);
-Route::patch('settings/book/edit/{id}', [
-    'as' => 'settings.book.update', 'uses' => 'BookController@update',
-]);
-Route::get('settings/book/delete/{id}', [
-    'as' => 'settings.book.delete', 'uses' => 'BookController@delete',
-]);
 //====================================authentication===========================================================================
 // Route::controllers([