ensure only admin and owner can change role, and password, unless it …
…is yourself
Bottelet committed Jun 25, 2021
1 parent a0392f4 commit fe842ea
Showing 3 changed files with 31 additions and 2 deletions.
14 changes: 13 additions & 1 deletion app/Http/Controllers/UsersController.php
Expand Up @@ -40,6 +40,10 @@ public function index()

public function calendarUsers()
{
if (!auth()->user()->can('absence-view')) {
session()->flash('flash_message_warning', __('You do not have permission to view this page'));
return redirect()->back();
}
return User::with(['department', 'absences' => function ($q) {
return $q->whereBetween('start_at', [today()->subWeeks(2)->startOfDay(), today()->addWeeks(4)->endOfDay()])
->orWhereBetween('end_at', [today()->subWeeks(2)->startOfDay(), today()->addWeeks(4)->endOfDay()]);
Expand Down Expand Up @@ -244,6 +248,12 @@ public function update($external_id, UpdateUserRequest $request)
$password = bcrypt($request->password);
$role = $request->roles;
$department = $request->departments;

if( !auth()->user()->canChangePasswordOn($user) ) {
unset($request['password']);
}


if ($request->hasFile('image_path')) {
$companyname = Setting::first()->external_id;
$file = $request->file('image_path');
Expand Down Expand Up @@ -273,7 +283,9 @@ public function update($external_id, UpdateUserRequest $request)
if ($role && $role->name == Role::OWNER_ROLE && $owners->count() <= 1) {
Session()->flash('flash_message_warning', __('Not able to change owner role, please choose a new owner first'));
} else {
$user->roles()->sync([$request->roles]);
if(auth()->user()->canChangeRole() ) {
$user->roles()->sync([$request->roles]);
}
}
$user->department()->sync([$department]);

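Review bot: The guard added at `if( !auth()->user()->canChangePasswordOn($user) )` runs after `$password = bcrypt($request->password);` has already been derived from the submitted value, so unsetting `password` on the request only helps if nothing below this hunk uses `$password`; update() continues past the hunk, so please confirm, and in any case move the `$password = bcrypt($request->password);` line below the guard so the hash is only computed once authorization has passed. Silently dropping the field also hides the attempt from the caller and from any audit trail; aborting with 403, or rejecting the request in `UpdateUserRequest::authorize()`, makes the denial explicit. The same silent-ignore pattern applies to the `canChangeRole()` check in the third hunk, where an unauthorized role submission is neither synced nor reported.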
13 changes: 13 additions & 0 deletions app/Models/User.php
Expand Up @@ -98,6 +98,19 @@ public function tokens()
return $this->hasMany(Token::class, 'user_id', 'id');
}

public function canChangePasswordOn(User $user)
{
if($this->id === $user->id || ( $this->roles->first()->name == Role::OWNER_ROLE || $this->roles->first()->name == Role::ADMIN_ROLE)) {
return true;
}

return false;
}

public function canChangeRole()
{
return $this->roles->first()->name == Role::OWNER_ROLE || $this->roles->first()->name == Role::ADMIN_ROLE;
}


public function isOnline()
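Review bot: Both new methods dereference `$this->roles->first()->name` without checking that the user has any role attached, so a user with no role would trigger an error on null rather than get `false`; they also compare role names with loose `==` and declare no `bool` return type. `canChangePasswordOn` duplicates the owner/admin test that `canChangeRole` already expresses and can delegate to it. Note too that `canChangeRole()` receives neither the target user nor the requested role, so as far as this hunk and the controller hunk show, an admin editing their own record could assign themselves `Role::OWNER_ROLE`; if that is not intended, the check needs the requested role as input. Suggested rewrite of both methods:
```php
public function canChangePasswordOn(User $user): bool
{
    return $this->id === $user->id || $this->canChangeRole();
}

public function canChangeRole(): bool
{
    // A user with no role attached gets null from first(); treat that as "no".
    $role = $this->roles->first();

    return $role !== null
        && in_array($role->name, [Role::OWNER_ROLE, Role::ADMIN_ROLE], true);
}
```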
6 changes: 5 additions & 1 deletion resources/views/users/form.blade.php
Expand Up @@ -61,10 +61,11 @@
<div class="col-sm-12">
<hr>
</div>

@if(isset($user) && auth()->user()->canChangePasswordOn($user))
<div class="col-sm-3">
<label for="name" class="base-input-label">@lang('Security')</label>
</div>

<div class="col-sm-9">
<div class="form-group col-sm-8">
<label for="password" class="control-label thin-weight">@lang('Password')</label>
Expand All @@ -75,13 +76,15 @@
<input type="password" name="password_confirmation" class="form-control" value="">
</div>
</div>
@endif
<div class="col-sm-12">
<hr>
</div>
<div class="col-sm-3">
<label for="name" class="base-input-label">@lang('Access')</label>
</div>
<div class="col-sm-9">
@if(isset($user) && auth()->user()->canChangeRole())
<div class="form-group col-sm-8">
<label for="roles" class="control-label thin-weight">@lang('Assign role')</label>
<select name="roles" id="" class="form-control">
Expand All @@ -90,6 +93,7 @@
@endforeach
</select>
</div>
@endif
<div class="form-group col-sm-8">
<label for="departments" class="control-label thin-weight">@lang('Assign department')</label>
<select name="departments" id="" class="form-control">
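Review bot: Both new `@if` conditions require `isset($user)`, so when this template is rendered for a create form (no `$user`) the password inputs and the role select disappear entirely; if the form is shared with the create flow, the conditions should pass through when no user exists yet, e.g. `@if(!isset($user) || auth()->user()->canChangePasswordOn($user))` and likewise `@if(!isset($user) || auth()->user()->canChangeRole())`. Hiding the inputs is only a usability measure, since a request can still carry `password` and `roles` fields, so the server-side checks in the controller remain the actual enforcement and must not be relaxed on the assumption that the fields are absent.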
