work on user role

dbarzin · Nov 20, 2023 · 35aef83 · 35aef83
1 parent e2b2543
commit 35aef83
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 14 deletions.
diff --git a/app/Http/Controllers/ControlController.php b/app/Http/Controllers/ControlController.php
@@ -263,8 +263,8 @@ public function show(int $id)
             (
                 (Auth::User()->role === 5)&&
                 !DB::table('control_user')
-                    ->where('user_id',$id)
-                    ->where('control_id',Auth::User()->id)
+                    ->where('control_id', $id)
+                    ->where('user_id', Auth::User()->id)
                     ->exists()
             ), Response::HTTP_FORBIDDEN, '403 Forbidden');
 

diff --git a/app/Http/Controllers/GlobalSearchController.php b/app/Http/Controllers/GlobalSearchController.php
@@ -3,7 +3,9 @@
 namespace App\Http\Controllers;
 
 use Illuminate\Http\Request;
+use Illuminate\Http\Response;
 use Illuminate\Support\Str;
+use Illuminate\Support\Facades\Auth;
 
 class GlobalSearchController extends Controller
 {
@@ -15,6 +17,9 @@ class GlobalSearchController extends Controller
 
     public function search(Request $request)
     {
+        // Not for API
+        abort_if(Auth::User()->role === 4, Response::HTTP_FORBIDDEN, '403 Forbidden');
+
         $term = $request->input('search');
         if ($term === null) {
             return redirect()->back();
@@ -23,13 +28,33 @@ public function search(Request $request)
         $searchableData = [];
 
         foreach ($this->models as $model) {
+            // user does not search on domain and measures
+            if (
+                    (Auth::User()->role===5)&&
+                    (
+                        ($model=='App\\Models\\Domain')||
+                        ($model=='App\\Models\\Measure')
+                    )
+                )
+                continue;
+
             $query = $model::query();
             $fields = $model::$searchable;
 
+            // user only search on assigned controls
+            if (Auth::User()->role===5)
+            $query = $query
+                ->join('control_user', 'controls.id', '=', 'control_user.control_id')
+                ->where('control_user.user_id','=',Auth::User()->id);
+
+
             foreach ($fields as $field) {
                 $query->orWhere($field, 'LIKE', '%' . $term . '%');
             }
 
+
+            // newest first
+            $query->orderBy('id','desc');
             $results = $query->take(20)->get();
 
             foreach ($results as $result) {

diff --git a/app/Http/Controllers/MeasureController.php b/app/Http/Controllers/MeasureController.php
@@ -24,6 +24,12 @@ class MeasureController extends Controller
      */
     public function index(Request $request)
     {
+        // Not for Auditor, API and auditee
+        abort_if(
+            (Auth::User()->role === 4)||
+            (Auth::User()->role === 5),
+            Response::HTTP_FORBIDDEN, '403 Forbidden');
+
         $domains = Domain::All();
 
         $domain = $request->get('domain');
@@ -156,11 +162,19 @@ public function store(Request $request)
      */
     public function show(int $id)
     {
-        // Not for Auditor, API and auditee
+        // Not for API
         abort_if(
-            (Auth::User()->role === 3)||
-            (Auth::User()->role === 4)||
-            (Auth::User()->role === 5),
+            (Auth::User()->role === 4),
+            Response::HTTP_FORBIDDEN, '403 Forbidden');
+
+        // user must have and assigned controls
+        abort_if(
+            (Auth::User()->role === 5) &&
+            !DB::table('controls')
+                ->where('measure_id',$id)
+                ->leftjoin('control_user', 'control_id', '=', 'controls.id')
+                ->where('user_id', Auth::User()->id)
+                ->exists(),
             Response::HTTP_FORBIDDEN, '403 Forbidden');
 
         $measure = Measure::where('id', $id)->get()->first();

diff --git a/resources/views/controls/show.blade.php b/resources/views/controls/show.blade.php
@@ -76,7 +76,7 @@
     		<div class="cell-1">
     			<strong>{{ trans("common.previous") }}</strong>
     			<br>
-	    		<strong>{{ trans("common.next") }}</strong>	    		
+	    		<strong>{{ trans("common.next") }}</strong>
 	    	</div>
 			<div class="cell-1">
 		    	@if ($prev_id!=null)
@@ -160,12 +160,12 @@
 	                    &#9899;
 	                @endif
 					&nbsp; - &nbsp;
-					@if ($control->score==1) 
+					@if ($control->score==1)
 						{{ trans("common.red") }}
-					@elseif ($control->score==2) 
+					@elseif ($control->score==2)
 						{{ trans("common.orange") }}
-					@elseif ($control->score==3) 
-						{{ trans("common.green") }}						
+					@elseif ($control->score==3)
+						{{ trans("common.green") }}
 					@endif
 				</div>
 			</div>
@@ -212,16 +212,18 @@
 
    	<div class="row">
    		<div class="cell-7">
-			@if ((Auth::User()->role==1)||(Auth::User()->role==2))
+			@if ((Auth::User()->role===1)||(Auth::User()->role===2)||(Auth::User()->role===5))
 				@if ($control->realisation_date==null)
 			    <form action="/bob/make/{{ $control->id }}">
 		    		<button class="button success">
 						<span class="mif-assignment"></span>
-						&nbsp;	    			
+						&nbsp;
 			    		{{ trans("common.make") }}
 			    	</button>
 				</form>
 				&nbsp;
+            @endif
+            @if ((Auth::User()->role===1)||(Auth::User()->role===2))
 			    <form action="/bob/plan/{{ $control->id }}">
 		    		<button class="button info">
 						<span class="mif-calendar"></span>

diff --git a/resources/views/measures/show.blade.php b/resources/views/measures/show.blade.php
@@ -90,7 +90,7 @@
 		</div>
 
 		<div class="form-group">
-			@if (Auth::User()->role !== 3)
+			@if (Auth::User()->role === 1)
 		    <form action="/alice/plan/{{ $measure->id }}">
 		    	<button class="button info">
 		            <span class="mif-calendar"></span>