Merge 32e24da into 43ee54e

README.md

@@ -157,6 +157,14 @@ return [
      */
 
     'log_registration_exception' => true,
+
+    /*
+     * When set to true, the required permission/role names are added to the exception
+     * message. This could be considered an information leak in some contexts, so
+     * the default setting is false here for optimum safety.
+     */
+
+    'display_permission_in_exception' => false,
 ];
 ```
 

composer.json

@@ -40,7 +40,7 @@
         "codeclimate/php-test-reporter": "^0.4.4",
         "monolog/monolog": "^1.23",
         "orchestra/testbench": "^3.2.0",
-        "phpunit/phpunit": "^5.7|^6.0",
+        "phpunit/phpunit": "^5.7|^6.0|^7.0",
         "squizlabs/php_codesniffer": "^3.1"
     },
     "autoload": {

config/permission.php

@@ -53,4 +53,21 @@
      */
 
     'cache_expiration_time' => 60 * 24,
+
+    /*
+     * By default we'll make an entry in the application log when the permissions
+     * could not be loaded. Normally this only occurs while installing the packages.
+     *
+     * If for some reason you want to disable that logging, set this value to false.
+     */
+
+    'log_registration_exception' => true,
+
+    /*
+     * When set to true, the required permission/role names are added to the exception
+     * message. This could be considered an information leak in some contexts, so
+     * the default setting is false here for optimum safety.
+     */
+
+    'display_permission_in_exception' => false,
 ];

src/Exceptions/UnauthorizedException.php

@@ -2,7 +2,6 @@
 
 namespace Maklad\Permission\Exceptions;
 
-use http\Exception;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 
 /**
@@ -11,20 +10,47 @@
  */
 class UnauthorizedException extends HttpException
 {
+    private $requiredRoles = [];
+    private $requiredPermissions = [];
 
     /**
      * UnauthorizedException constructor.
      *
      * @param $statusCode
      * @param null $message
+     * @param array $requiredRoles
+     * @param array $requiredPermissions
      */
-    public function __construct($statusCode, $message = null)
+    public function __construct($statusCode, $message = null, $requiredRoles = [], $requiredPermissions = [])
     {
         parent::__construct($statusCode, $message);
 
         if (\config('permission.log_registration_exception')) {
             $logger = \app('log');
             $logger->alert($message);
         }
+
+        $this->requiredRoles       = $requiredRoles;
+        $this->requiredPermissions = $requiredPermissions;
+    }
+
+    /**
+     * Return Required Roles
+     *
+     * @return array
+     */
+    public function getRequiredRoles(): array
+    {
+        return $this->requiredRoles;
+    }
+
+    /**
+     * Return Required Permissions
+     *
+     * @return array
+     */
+    public function getRequiredPermissions(): array
+    {
+        return $this->requiredPermissions;
     }
 }

src/Exceptions/UnauthorizedPermission.php

@@ -8,4 +8,15 @@
  */
 class UnauthorizedPermission extends UnauthorizedException
 {
+    /**
+     * UnauthorizedPermission constructor.
+     *
+     * @param $statusCode
+     * @param null $message
+     * @param array $requiredPermissions
+     */
+    public function __construct($statusCode, $message = null, $requiredPermissions = [])
+    {
+        parent::__construct($statusCode, $message, [], $requiredPermissions);
+    }
 }

src/Exceptions/UnauthorizedRole.php

@@ -8,4 +8,15 @@
  */
 class UnauthorizedRole extends UnauthorizedException
 {
+    /**
+     * UnauthorizedPermission constructor.
+     *
+     * @param $statusCode
+     * @param null $message
+     * @param array $requiredRoles
+     */
+    public function __construct($statusCode, $message = null, $requiredRoles = [])
+    {
+        parent::__construct($statusCode, $message, $requiredRoles);
+    }
 }

src/Helpers.php

@@ -87,7 +87,12 @@ public function getRoleDoesNotExistMessage(string $name, string $guardName): str
      */
     public function getUnauthorizedRoleMessage(string $roles): string
     {
-        return "User does not have the right roles `{$roles}`.";
+        $message = "User does not have the right roles `{$roles}`.";
+        if (! config('permission.display_permission_in_exception')) {
+            $message = 'User does not have the right roles.';
+        }
+
+        return $message;
     }
 
     /**
@@ -97,7 +102,12 @@ public function getUnauthorizedRoleMessage(string $roles): string
      */
     public function getUnauthorizedPermissionMessage(string $permissions): string
     {
-        return "User does not have the right permissions `{$permissions}`.";
+        $message = "User does not have the right permissions `{$permissions}`.";
+        if (! config('permission.display_permission_in_exception')) {
+            $message = 'User does not have the right permissions.';
+        }
+
+        return $message;
     }
 
     /**

src/Middlewares/PermissionMiddleware.php

@@ -4,6 +4,7 @@
 namespace Maklad\Permission\Middlewares;
 
 use Closure;
+use Maklad\Permission\Exceptions\UnauthorizedPermission;
 use Maklad\Permission\Exceptions\UserNotLoggedIn;
 use Maklad\Permission\Helpers;
 
@@ -33,7 +34,11 @@ public function handle($request, Closure $next, $permission)
 
         if (! app('auth')->user()->hasAnyPermission($permissions)) {
             $helpers = new Helpers();
-            throw new UserNotLoggedIn(403, $helpers->getUnauthorizedPermissionMessage(implode(', ', $permissions)));
+            throw new UnauthorizedPermission(
+                403,
+                $helpers->getUnauthorizedPermissionMessage(implode(', ', $permissions)),
+                $permissions
+            );
         }
 
         return $next($request);

src/Middlewares/RoleMiddleware.php

@@ -4,6 +4,7 @@
 namespace Maklad\Permission\Middlewares;
 
 use Closure;
+use Maklad\Permission\Exceptions\UnauthorizedRole;
 use Maklad\Permission\Exceptions\UserNotLoggedIn;
 use Maklad\Permission\Helpers;
 
@@ -32,7 +33,7 @@ public function handle($request, Closure $next, $role)
 
         if (! app('auth')->user()->hasAnyRole($roles)) {
             $helpers = new Helpers();
-            throw new UserNotLoggedIn(403, $helpers->getUnauthorizedRoleMessage(implode(', ', $roles)));
+            throw new UnauthorizedRole(403, $helpers->getUnauthorizedRoleMessage(implode(', ', $roles)), $roles);
         }
 
         return $next($request);

tests/HasPermissionsTest.php

@@ -24,7 +24,7 @@ public function it_throws_an_exception_when_assigning_a_permission_that_does_not
         $can_logs = [true, false];
 
         foreach ($can_logs as $can_log) {
-            $this->app['config']->set('permission.log_registration_exception', $can_log);
+            config('permission.log_registration_exception', $can_log);
 
             try {
                 $this->expectException(PermissionDoesNotExist::class);
@@ -43,7 +43,7 @@ public function it_throws_an_exception_when_assigning_a_permission_to_a_user_fro
         $can_logs = [true, false];
 
         foreach ($can_logs as $can_log) {
-            $this->app['config']->set('permission.log_registration_exception', $can_log);
+            config('permission.log_registration_exception', $can_log);
 
             try {
                 $this->expectException(GuardDoesNotMatch::class);

tests/HasRolesTest.php

@@ -66,7 +66,7 @@ public function it_throws_an_exception_when_assigning_a_role_that_does_not_exist
         $can_logs = [true, false];
 
         foreach ($can_logs as $can_log) {
-            $this->app['config']->set('permission.log_registration_exception', $can_log);
+            config('permission.log_registration_exception', $can_log);
 
             try {
                 $this->expectException(RoleDoesNotExist::class);
@@ -85,7 +85,7 @@ public function it_can_only_assign_roles_from_the_correct_guard()
         $can_logs = [true, false];
 
         foreach ($can_logs as $can_log) {
-            $this->app['config']->set('permission.log_registration_exception', $can_log);
+            config('permission.log_registration_exception', $can_log);
 
             try {
                 $this->expectException(RoleDoesNotExist::class);
@@ -104,7 +104,7 @@ public function it_throws_an_exception_when_assigning_a_role_from_a_different_gu
         $can_logs = [true, false];
 
         foreach ($can_logs as $can_log) {
-            $this->app['config']->set('permission.log_registration_exception', $can_log);
+            config('permission.log_registration_exception', $can_log);
 
             try {
                 $this->expectException(GuardDoesNotMatch::class);
@@ -169,7 +169,7 @@ public function it_throws_an_exception_when_syncing_a_role_from_another_guard()
         $can_logs = [true, false];
 
         foreach ($can_logs as $can_log) {
-            $this->app['config']->set('permission.log_registration_exception', $can_log);
+            config('permission.log_registration_exception', $can_log);
 
             try {
                 $this->expectException(GuardDoesNotMatch::class);
@@ -323,7 +323,7 @@ public function it_throws_an_exception_when_the_permission_does_not_exist()
         $can_logs = [true, false];
 
         foreach ($can_logs as $can_log) {
-            $this->app['config']->set('permission.log_registration_exception', $can_log);
+            config('permission.log_registration_exception', $can_log);
 
             try {
                 $this->expectException(PermissionDoesNotExist::class);
@@ -342,7 +342,7 @@ public function it_throws_an_exception_when_the_permission_does_not_exist_for_th
         $can_logs = [true, false];
 
         foreach ($can_logs as $can_log) {
-            $this->app['config']->set('permission.log_registration_exception', $can_log);
+            config('permission.log_registration_exception', $can_log);
 
             try {
                 $this->expectException(PermissionDoesNotExist::class);