Update Auth Filters

rydurham · Nov 19, 2013 · af97a7a · af97a7a
1 parent fae01ba
commit af97a7a
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 13 deletions.
diff --git a/app/controllers/GroupController.php b/app/controllers/GroupController.php
@@ -20,7 +20,7 @@ public function __construct(GroupInterface $group, GroupForm $groupForm)
 		$this->groupForm = $groupForm;
 
 		// Establish Filters
-		$this->beforeFilter('admin_auth');
+		$this->beforeFilter('inGroup:Admins');
 	}
 
 	/**

diff --git a/app/controllers/UserController.php b/app/controllers/UserController.php
@@ -46,7 +46,9 @@ public function __construct(
 		$this->beforeFilter('csrf', array('on' => 'post'));
 
 		// Set up Auth Filters
-		 $this->beforeFilter('auth', array('except' => array('create', 'store', 'activate', 'resend', 'forgot', 'reset')));
+		$this->beforeFilter('auth', array('only' => array('show', 'update', 'change')));
+		$this->beforeFilter('inGroup:Admins', array('only' => array('index', 'destroy', 'suspend', 'unsuspend', 'ban', 'unban', 'edit')));
+		//array('except' => array('create', 'store', 'activate', 'resend', 'forgot', 'reset')));
 	}
 
 

diff --git a/app/filters.php b/app/filters.php
@@ -35,23 +35,42 @@
 
 Route::filter('auth', function()
 {
-	if (!Sentry::check()) return Redirect::to('login');
+	if (!Sentry::check()) return Redirect::route('login');
 });
 
-Route::filter('admin_auth', function()
+Route::filter('inGroup', function($route, $request, $value)
 {
-	if (!Sentry::check())
+	if (!Sentry::check()) return Redirect::route('login');
+
+	// we need to determine if a non admin user 
+	// is trying to access their own account.
+    $userId = $route->getParameter('users');
+
+	try
 	{
-		// if not logged in, redirect to login
-		return Redirect::to('login');
+		$user = Sentry::getUser();
+
+		$group = Sentry::findGroupByName($value);
+
+		if ($userId != Session::get('userId') && (! $user->inGroup($group))  )
+		{
+			Session::flash('error', trans('users.noaccess'));
+			return Redirect::route('home');
+		}
 	}
-
-	if (!Sentry::getUser()->hasAccess('admin'))
+	catch (Cartalyst\Sentry\Users\UserNotFoundException $e)
+	{
+		Session::flash('error', trans('users.notfound'));
+		return Redirect::route('login');
+	}
+
+	catch (Cartalyst\Sentry\Groups\GroupNotFoundException $e)
 	{
-		// has no access
-		return Response::make('Access Forbidden', '403');
+		Session::flash('error', trans('groups.notfound'));
+		return Redirect::route('login');
 	}
 });
+// thanks to http://laravelsnippets.com/snippets/sentry-route-filters
 
 /*
 |--------------------------------------------------------------------------

diff --git a/app/lang/en/users.php b/app/lang/en/users.php
@@ -16,6 +16,8 @@
 
 	'notfound'		=>	"User not found",
 
+	'noaccess'		=>	"You are not allowed to do that.",
+
 	'updated'		=>	"Profile updated",
 
 	'notupdated'	=>	"Unable to update profile",

diff --git a/app/routes.php b/app/routes.php
@@ -45,10 +45,10 @@
 // Group Routes
 Route::resource('groups', 'GroupController');
 
-Route::get('/', function()
+Route::get('/', array('as' => 'home', function()
 {
 	return View::make('home');
-});
+}));
 
 
 // App::missing(function($exception)