diff --git a/app/Http/Controllers/Admin/UserController.php b/app/Http/Controllers/Admin/UserController.php
index d53dd54..10fa4b3 100644
--- a/app/Http/Controllers/Admin/UserController.php
+++ b/app/Http/Controllers/Admin/UserController.php
@@ -79,8 +79,27 @@ class UserController extends XController
 */
 public function edit(User $item)
 {
+ $routes = [];
+ foreach (\Route::getRoutes()->getRoutes() as $route) {
+ $action = $route->getAction();
+ if (array_key_exists('as', $action)) {
+ $routeName = explode('.', $action['as']);
+ if (isset($routeName[2]) && $routeName[0] == 'admin') {
+ if (!isset($routes[$routeName[1]])) {
+ $routes[$routeName[1]] = [];
+ if ($routeName[2] != 'edit' && $routeName[2] != 'create')
+ $routes[$routeName[1]][] = $routeName[2];
+
+ } else {
+ if ($routeName[2] != 'edit' && $routeName[2] != 'create')
+ $routes[$routeName[1]][] = $routeName[2];
+ }
+ }
+ }
+ }
+ unset($routes['home'], $routes['user'], $routes['ckeditor'],$routes['area'],$routes['lang'],$routes['gfx']);
 //
- return view($this->formView, compact('item'));
+ return view($this->formView, compact('item','routes'));
 }
 
 public function bulk(Request $request)
diff --git a/app/Http/Middleware/Acl.php b/app/Http/Middleware/Acl.php
index 11deca3..26a9c6e 100644
--- a/app/Http/Middleware/Acl.php
+++ b/app/Http/Middleware/Acl.php
@@ -8,6 +8,8 @@ use Symfony\Component\HttpFoundation\Response;
 class Acl
 {
+
+ private $excepts = ['ckeditor', 'home'];
 /**
 * Handle an incoming request.
 *
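Review bot: The two branches of the inner `if (!isset($routes[$routeName[1]]))` in `edit()` apply the same `edit`/`create` filter, so the nesting can collapse to an initialise-then-append with guard clauses, and the brace-less `if` statements and loose `==`/`!=` comparisons on route-name segments should become braced, strict checks. The hard-coded exclusion list in the `unset()` call overlaps with, but is not identical to, the `$excepts` list that `Acl` keeps (`ckeditor`, `home`), so consider one shared constant that both the form builder and the middleware read; otherwise the two lists will drift as route groups are added, and a group hidden here can never be granted through the UI while still being enforced by the middleware. The rest of the class lies outside the hunk.
```php
$routes = [];
foreach (\Route::getRoutes()->getRoutes() as $route) {
    $action = $route->getAction();
    if (!array_key_exists('as', $action)) {
        continue;
    }
    $routeName = explode('.', $action['as']);
    if (!isset($routeName[2]) || $routeName[0] !== 'admin') {
        continue;
    }
    $routes[$routeName[1]] ??= [];
    if (!in_array($routeName[2], ['edit', 'create'], true)) {
        $routes[$routeName[1]][] = $routeName[2];
    }
}
// … unchanged: unset() of excluded groups and the view() return …
```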
@@ -15,6 +17,31 @@ class Acl
 */
 public function handle(Request $request, Closure $next): Response
 {
+ $route = \Route::getCurrentRoute();
+ // check admin page & user is not super admin
+ if (auth()->check() && isset($route->action['as'])) {
+ // explode user request to process
+ $requestPath = explode('.', $route->action['as']);
+ // ignore admin and not admin page
+ if ($requestPath[0] == 'admin' && !auth()->user()->hasRole('developer') && !auth()->user()->hasRole('admin')) {
+ // check excpet and has 3 routes and has user acceess
+ if (!in_array($requestPath[1], $this->excepts) &&
+ isset($requestPath[2]) &&
+ !auth()->user()->hasAccess($route->action['as'])) {
+ return abort(403, __("You dont't have acccess this action"));
+ }
+ // check delete or destroy with bulk action
+ if (isset($requestPath[2]) && $requestPath[2] == 'bulk' && $request->input('bulk') == 'delete') {
+ $requestPath[2] = 'delete';
+ if (!auth()->user()->hasAccess(implode('.', $requestPath))) {
+ $requestPath[2] = 'destroy';
+ if (!auth()->user()->hasAccess(implode('.', $requestPath))) {
+ return abort(403, __("You dont't have acccess this action"));
+ }
+ }
+ }
+ }
+ }
 return $next($request);
 }
}
diff --git a/app/Models/User.php b/app/Models/User.php
index 80af713..c0fe2d1 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -105,4 +105,24 @@ class User extends Authenticatable
 {
 return $this->hasMany(AdminLog::class, 'user_id', 'id');
 }
+
+ public function accesses(){
+ return $this->hasMany(Access::class);
+ }
+ public function hasAnyAccess($name){
+ if ($this->hasRole('SUSPENDED')){
+ return false;
+ }
+ if ($this->hasRole('admin') || $this->hasRole('developer')) {
+ return true;
+ }
+ return $this->accesses()->where('route','LIKE','%.'.$name.'.%')->count() > 0;
+ }
+
+ public function hasAccess($route){
+ if ($this->hasRole('SUSPENDED')){
+ return false;
+ }
+ return $this->accesses()->where('route',$route)->count() > 0;
+ }
 }
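Review bot: The access check in `handle()` is fail-open for any route that is unnamed or whose name has fewer than three dot-separated segments: `isset($route->action['as'])` and `isset($requestPath[2])` both skip the check instead of denying, so an admin route registered without an `admin.<group>.<action>` name is reachable by every authenticated non-admin user. A deny-by-default shape such as `if (!in_array($requestPath[1] ?? '', $this->excepts, true) && (!isset($requestPath[2]) || !auth()->user()->hasAccess($route->action['as'])))` closes that gap for named routes; unnamed routes under the admin area would still need a separate guard (for example on the URI prefix), which I cannot see handled here. Note also that the `admin`/`developer` role bypass happens before `User::hasAccess()` is consulted, so the `SUSPENDED` check that method performs never runs for those roles — confirm that suspension removes the role, or test for `SUSPENDED` here first. Minor: `private $excepts` should be typed `private array $excepts`, `abort()` throws so the `return` before it is dead, and the user-facing message `"You dont't have acccess this action"` has two typos that will also become the translation key.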
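Review bot: `hasAnyAccess()` interpolates `$name` into a `LIKE` pattern (`'%.'.$name.'.%'`); the value is bound as a query parameter so it is not an injection vector, but `%` and `_` inside `$name` act as wildcards and are not escaped, so a name containing either matches more routes than intended — escape it with `addcslashes($name, '%_\\')` before concatenating, unless every caller is known to pass a fixed route-group token (no caller is visible in this diff). `hasAccess()` has no `admin`/`developer` shortcut while `hasAnyAccess()` does, so the two methods answer differently for the same user; document which one is the authorization decision or make them consistent. All three methods lack parameter and return types (`accesses(): HasMany`, `hasAnyAccess(string $name): bool`, `hasAccess(string $route): bool`), and `->count() > 0` can be `->exists()` to avoid counting rows. The role name `SUSPENDED` is upper-case while `admin`/`developer` are lower-case; confirm that matches how roles are stored.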
diff --git a/resources/views/admin/users/user-form.blade.php b/resources/views/admin/users/user-form.blade.php index 46227e1..67d51af 100644 --- a/resources/views/admin/users/user-form.blade.php +++ b/resources/views/admin/users/user-form.blade.php @@ -107,8 +107,90 @@ + + + + + @if(isset($item) && $item->hasRole('user')) + +
+
+ +
+
+
+ @foreach($routes as $name => $route) + +
+ +
+
+ + +
+
+
+ @foreach($route as $r) +
+
+
+ hasAccess("admin.{$name}.{$r}")) + checked + @endif + value="admin.{{$name}}.{{$r}}" + id="s{{$r}}"> + +
+
+ +
+ @endforeach +
+
+
+ @endforeach +
+
+
+
+
+ @endif @endsection + + +@section('js-content') + +@endsection
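Review bot: The checkbox `id="s{{$r}}"` is built from the action name only, but the outer `@foreach($routes as $name => $route)` repeats the same action names (`index`, `destroy`, …) for every route group, so ids collide across groups and any `<label for>` or script keyed on them will target only the first match; include the group, e.g. `id="s{{$name}}-{{$r}}"`. Each checkbox also calls `$item->hasAccess(...)` inside the inner loop, which issues one query per box; loading the relation once (for example `$granted = $item->accesses->pluck('route')->all();` before the loops and `in_array("admin.{$name}.{$r}", $granted, true)` in the `@if`) avoids that. The handler that receives the posted checkbox values is not in this diff; it should accept only route names that appear in the same `$routes` list the form was built from rather than trusting the submitted strings. The surrounding markup is only partly visible here, so the exact element nesting is not verified.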