Commit 6a8b80b3 authored by ZeMKI's avatar ZeMKI

new security check

permissions url check
- you can't see other interviews if you can't read-studies
- you can't create studies
parent 74b630af
......@@ -19,6 +19,8 @@ class InterviewController extends Controller
public function show(Interview $interview)
{
if(!Auth::user()->can('read-studies',Study::where('id','=',$interview->study_id)->first()->name) && !Auth::user()->hasRole('superadministrator') ) abort(403,"You are not allowed to read this study");
// check permissions for interview!
// if the user has access to this study's interview
//$interview = Interview::where('id','=',$request->input('id'))->with('answers')->first();
......
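Review bot: `Study::where('id','=',$interview->study_id)->first()->name` on the added line dereferences the result of `first()` without a null check, so an interview whose `study_id` points at a deleted or missing study fails on the lookup before the permission test runs; `Study::findOrFail($interview->study_id)->name` turns that into a 404 instead. The same lookup is now duplicated in StudyPolicy::read (third hunk), so having the controller delegate to the policy, e.g. via `$this->authorize(...)`, would keep a single check in one place. The one-line `if(...) abort(...)` without braces is also out of step with the rest of the controller's formatting and PSR-12. show()'s body continues outside the hunk.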
......@@ -28,6 +28,8 @@ class StudyController extends Controller
public function create()
{
if(!Auth::user()->cancreatestudies())abort(403,'You cannot create studies');
$arrayOfFiles = $this->getPresetImages();
$data['study'] = new Study;
......
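Review bot: The new guard protects only the form rendered by create(); unless the matching store() action (not in this hunk) is guarded the same way, a direct POST still creates a study, so the check belongs there as well — or in StudyPolicy with `$this->authorize('create', Study::class)` called from both actions. Unlike the interview check in the first hunk, this one has no explicit superadministrator bypass, which is fine if `cancreatestudies()` already grants it but otherwise makes the two checks disagree. For readability, `if(!Auth::user()->cancreatestudies())abort(403,'You cannot create studies');` would be clearer as `if (!Auth::user()->cancreatestudies()) { abort(403, 'You cannot create studies'); }`. create()'s body continues outside the hunk.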
......@@ -19,4 +19,14 @@ class StudyPolicy
return true;
}
public function read($studyid){
if(!Auth::user()->can('read-studies',Study::where('id','=',$interview->study_id)->first()->name) && !Auth::user()->hasRole('superadministrator') ){
abort(403,"you can't read this study data!");
}
return true;
}
}
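Review bot: read($studyid) never uses its parameter and reads `$interview->study_id` instead, but `$interview` is not defined in this method, so the query runs against a null id, `first()` returns null and the permission is evaluated against a null study name rather than the study that was asked about. The check should use the argument, e.g. `Study::findOrFail($studyid)->name`. A policy method is also expected to return a bool rather than call abort(), so `return Auth::user()->hasRole('superadministrator') || Auth::user()->can('read-studies', Study::findOrFail($studyid)->name);` lets Gate/authorize() produce the 403 and makes the method usable from `$this->authorize(...)`. If this policy is registered with the Gate, note that the first argument a policy method receives is the authenticated user, not an id, so the signature would need adjusting accordingly.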
......@@ -25,7 +25,7 @@
<div class="field">
<label for="email" class="label">{{ __('E-Mail Address') }}</label>
<div class="control">
<input id="email" type="email" class="input {{ $errors->has('email') ? ' is-invalid' : '' }}" name="email" value="{{ old('email') }}" required autofocus>
<input id="email" type="text" class="input {{ $errors->has('email') ? ' is-invalid' : '' }}" name="email" value="{{ old('email') }}" required autofocus>
</div>
</div>
@if ($errors->has('email'))
......
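Review bot: Whichever of the two `<input id="email">` lines is the new one, no server-side change accompanies it, so if the new side is `type="text"` the browser-level e-mail format check on the login form is dropped and the request validation rule for `email` becomes the only check — confirm the login request still validates that field. If the switch is intentional (for example to allow usernames), a Blade comment above the input such as `{{-- accepts username or e-mail, so not type="email" --}}` would keep the next reader from reverting it.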