Commit dd937196 authored by ZeMKI's avatar ZeMKI

optimization and permissions review

- phpdoc optimization
- new policies for interview, study and sorting
- custom 403 errors
parent 6a8b80b3
......@@ -4,18 +4,14 @@ namespace App\Helpers;
class Helper
{
/**
* Generate a random string, using a cryptographically secure
* pseudorandom number generator (random_int)
*
* For PHP 7, random_int is a PHP core function
* For PHP 5.x, depends on https://github.com/paragonie/random_compat
*
* @param int $length How many characters do we want?
* @param string $keyspace A string of all possible characters
* to select from
* @return string
*/
/**
* Generate random string with a given set of chars
* @param $length
* @param string $keyspace
* @return string
* @throws \Exception
*/
public static function random_str($length, $keyspace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!$%()=-*.,')
{
$pieces = [];
......
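Review bot: The replacement docblock for random_str drops the one statement a caller needs from it — that the string is drawn from random_int(), a cryptographically secure generator — and `@param $length` has lost its type. The function body past `$pieces = [];` is outside the hunk, so I cannot confirm the generator from here; if the body still uses random_int(), keep that sentence, e.g. `Generate a random string with a given set of chars, using random_int() (CSPRNG).`, and type the parameter: `@param int $length Number of characters to produce`. Callers who use this helper for tokens or secrets choose it on that property, so it belongs in the documentation.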
......@@ -19,11 +19,7 @@ class InterviewController extends Controller
public function show(Interview $interview)
{
if(!Auth::user()->can('read-studies',Study::where('id','=',$interview->study_id)->first()->name) && !Auth::user()->hasRole('superadministrator') ) abort(403,"You are not allowed to read this study");
// check permissions for interview!
// if the user has access to this study's interview
//$interview = Interview::where('id','=',$request->input('id'))->with('answers')->first();
$this->authorize($interview);
$study = $interview->study;
$author = $interview->author;
......@@ -66,6 +62,8 @@ class InterviewController extends Controller
public function create(Request $request)
{
$this->authorize([Interview::class,$request->input('study')]);
/** Extract method FORMATQUESTIONSANSWERS */
$query ='
select distinct qid, q, d,
......
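Review bot: The new `$this->authorize([Interview::class,$request->input('study')]);` in create() hands the raw `study` request value straight to the policy, and InterviewPolicy::create in this commit looks it up and dereferences `->first()->name`, so an unknown id ends in a null-property error (500) rather than a 403 or 404. Resolve the model in the controller first so a bad id is rejected before authorization runs: `$study = Study::findOrFail($request->input('study'));` followed by `$this->authorize('create', [Interview::class, $study->id]);`. Naming the ability also avoids relying on Laravel guessing it from the calling method name, which the `$this->authorize($interview);` in show() above does as well. Both show() and create() continue outside the hunk.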
......@@ -52,6 +52,7 @@ class SortingController extends Controller
*/
public function show(Interview $interview)
{
$this->authorize([Sorting::class,$interview]);
// check permissions for interview!
// if the user has access to this study's interview
......@@ -71,6 +72,8 @@ class SortingController extends Controller
public function download(Interview $interview)
{
$this->authorize('view',[Sorting::class,$interview]);
$study = Study::where('id', '=', $interview->study_id)->first();
$data['interview'] = $interview;
......
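Review bot: show() relies on Laravel inferring the ability from the calling method name (`show` → `view`) in `$this->authorize([Sorting::class,$interview]);`, while download() in the next hunk spells it out as `$this->authorize('view',[Sorting::class,$interview]);`. The implicit form works but breaks silently if the method is renamed, and the policy method reached is not obvious at the call site; write show() the same way as download(): `$this->authorize('view', [Sorting::class, $interview]);`. The same implicit calls appear in InterviewController::show/create and StudyController::edit/update. Both method bodies continue outside their hunks.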
......@@ -13,22 +13,15 @@ use App\Answer;
use App\Question;
use App\Permission;
use App\Role;
use Helper;
class StudyController extends Controller
{
// use helper instead
public function extension($uri)
{
$img = explode(',', $uri);
$ini =substr($img[0], 11);
$type = explode(';', $ini);
return $type[0];
}
public function create()
{
if(!Auth::user()->cancreatestudies())abort(403,'You cannot create studies');
// if(!Auth::user()->cancreatestudies())abort(403,'You cannot create studies');
$arrayOfFiles = $this->getPresetImages();
......@@ -103,7 +96,7 @@ class StudyController extends Controller
else $image = config('utilities.base64logo');
//extract method save and encrypt files
$extension = $this->extension($image);
$extension = Helper::extension($image);
$name = $t['name'];
$arr = explode(",", $image , 2);
$base64firstpart = $arr[0];
......@@ -214,8 +207,9 @@ class StudyController extends Controller
*/
public function edit(Study $study)
{
$this->authorize($study);
if(!Auth::user()->can('update-studies',$study->name)) abort(403,"You are not allowed to edit this study");
//if(!Auth::user()->can('update-studies',$study->name)) abort(403,"You are not allowed to edit this study");
// check permissions to edit study
......@@ -278,8 +272,9 @@ class StudyController extends Controller
public function update(Study $study, Request $request)
{
$this->authorize($study);
// extract method validate
if(!Auth::user()->can('update-studies',$study->name)) abort(403,"You are not allowed to edit this study");
// if(!Auth::user()->can('update-studies',$study->name)) abort(403,"You are not allowed to edit this study");
if ($request->name == "") {
return response()->json('Data are not valid', 422);
......@@ -310,12 +305,12 @@ class StudyController extends Controller
// @todo remove all tokens before updating the new ones to remove what was remove
$key = 'id';
$rtokens = $request->get('sorting')['tokens'];
$output = array_map(function($item) use ($key) {
if(isset($item[$key]))return $item[$key];
}, $rtokens);
$available_tokens = $study->available_tokens()->pluck('tokens.id')->toArray();
$key = 'id';
$rtokens = $request->get('sorting')['tokens'];
$output = array_map(function($item) use ($key) {
if(isset($item[$key]))return $item[$key];
}, $rtokens);
$available_tokens = $study->available_tokens()->pluck('tokens.id')->toArray();
$result=array_diff($available_tokens,$output);
foreach ($result as $t){
......@@ -381,7 +376,7 @@ $available_tokens = $study->available_tokens()->pluck('tokens.id')->toArray();
else $image = config('utilities.base64logo');
//extract method save and encrypt files
$extension = $this->extension($image);
$extension = Helper::extension($image);
$name = $t['name'];
$arr = explode(",", $image , 2);
$base64firstpart = $arr[0];
......@@ -430,10 +425,9 @@ $available_tokens = $study->available_tokens()->pluck('tokens.id')->toArray();
/**
* Remove the specified resource from storage.
*
* @param int $id
* @return \Illuminate\Http\Response
* @param Study $study
* @return \Illuminate\Contracts\Routing\ResponseFactory|\Illuminate\Http\Response
* @throws \Exception
*/
public function destroy(Study $study)
{
......@@ -456,8 +450,9 @@ $available_tokens = $study->available_tokens()->pluck('tokens.id')->toArray();
return $study->users()->get();
}
/**
* @return preset images
* @return array preset images
*/
public function getPresetImages(): array
{
......
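Review bot: In create() the only authorization check, `if(!Auth::user()->cancreatestudies())abort(403,'You cannot create studies');`, is commented out and nothing in the hunk replaces it, so study creation now depends solely on whatever route middleware applies — edit() and update() received `$this->authorize($study);`, create() did not. Add `$this->authorize('create', Study::class);` where the old check stood. Note that StudyPolicy::create() as added in this commit returns nothing (null), so it must return a real decision, e.g. `return $user->cancreatestudies();`, or that call denies everyone except a superadministrator. create()'s body continues outside the hunk.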
......@@ -46,7 +46,7 @@ class UserController extends Controller
{
$studies = Auth::user()->studies;
dd($studies);
$allusers = [];
foreach ($studies as $study) {
......
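Review bot: `dd($studies);` dumps the user's studies and terminates the request; the rendered hunk does not show whether this line is added or removed, but if it is on the new side the `$allusers` loop below it never runs and the raw dump is what the caller receives. Remove it before merge (or, if a dump is needed, use `logger()->debug(...)` so the response is unaffected). The enclosing method starts before the hunk.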
<?php
namespace App\Policies;
use App\Study;
use App\User;
use App\Interview;
use Auth;
use Illuminate\Auth\Access\HandlesAuthorization;
class InterviewPolicy
{
use HandlesAuthorization;
/**
* Don't check for authorization if the user is a superadmin
* @param $user
* @param $ability
* @return bool
*/
public function before($user, $ability)
{
if ($user->hasRole('superadministrator')) {
return true;
}
}
/**
* Determine whether the user can view the interview.
*
* @param \App\User $user
* @param \App\Interview $interview
* @return mixed
*/
public function view(User $user, Interview $interview)
{
if(!$user->can('read-studies',Study::where('id','=',$interview->study_id)->first()->name) ) abort(403,"You are not allowed to read this study");
return true;
}
/**
* Determine whether the user can create interviews.
*
* @param \App\User $user
* @param \App\Study $study
* @return mixed
*/
public function create(User $user,$study)
{
if(!$user->can('create-interviews',Study::where('id','=',$study)->first()->name) ) abort(403,"You are not allowed to create interviews for this study");
return true;
}
/**
* Determine whether the user can update the interview.
*
* @param \App\User $user
* @param \App\Interview $interview
* @return mixed
*/
public function update(User $user, Interview $interview)
{
//
}
/**
* Determine whether the user can delete the interview.
*
* @param \App\User $user
* @param \App\Interview $interview
* @return mixed
*/
public function delete(User $user, Interview $interview)
{
//
}
/**
* Determine whether the user can restore the interview.
*
* @param \App\User $user
* @param \App\Interview $interview
* @return mixed
*/
public function restore(User $user, Interview $interview)
{
}
/**
* Determine whether the user can permanently delete the interview.
*
* @param \App\User $user
* @param \App\Interview $interview
* @return mixed
*/
public function forceDelete(User $user, Interview $interview)
{
//
}
}
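Review bot: view() and create() call `abort(403, ...)` inside the policy instead of returning a decision, which short-circuits every caller that expects a boolean — `Gate::allows`, `$user->can(...)` and Blade `@can` would all terminate the request instead of rendering the denied branch — and create() dereferences `Study::where(...)->first()->name` on a possibly missing study, so an unknown id produces a 500. Return the result of the permission check and let the Gate raise its AuthorizationException (the 403 is preserved); where the custom message matters, `HandlesAuthorization::deny($message)` from the trait used on line 175 throws it properly. The same `abort()` pattern appears in SortingPolicy::view and StudyPolicy::update.

```php
public function view(User $user, Interview $interview)
{
    // Return a decision; the Gate turns false into a 403 for callers that authorize()
    return $user->can('read-studies', $interview->study->name);
}

public function create(User $user, $study)
{
    $study = Study::find($study);

    // Unknown study id: deny rather than dereference null
    return $study !== null && $user->can('create-interviews', $study->name);
}

// … unchanged: update / delete / restore / forceDelete stubs …
```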
<?php
namespace App\Policies;
use App\Study;
use App\User;
use App\Sorting;
use App\Interview;
use Illuminate\Auth\Access\HandlesAuthorization;
class SortingPolicy
{
use HandlesAuthorization;
/**
* Don't check for authorization if the user is a superadmin
* @param $user
* @param $ability
* @return bool
*/
public function before($user, $ability)
{
if ($user->hasRole('superadministrator')) {
return true;
}
}
/**
* Determine whether the user can view the sorting.
*
* @param \App\User $user
* @param \App\Sorting $sorting
* @return mixed
*/
public function view(User $user,Interview $interview)
{
//$interview = Interview::where('id','=',$interviewid)->first();
if(!$user->can('read-studies',Study::where('id','=',$interview->study_id)->first()->name) ) abort(403,"You are not allowed to read this study");
return true;
}
/**
* Determine whether the user can create sortings.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
//
}
/**
* Determine whether the user can update the sorting.
*
* @param \App\User $user
* @param \App\Sorting $sorting
* @return mixed
*/
public function update(User $user, Sorting $sorting)
{
//
}
/**
* Determine whether the user can delete the sorting.
*
* @param \App\User $user
* @param \App\Sorting $sorting
* @return mixed
*/
public function delete(User $user, Sorting $sorting)
{
//
}
/**
* Determine whether the user can restore the sorting.
*
* @param \App\User $user
* @param \App\Sorting $sorting
* @return mixed
*/
public function restore(User $user, Sorting $sorting)
{
//
}
/**
* Determine whether the user can permanently delete the sorting.
*
* @param \App\User $user
* @param \App\Sorting $sorting
* @return mixed
*/
public function forceDelete(User $user, Sorting $sorting)
{
//
}
}
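Review bot: The docblock on view() documents `@param \App\Sorting $sorting`, but the signature is `view(User $user,Interview $interview)` — the sorting is never passed, the interview is — and the commented-out `//$interview = Interview::where(...)` line above the check is dead code. Document what the method actually receives: `@param \App\Interview $interview The interview whose sorting is being viewed; access follows the 'read-studies' permission on its study`, and drop the commented line. Since `SortingPolicy::view` receives an Interview rather than a Sorting, the controller must keep passing `[Sorting::class, $interview]`, which is worth stating in the class docblock so nobody "fixes" the call sites.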
......@@ -2,6 +2,7 @@
namespace App\Policies;
use App\User;
use App\Study;
use Illuminate\Auth\Access\HandlesAuthorization;
......@@ -9,24 +10,91 @@ class StudyPolicy
{
use HandlesAuthorization;
public function edit(Study $study)
/**
* Don't check for authorization if the user is a superadmin
* @param $user
* @param $ability
* @return bool
*/
public function before($user, $ability)
{
if(!Auth::user()->can('update-study',$study->id)){
abort(403,"you can't edit this study");
if ($user->hasRole('superadministrator')) {
return true;
}
}
return true;
/**
* Determine whether the user can view the study.
*
* @param \App\User $user
* @param \App\Study $study
* @return mixed
*/
public function view(User $user, Study $study)
{
//
}
public function read($studyid){
/**
* Determine whether the user can create studies.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
if(!Auth::user()->can('read-studies',Study::where('id','=',$interview->study_id)->first()->name) && !Auth::user()->hasRole('superadministrator') ){
abort(403,"you can't read this study data!");
}
/**
* Determine whether the user can update the study.
*
* @param \App\User $user
* @param \App\Study $study
* @return mixed
*/
public function update(User $user, Study $study)
{
if(!$user->can('update-studies',$study->name)){
abort(403,"you can't edit this study");
}
return true;
}
/**
* Determine whether the user can delete the study.
*
* @param \App\User $user
* @param \App\Study $study
* @return mixed
*/
public function delete(User $user, Study $study)
{
//
}
/**
* Determine whether the user can restore the study.
*
* @param \App\User $user
* @param \App\Study $study
* @return mixed
*/
public function restore(User $user, Study $study)
{
//
}
/**
* Determine whether the user can permanently delete the study.
*
* @param \App\User $user
* @param \App\Study $study
* @return mixed
*/
public function forceDelete(User $user, Study $study)
{
//
}
}
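Review bot: view(), create(), delete(), restore() and forceDelete() return nothing, so after this commit any `$this->authorize('view', $study)` or `authorize('create', Study::class)` denies every user who is not a superadministrator (only before() can admit them). If that deny-by-default is intended for now, say so in each stub's docblock, e.g. `Not implemented: denies everyone except superadministrators (see before()).`; otherwise implement them in terms of the permissions the rest of the commit already uses, e.g. `return $user->can('read-studies', $study->name);` for view(). update() also calls `abort()` rather than returning false, as noted on InterviewPolicy.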
......@@ -13,9 +13,10 @@ class AuthServiceProvider extends ServiceProvider
* @var array
*/
protected $policies = [
'App\Model' => 'App\Policies\ModelPolicy',
'App\User' => 'App\Policies\UserPolicy',
'App\Study' => 'App\Policies\StudyPolicy',
'App\Interview' => 'App\Policies\InterviewPolicy',
'App\Sorting' => 'App\Policies\SortingPolicy',
];
/**
......
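Review bot: The new mappings use string class names (`'App\Study' => 'App\Policies\StudyPolicy'`), so a typo or a missing class — `App\Policies\UserPolicy` is referenced but not added in this commit; I cannot see whether it exists — only surfaces on the first authorization call against that model. Use `::class` constants with matching `use` imports so the IDE and static analysis resolve them up front.

```php
protected $policies = [
    User::class      => UserPolicy::class,
    Study::class     => StudyPolicy::class,
    Interview::class => InterviewPolicy::class,
    Sorting::class   => SortingPolicy::class,
];
```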
......@@ -137,10 +137,9 @@
<div class="columns">
<div class="column">
<div class="field">
<label class="label">Pre-Sort Questions</label>
<div class="control">
<input v-model.number="presort.number" class="input " type="number" placeholder="" min="0">
</div>
<b-field label="Pre-Sort Questions">
<b-numberinput controls-position="compact" type="is-light" v-model="presort.number" min="0" max="20" editable="false" steps="1"></b-numberinput>
</b-field>
</div>
<div class="field" v-for="(q,index) in presort.questions">
<label class="label">Question</label>
......@@ -165,10 +164,9 @@
</label>
<span v-if="(q.ismultiple || q.isonechoice) && !q.isscale">
<div class="field">
<label class="label">Number of Answers</label>
<div class="control">
<input v-model.number="q.numberofanswer" class="input " type="number" placeholder="" min="0" @change="normalizeanwers(index,'presort')">
</div>
<b-field label="Number of Answers">
<b-numberinput controls-position="compact" type="is-light" v-model="q.numberofanswer" min="1" max="20" editable="false" steps="1" @change="normalizeanwers(index,'presort')"></b-numberinput>
</b-field>
</div>
<div class="field" v-for="na in q.numberofanswer">
<label class="label">Answers</label>
......@@ -203,10 +201,9 @@
</div>
<div class="column">
<div class="field">
<label class="label">Post-Sort Questions</label>
<div class="control">
<input v-model.number="postsort.number" class="input " type="number" placeholder="" min="0">
</div>
<b-field label="Post-Sort Questions">
<b-numberinput controls-position="compact" type="is-light" v-model="postsort.number" min="0" max="20" editable="false" steps="1"></b-numberinput>
</b-field>
</div>
<div class="field" v-for="(q,index) in postsort.questions" >
......@@ -232,10 +229,9 @@
</label>
<span v-if="(q.ismultiple || q.isonechoice) && !q.isscale">
<div class="field">
<label class="label">Number of Answers</label>
<div class="control">
<input v-model.number="q.numberofanswer" class="input " type="number" placeholder="" @change="normalizeanwers(index,'postsort')">
</div>
<b-field label="Number of Answers">
<b-numberinput controls-position="compact" type="is-light" v-model="q.numberofanswer" min="1" max="20" editable="false" steps="1" @change="normalizeanwers(index,'presort')"></b-numberinput>
</b-field>
</div>
<div class="field" v-for="na in q.numberofanswer">
<label class="label">Answers</label>
......
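Review bot: In the last hunk the post-sort "Number of Answers" input now calls `@change="normalizeanwers(index,'presort')"`, whereas the `<input>` it replaces passed `'postsort'` and the pre-sort block above correctly passes `'presort'`; this looks like a copy-paste slip that renormalizes the wrong question list. Change it to `@change="normalizeanwers(index,'postsort')"`. Separately, `editable="false"` hands the component the string "false", which Vue does not coerce to a boolean prop, so if the intent is to block typing it should be bound as `:editable="false"` on all four new b-numberinput elements — worth checking against the component's prop definition.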