fix user without authority can view approval page
@@ -41,14 +41,19 @@ class Handler extends ExceptionHandler
|
||||
*/
|
||||
public function register()
|
||||
{
|
||||
$this->reportable(function (InsufficientPermissionException $e) {
|
||||
if (request()->expectsJson()) {
|
||||
return response()->json(fail($e->getMessage(), request()->all()), 403);
|
||||
} else {
|
||||
return abort(403);
|
||||
}
|
||||
});
|
||||
|
||||
//Other Only handle in json request
|
||||
if (!request()->expectsJson()) {
|
||||
return;
|
||||
}
|
||||
|
||||
$this->reportable(function (Throwable $e) {
|
||||
//
|
||||
});
|
||||
|
||||
$this->renderable(function (AuthenticationException $e) {
|
||||
return response()->json(fail($e->getMessage(), $e->guards()), 401);
|
||||
});
|
||||
@@ -82,7 +87,7 @@ class Handler extends ExceptionHandler
|
||||
{
|
||||
$data = $request->all();
|
||||
$httpStatusCode = $this->getHttpStatusCode($e);
|
||||
$msg = $e->getMessage();
|
||||
$msg = $e->getMessage() ?: class_basename($e);
|
||||
$trace = $e->getTraceAsString();
|
||||
if (config('app.debug')) {
|
||||
$data['trace'] = $trace;
|
||||
|
||||
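Review bot: In the first hunk of this file, the 403 for `InsufficientPermissionException` is produced inside a `reportable` callback (`return response()->json(fail(...), 403)` / `return abort(403)`), which is unlikely to reach the client: unless this project's base handler overrides it, `reportable` registers a report-time hook whose return value is discarded, and `abort(403)` would then throw a second exception from within reporting. The same hunk already shows the intended mechanism for `AuthenticationException`, so the permission case should use it too: `$this->renderable(function (InsufficientPermissionException $e) { return request()->expectsJson() ? response()->json(fail($e->getMessage(), request()->all()), 403) : abort(403); });`. Reflecting `request()->all()` into the error body also echoes arbitrary caller input back; an empty array, or only the fields the client needs, is the safer payload. `register()` appears to continue past the hunk.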
@@ -2,10 +2,13 @@
|
||||
|
||||
namespace App\Http\Controllers;
|
||||
|
||||
use App\Exceptions\InsufficientPermissionException;
|
||||
use App\Models\Setting;
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
use Illuminate\Foundation\Bus\DispatchesJobs;
|
||||
use Illuminate\Foundation\Validation\ValidatesRequests;
|
||||
use Illuminate\Routing\Controller as BaseController;
|
||||
use Illuminate\Support\Facades\Auth;
|
||||
use Illuminate\Support\Str;
|
||||
|
||||
class Controller extends BaseController
|
||||
@@ -54,4 +57,11 @@ class Controller extends BaseController
|
||||
return Str::slug("$title.$action", '.');
|
||||
}
|
||||
|
||||
protected function checkPermission($permission)
|
||||
{
|
||||
if (Auth::user()->class < Setting::get($permission)) {
|
||||
throw new InsufficientPermissionException();
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
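Review bot: `checkPermission` compares `Auth::user()->class < Setting::get($permission)` with no handling for a missing user or an unset setting key: if `Setting::get` returns `null` for an unknown key (its behaviour is not visible here), PHP evaluates `int < null` as `false`, so the guard fails open and grants access, and if `Auth::user()` is `null` the line raises an `Error` instead of a 401/403. Fail closed instead: `$required = Setting::get($permission); $user = Auth::user();` followed by `if ($user === null || $required === null || $user->class < $required) { throw new InsufficientPermissionException(); }`. The same comparison is repeated inline in `TorrentRepository::approval` (the `@@ -479` hunk), which needs the same treatment or should delegate to one shared check; `$permission` could also be typed `string` and the method given a `void` return type.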
@@ -107,6 +107,7 @@ class TorrentController extends Controller
|
||||
public function approvalPage(Request $request)
|
||||
{
|
||||
$request->validate(['torrent_id' => 'required']);
|
||||
$this->checkPermission('authority.torrentmanage');
|
||||
$torrentId = $request->torrent_id;
|
||||
$torrent = Torrent::query()->findOrFail($torrentId, Torrent::$commentFields);
|
||||
$denyReasons = TorrentDenyReason::query()->orderBy('priority', 'desc')->get();
|
||||
@@ -116,6 +117,7 @@ class TorrentController extends Controller
|
||||
public function approvalLogs(Request $request)
|
||||
{
|
||||
$request->validate(['torrent_id' => 'required']);
|
||||
$this->checkPermission('authority.torrentmanage');
|
||||
$torrentId = $request->torrent_id;
|
||||
$actionTypes = [
|
||||
TorrentOperationLog::ACTION_TYPE_APPROVAL_NONE,
|
||||
@@ -140,8 +142,10 @@ class TorrentController extends Controller
|
||||
'torrent_id' => 'required',
|
||||
'approval_status' => 'required',
|
||||
]);
|
||||
$this->checkPermission('authority.torrentmanage');
|
||||
$params = $request->all();
|
||||
$this->repository->approval(Auth::user(), $params);
|
||||
return $this->success($params);
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
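Review bot: In `approvalPage`, `approvalLogs` and `approval`, `$this->checkPermission('authority.torrentmanage')` runs after `$request->validate(...)`, so an under-privileged caller still receives the 422 validation response, including which fields are required, before being refused; authorization should be the first statement so the 403 is returned regardless of input, i.e. move `$this->checkPermission('authority.torrentmanage');` above each `$request->validate(` call. The setting key is also repeated as a bare string in all three methods and again in `TorrentRepository::approval`; a single constant such as `private const PERMISSION_TORRENT_MANAGE = 'authority.torrentmanage';` keeps them in sync. `approvalPage` and `approvalLogs` continue past their hunks.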
@@ -41,9 +41,6 @@ class AuthServiceProvider extends ServiceProvider
|
||||
return new NexusWebGuard($app['request'], new NexusWebUserProvider());
|
||||
});
|
||||
|
||||
// Bouncer::useAbilityModel(Permission::class);
|
||||
// Bouncer::useRoleModel(Role::class);
|
||||
// Bouncer::useUserModel(User::class);
|
||||
}
|
||||
|
||||
private function getUserByCookie($cookie)
|
||||
|
||||
@@ -479,6 +479,9 @@ class TorrentRepository extends BaseRepository
|
||||
public function approval($user, array $params): array
|
||||
{
|
||||
$user = $this->getUser($user);
|
||||
if ($user->class < Setting::get('authority.torrentmanage')) {
|
||||
throw new InsufficientPermissionException();
|
||||
}
|
||||
$torrent = Torrent::query()->findOrFail($params['torrent_id'], ['id', 'banned', 'approval_status', 'visible', 'owner']);
|
||||
$lastLog = TorrentOperationLog::query()
|
||||
->where('torrent_id', $params['torrent_id'])
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
<?php
|
||||
defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.7.21');
|
||||
defined('RELEASE_DATE') || define('RELEASE_DATE', '2022-08-16');
|
||||
defined('VERSION_NUMBER') || define('VERSION_NUMBER', '1.7.22');
|
||||
defined('RELEASE_DATE') || define('RELEASE_DATE', '2022-08-17');
|
||||
defined('IN_TRACKER') || define('IN_TRACKER', false);
|
||||
defined('PROJECTNAME') || define("PROJECTNAME","NexusPHP");
|
||||
defined('NEXUSPHPURL') || define("NEXUSPHPURL","https://nexusphp.org");
|
||||
|
||||
@@ -17,7 +17,7 @@ Route::get('/', function () {
|
||||
return redirect('index.php');
|
||||
});
|
||||
|
||||
Route::group(['prefix' => 'web', 'middleware' => ['auth.nexus:nexus', 'locale']], function () {
|
||||
Route::group(['prefix' => 'web', 'middleware' => ['auth.nexus:nexus-web', 'locale']], function () {
|
||||
Route::get('torrent-approval-page', [\App\Http\Controllers\TorrentController::class, 'approvalPage']);
|
||||
Route::get('torrent-approval-logs', [\App\Http\Controllers\TorrentController::class, 'approvalLogs']);
|
||||
Route::post('torrent-approval', [\App\Http\Controllers\TorrentController::class, 'approval']);
|
||||
|
||||
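Review bot: The middleware parameter changes from `auth.nexus:nexus` to `auth.nexus:nexus-web`, but `Controller::checkPermission` (the `@@ -54` hunk in that file) reads `Auth::user()` on the default guard rather than on the guard named here. Unless the default guard is configured as `nexus-web`, or `auth.nexus` switches the default guard for the request (not visible on this page), the controller may resolve a different user than the one the middleware authenticated, or `null`; resolving it explicitly with `Auth::guard('nexus-web')->user()` keeps the two in step. The route group continues past the hunk.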