From 0cce250df2882bcc3302c9bbe182f3337906b65a Mon Sep 17 00:00:00 2001
From: xiaomlove
Date: Wed, 17 Aug 2022 17:39:41 +0800
Subject: [PATCH] fix user without authority can view approval page

---
 app/Exceptions/Handler.php | 15 ++++++++++-----
 app/Http/Controllers/Controller.php | 10 ++++++++++
 app/Http/Controllers/TorrentController.php | 4 ++++
 app/Providers/AuthServiceProvider.php | 3 ---
 app/Repositories/TorrentRepository.php | 3 +++
 include/constants.php | 4 ++--
 routes/web.php | 2 +-
 7 files changed, 30 insertions(+), 11 deletions(-)

diff --git a/app/Exceptions/Handler.php b/app/Exceptions/Handler.php
index 18df3a23..e1c3631a 100644
--- a/app/Exceptions/Handler.php
+++ b/app/Exceptions/Handler.php
@@ -41,14 +41,19 @@ class Handler extends ExceptionHandler
 */
 public function register()
 {
+ $this->reportable(function (InsufficientPermissionException $e) {
+ if (request()->expectsJson()) {
+ return response()->json(fail($e->getMessage(), request()->all()), 403);
+ } else {
+ return abort(403);
+ }
+ });
+
+ //Other Only handle in json request
 if (!request()->expectsJson()) {
 return;
 }
- $this->reportable(function (Throwable $e) {
- //
- });
-
 $this->renderable(function (AuthenticationException $e) {
 return response()->json(fail($e->getMessage(), $e->guards()), 401);
 });
@@ -82,7 +87,7 @@ class Handler extends ExceptionHandler
 {
 $data = $request->all();
 $httpStatusCode = $this->getHttpStatusCode($e);
- $msg = $e->getMessage();
+ $msg = $e->getMessage() ?: class_basename($e);
 $trace = $e->getTraceAsString();
 if (config('app.debug')) {
 $data['trace'] = $trace;
diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php
index a4e41099..f6de71c1 100644
--- a/app/Http/Controllers/Controller.php
+++ b/app/Http/Controllers/Controller.php
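Review bot: The new callback in `register()` is registered with `$this->reportable(...)`, but in Laravel the reportable hook runs during exception *reporting* and its return value is not sent to the client (only a `false` return is meaningful, to stop further reporting), so the `response()->json(..., 403)` built here is discarded and the exception falls through to the default renderer; in the non-JSON branch `abort(403)` raises a second exception from inside the reporting phase rather than producing a response. Unless this Handler overrides `report()` in a way the hunk does not show, the line should be `$this->renderable(function (InsufficientPermissionException $e, $request) {` with `$request->expectsJson()` used inside, and `return abort(403);` can become a plain `abort(403);` since `abort()` never returns. Separately, the 403 body echoes `request()->all()` back to the caller, which reflects every submitted field (including any credentials or tokens a client sent) into an error response; consider passing `[]` or only the offending keys instead. The `register()` body continues past the end of this hunk.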
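Review bot: `$msg = $e->getMessage() ?: class_basename($e);` sends the raw message of any Throwable to API clients regardless of environment — only `$trace` is gated behind `config('app.debug')` a few lines later — and the new fallback additionally discloses internal exception class names when the message is empty. For exceptions that are not meant to be client-facing (database, filesystem, framework errors) this leaks implementation details; consider keeping the detailed `$msg` only when `config('app.debug')` is true or the exception is an intentional HTTP/domain exception, and returning a generic message otherwise. The method this hunk modifies begins before `@@ -82,7` and continues after it, so its signature and the final response construction are not visible here.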
@@ -2,10 +2,13 @@
 namespace App\Http\Controllers;
+use App\Exceptions\InsufficientPermissionException;
+use App\Models\Setting;
 use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
 use Illuminate\Foundation\Bus\DispatchesJobs;
 use Illuminate\Foundation\Validation\ValidatesRequests;
 use Illuminate\Routing\Controller as BaseController;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Str;
 class Controller extends BaseController
@@ -54,4 +57,11 @@ class Controller extends BaseController
 return Str::slug("$title.$action", '.');
 }
+ protected function checkPermission($permission)
+ {
+ if (Auth::user()->class < Setting::get($permission)) {
+ throw new InsufficientPermissionException();
+ }
+ }
+
 }
diff --git a/app/Http/Controllers/TorrentController.php b/app/Http/Controllers/TorrentController.php
index e93a72d1..642b7893 100644
--- a/app/Http/Controllers/TorrentController.php
+++ b/app/Http/Controllers/TorrentController.php
@@ -107,6 +107,7 @@ class TorrentController extends Controller
 public function approvalPage(Request $request)
 {
 $request->validate(['torrent_id' => 'required']);
+ $this->checkPermission('authority.torrentmanage');
 $torrentId = $request->torrent_id;
 $torrent = Torrent::query()->findOrFail($torrentId, Torrent::$commentFields);
 $denyReasons = TorrentDenyReason::query()->orderBy('priority', 'desc')->get();
@@ -116,6 +117,7 @@ class TorrentController extends Controller
 public function approvalLogs(Request $request)
 {
 $request->validate(['torrent_id' => 'required']);
+ $this->checkPermission('authority.torrentmanage');
 $torrentId = $request->torrent_id;
 $actionTypes = [
 TorrentOperationLog::ACTION_TYPE_APPROVAL_NONE,
@@ -140,8 +142,10 @@ class TorrentController extends Controller
 'torrent_id' => 'required',
 'approval_status' => 'required',
 ]);
+ $this->checkPermission('authority.torrentmanage');
 $params = $request->all();
 $this->repository->approval(Auth::user(), $params);
 return $this->success($params);
 }
+
 }
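Review bot: The new `checkPermission()` fails open when the setting is absent: if `Setting::get($permission)` returns `null` (which I cannot confirm from the hunk, but is the usual "key not configured" result), PHP's loose `<` converts both operands to bool, so `5 < null` is `false`, no exception is thrown, and the caller is granted access; a misspelled key such as `'authority.torrentmanag'` would silently open the approval endpoints to every logged-in user. It also dereferences `Auth::user()` unguarded, so a route that reaches this helper without an auth middleware produces a 500 instead of a 403, and the untyped parameter should be `string $permission` with a `void` return. A fail-closed version that also normalises both sides to int would be safer:
```php
protected function checkPermission(string $permission): void
{
    $user = Auth::user();
    $required = Setting::get($permission);
    // Fail closed: no authenticated user, or no configured threshold, means no access.
    if ($user === null || $required === null || $required === '' || (int) $user->class < (int) $required) {
        throw new InsufficientPermissionException();
    }
}
```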
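Review bot: In all three actions the new `$this->checkPermission('authority.torrentmanage');` line is placed after `$request->validate(...)`, so a caller below the required class still receives the 422 validation response (and its field-level messages) before the authorisation check ever runs; the conventional ordering is to authorise first so that unauthorised users see only the 403. Moving the call to the first statement of `approvalPage`, `approvalLogs` and `approval` — i.e. `$this->checkPermission('authority.torrentmanage');` directly above each `$request->validate(` — achieves that without other changes. In `approval` the same class comparison is repeated inside `TorrentRepository::approval()` per the diffstat, which is fine as defence in depth but worth a one-line comment such as `// repository re-checks authority; keep both in sync` so the two do not drift. The bodies of `approvalPage` and `approvalLogs` continue past the end of their hunks.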
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index 54cc589b..f815bfff 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
@@ -41,9 +41,6 @@ class AuthServiceProvider extends ServiceProvider
 return new NexusWebGuard($app['request'], new NexusWebUserProvider());
 });
-// Bouncer::useAbilityModel(Permission::class);
-// Bouncer::useRoleModel(Role::class);
-// Bouncer::useUserModel(User::class);
 }
 private function getUserByCookie($cookie)
diff --git a/app/Repositories/TorrentRepository.php b/app/Repositories/TorrentRepository.php
index 400ea639..0c83bcd0 100644
--- a/app/Repositories/TorrentRepository.php
+++ b/app/Repositories/TorrentRepository.php
@@ -479,6 +479,9 @@ class TorrentRepository extends BaseRepository
 public function approval($user, array $params): array
 {
 $user = $this->getUser($user);
+ if ($user->class < Setting::get('authority.torrentmanage')) {
+ throw new InsufficientPermissionException();
+ }
 $torrent = Torrent::query()->findOrFail($params['torrent_id'], ['id', 'banned', 'approval_status', 'visible', 'owner']);
 $lastLog = TorrentOperationLog::query()
 ->where('torrent_id', $params['torrent_id'])
diff --git a/include/constants.php b/include/constants.php
index 3acaa0a0..1dfb8182 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -1,6 +1,6 @@ 'web', 'middleware' => ['auth.nexus:nexus', 'locale']], function () {
+Route::group(['prefix' => 'web', 'middleware' => ['auth.nexus:nexus-web', 'locale']], function () {
 Route::get('torrent-approval-page', [\App\Http\Controllers\TorrentController::class, 'approvalPage']);
 Route::get('torrent-approval-logs', [\App\Http\Controllers\TorrentController::class, 'approvalLogs']);
 Route::post('torrent-approval', [\App\Http\Controllers\TorrentController::class, 'approval']);
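Review bot: The added guard in `approval()` has the same fail-open shape as the controller helper: if `Setting::get('authority.torrentmanage')` yields `null` for an unset key, `$user->class < null` evaluates to `false` under PHP's loose comparison and the approval proceeds; better is `$required = Setting::get('authority.torrentmanage');` followed by `if ($required === null || (int) $user->class < (int) $required) {`. The diffstat lists exactly three added lines for this file, all in this hunk, so no `use` statement for `Setting` or `InsufficientPermissionException` was added — unless both are already imported above line 479 (not visible here), they resolve to `App\Repositories\Setting` and fail with a class-not-found error at runtime, which blocks the action but as a 500 rather than a 403. Since this is now the same comparison as `Controller::checkPermission()`, consider moving it to one shared place (a method on the user model or a policy) so the two call sites cannot drift apart. The `approval()` body continues past the end of the hunk.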