fix user without authority can view approval page

This commit is contained in:
xiaomlove
2022-08-17 17:39:41 +08:00
parent 78a25071d1
commit 0cce250df2
7 changed files with 30 additions and 11 deletions
+10 -5
@@ -41,14 +41,19 @@ class Handler extends ExceptionHandler
*/
public function register()
{
$this->reportable(function (InsufficientPermissionException $e) {
if (request()->expectsJson()) {
return response()->json(fail($e->getMessage(), request()->all()), 403);
} else {
return abort(403);
}
});
//Other Only handle in json request
if (!request()->expectsJson()) {
return;
}
$this->reportable(function (Throwable $e) {
//
});
$this->renderable(function (AuthenticationException $e) {
return response()->json(fail($e->getMessage(), $e->guards()), 401);
});
@@ -82,7 +87,7 @@ class Handler extends ExceptionHandler
{
$data = $request->all();
$httpStatusCode = $this->getHttpStatusCode($e);
$msg = $e->getMessage();
$msg = $e->getMessage() ?: class_basename($e);
$trace = $e->getTraceAsString();
if (config('app.debug')) {
$data['trace'] = $trace;
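Review bot: The closure at the top of register() that is meant to turn InsufficientPermissionException into a 403 is registered with `$this->reportable(...)`, but report callbacks run when the exception is reported and their return value is only checked for `false` to skip default reporting; a Response returned there is never sent, and `abort(403)` would throw from inside the report step. Unless InsufficientPermissionException carries its own render() method (not visible here), an HTML request that fails the new checkPermission() will not get the intended 403. Registering it as a render callback, `$this->renderable(function (InsufficientPermissionException $e) {`, with the body unchanged, gives the non-JSON branch the response this commit describes. Its placement before the expectsJson() early return is right, since it must cover both request types. register() continues past the end of the first hunk.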
+10
@@ -2,10 +2,13 @@
namespace App\Http\Controllers;
use App\Exceptions\InsufficientPermissionException;
use App\Models\Setting;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Foundation\Bus\DispatchesJobs;
use Illuminate\Foundation\Validation\ValidatesRequests;
use Illuminate\Routing\Controller as BaseController;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;
class Controller extends BaseController
@@ -54,4 +57,11 @@ class Controller extends BaseController
return Str::slug("$title.$action", '.');
}
protected function checkPermission($permission)
{
if (Auth::user()->class < Setting::get($permission)) {
throw new InsufficientPermissionException();
}
}
}
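Review bot: checkPermission() fails open when the setting is absent: `Auth::user()->class < Setting::get($permission)` uses `<`, so if Setting::get() returns null for an unknown or misspelled key (its return type is not visible here) the comparison is false for every non-negative class and no exception is thrown. The same comparison shape is added to TorrentRepository::approval() in this commit. A fail-closed form is `$required = Setting::get($permission); if ($required === null || Auth::user()->class < (int) $required) { throw new InsufficientPermissionException(); }`. The method also declares no types; `protected function checkPermission(string $permission): void` documents that it only throws and never returns a value.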
@@ -107,6 +107,7 @@ class TorrentController extends Controller
public function approvalPage(Request $request)
{
$request->validate(['torrent_id' => 'required']);
$this->checkPermission('authority.torrentmanage');
$torrentId = $request->torrent_id;
$torrent = Torrent::query()->findOrFail($torrentId, Torrent::$commentFields);
$denyReasons = TorrentDenyReason::query()->orderBy('priority', 'desc')->get();
@@ -116,6 +117,7 @@ class TorrentController extends Controller
public function approvalLogs(Request $request)
{
$request->validate(['torrent_id' => 'required']);
$this->checkPermission('authority.torrentmanage');
$torrentId = $request->torrent_id;
$actionTypes = [
TorrentOperationLog::ACTION_TYPE_APPROVAL_NONE,
@@ -140,8 +142,10 @@ class TorrentController extends Controller
'torrent_id' => 'required',
'approval_status' => 'required',
]);
$this->checkPermission('authority.torrentmanage');
$params = $request->all();
$this->repository->approval(Auth::user(), $params);
return $this->success($params);
}
}
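Review bot: In all three hunks the new `$this->checkPermission('authority.torrentmanage');` runs after `$request->validate(...)`, so a caller without the authority still receives the 422 validation response and its field-level messages before being rejected; placing the check as the first statement of approvalPage(), approvalLogs() and approval() rejects unauthorized requests before any input is examined. The setting key is now spelled out three times here and once more in TorrentRepository::approval(); a single constant such as `private const PERMISSION_TORRENT_MANAGE = 'authority.torrentmanage';` keeps the four checks from drifting apart. approval() starts before its hunk, and approvalPage() and approvalLogs() continue beyond theirs.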
-3
@@ -41,9 +41,6 @@ class AuthServiceProvider extends ServiceProvider
return new NexusWebGuard($app['request'], new NexusWebUserProvider());
});
// Bouncer::useAbilityModel(Permission::class);
// Bouncer::useRoleModel(Role::class);
// Bouncer::useUserModel(User::class);
}
private function getUserByCookie($cookie)
+3
@@ -479,6 +479,9 @@ class TorrentRepository extends BaseRepository
public function approval($user, array $params): array
{
$user = $this->getUser($user);
if ($user->class < Setting::get('authority.torrentmanage')) {
throw new InsufficientPermissionException();
}
$torrent = Torrent::query()->findOrFail($params['torrent_id'], ['id', 'banned', 'approval_status', 'visible', 'owner']);
$lastLog = TorrentOperationLog::query()
->where('torrent_id', $params['torrent_id'])