lkddi/nexusphp
1
0
Fork 0
mirror of https://github.com/lkddi/nexusphp.git synced 2026-04-14 04:20:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix user without authority can view approval page

Browse Source
This commit is contained in:
xiaomlove
2022-08-17 17:39:41 +08:00
parent 78a25071d1
commit 0cce250df2
7 changed files with 30 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/Http/Controllers/Controller.php
View File

@@ -2,10 +2,13 @@
namespace App\Http\Controllers;
use App\Exceptions\InsufficientPermissionException;
use App\Models\Setting;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Foundation\Bus\DispatchesJobs;
use Illuminate\Foundation\Validation\ValidatesRequests;
use Illuminate\Routing\Controller as BaseController;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Str;
class Controller extends BaseController
@@ -54,4 +57,11 @@ class Controller extends BaseController
return Str::slug("$title.$action", '.');
}
protected function checkPermission($permission)
{
if (Auth::user()->class < Setting::get($permission)) {
throw new InsufficientPermissionException();
}
}
}

4
app/Http/Controllers/TorrentController.php
View File

@@ -107,6 +107,7 @@ class TorrentController extends Controller
public function approvalPage(Request $request)
{
$request->validate(['torrent_id' => 'required']);
$this->checkPermission('authority.torrentmanage');
$torrentId = $request->torrent_id;
$torrent = Torrent::query()->findOrFail($torrentId, Torrent::$commentFields);
$denyReasons = TorrentDenyReason::query()->orderBy('priority', 'desc')->get();
@@ -116,6 +117,7 @@ class TorrentController extends Controller
public function approvalLogs(Request $request)
{
$request->validate(['torrent_id' => 'required']);
$this->checkPermission('authority.torrentmanage');
$torrentId = $request->torrent_id;
$actionTypes = [
TorrentOperationLog::ACTION_TYPE_APPROVAL_NONE,
@@ -140,8 +142,10 @@ class TorrentController extends Controller
'torrent_id' => 'required',
'approval_status' => 'required',
]);
$this->checkPermission('authority.torrentmanage');
$params = $request->all();
$this->repository->approval(Auth::user(), $params);
return $this->success($params);
}
}