diff --git a/app/Filament/Resources/User/UserResource/Pages/UserProfile.php b/app/Filament/Resources/User/UserResource/Pages/UserProfile.php
index a3f11fb2..ab12ae66 100644
--- a/app/Filament/Resources/User/UserResource/Pages/UserProfile.php
+++ b/app/Filament/Resources/User/UserResource/Pages/UserProfile.php
@@ -48,17 +48,19 @@ class UserProfile extends Page
     protected function getActions(): array
     {
         $actions = [];
-        if ($this->record->two_step_secret) {
-            $actions[] = $this->buildDisableTwoStepAuthenticationAction();
+        if (Auth::user()->class > $this->record->class) {
+            $actions[] = $this->buildAssignExamAction();
+            $actions[] = $this->buildGrantMedalAction();
+            $actions[] = $this->buildChangeBonusEtcAction();
+            if ($this->record->two_step_secret) {
+                $actions[] = $this->buildDisableTwoStepAuthenticationAction();
+            }
+            if ($this->record->status == User::STATUS_PENDING) {
+                $actions[] = $this->buildConfirmAction();
+            }
+            $actions[] = $this->buildResetPasswordAction();
+            $actions[] = $this->buildEnableDisableAction();
         }
-        if ($this->record->status == User::STATUS_PENDING) {
-            $actions[] = $this->buildConfirmAction();
-        }
-        $actions[] = $this->buildResetPasswordAction();
-        $actions[] = $this->buildAssignExamAction();
-        $actions[] = $this->buildGrantMedalAction();
-        $actions[] = $this->buildChangeBonusEtcAction();
-        $actions[] = $this->buildEnableDisableAction();
         return $actions;
     }
@@ -219,6 +221,10 @@ class UserProfile extends Page
             ->modalHeading(__('admin.resources.user.actions.confirm_btn'))
             ->requiresConfirmation()
             ->action(function () {
+                if (Auth::user()->class <= $this->record->class) {
+                    $this->notify('danger', 'No permission!');
+                    return;
+                }
                 $this->record->status = User::STATUS_CONFIRMED;
                 $this->record->info= null;
                 $this->record->save();
diff --git a/app/Repositories/ExamRepository.php b/app/Repositories/ExamRepository.php
index 332fa228..e14d619a 100644
--- a/app/Repositories/ExamRepository.php
+++ b/app/Repositories/ExamRepository.php
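Review bot: The new `Auth::user()->class > $this->record->class` wrapper in getActions only decides which buttons are rendered; it is not an authorization boundary, so the checks that actually protect the operations are the repository-side ones this commit adds, and this gate has to be kept in step with them (they compare with `<=`, this one with `>`, which agree today but can drift). As a matter of style the whole body is now nested one level under that condition; a guard clause reads flatter: `if (Auth::user()->class <= $this->record->class) { return []; }` followed by the unconditional appends. The moved `$this->record->status == User::STATUS_PENDING` comparison is pre-existing, but since the line is being rewritten anyway, `===` would avoid a loose string/int compare if `status` is not cast on the model.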
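Review bot: The class check inside the confirm action closure is the only one of the gated actions whose authorization lives in the page rather than in a repository; if user confirmation is also reachable through another path (API, console), that path stays unprotected, so consider moving the status change into a repository method that carries the same check, as the other actions in this commit do. Within the hunk, the notification text `'No permission!'` is a hard-coded string beside a translated heading (`__('admin.resources.user.actions.confirm_btn')`); use a translation key for it as well. The closure continues outside the hunk.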
@@ -16,6 +16,7 @@ use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Query\JoinClause;
 use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\DB;
 class ExamRepository extends BaseRepository
@@ -292,6 +293,9 @@ class ExamRepository extends BaseRepository
         $logPrefix = "uid: $uid, examId: $examId, begin: $begin, end: $end";
         $exam = Exam::query()->find($examId);
         $user = User::query()->findOrFail($uid);
+        if (Auth::user()->Class <= $user->class) {
+            throw new NexusException("No permission !");
+        }
         if (!$this->isExamMatchUser($exam, $user)) {
             throw new NexusException("Exam: {$exam->id} no match this user.");
         }
diff --git a/app/Repositories/MedalRepository.php b/app/Repositories/MedalRepository.php
index 39ebc943..d21ef17a 100644
--- a/app/Repositories/MedalRepository.php
+++ b/app/Repositories/MedalRepository.php
@@ -5,6 +5,7 @@ use App\Models\Medal;
 use App\Models\User;
 use App\Models\UserMedal;
 use Carbon\Carbon;
+use Illuminate\Support\Facades\Auth;
 use Nexus\Database\NexusDB;
 class MedalRepository extends BaseRepository
@@ -56,6 +57,9 @@ class MedalRepository extends BaseRepository
     public function grantToUser(int $uid, int $medalId, $duration = null)
     {
         $user = User::query()->findOrFail($uid, User::$commonFields);
+        if (Auth::user()->class <= $user->class) {
+            throw new \LogicException("No permission!");
+        }
         $medal = Medal::query()->findOrFail($medalId);
         $exists = $user->valid_medals()->where('medal_id', $medalId)->exists();
         do_log(last_query());
diff --git a/app/Repositories/UserRepository.php b/app/Repositories/UserRepository.php
index 416f3784..47973fa1 100644
--- a/app/Repositories/UserRepository.php
+++ b/app/Repositories/UserRepository.php
@@ -11,6 +11,7 @@ use App\Models\User;
 use App\Models\UserBanLog;
 use Carbon\Carbon;
 use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\DB;
 use Nexus\Database\NexusDB;
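Review bot: `Auth::user()->Class` reads the attribute with a capital C while every other check in this commit (and `$user->class` on the same line) uses lowercase `class`; Eloquent attribute lookup is case-sensitive on the attributes array, so unless the User model defines a `Class` accessor this most likely evaluates to null (with a "property on null"-style warning on PHP 8 if the facade itself returns null), and `null <= $user->class` is true under PHP's null-to-bool comparison, meaning the branch throws for every caller including operators who should be allowed. Change it to `if (Auth::user()->class <= $user->class) {`. The same capitalised `Class` appears in the UserRepository hunk at `@@ -226,6 +233,9 @@`. Separately, if this method is reachable without a web session (console command, queued job), `Auth::user()` is null there; an explicit `Auth::user() === null ||` in the condition, or passing the operator in as a parameter, makes that denial deliberate rather than a side effect of a warning.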
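Review bot: The authorization failure in grantToUser throws `\LogicException`, while the equivalent checks added in the same commit throw `NexusException` (ExamRepository, the UserRepository enable and field-update hunks) and `\RuntimeException` (the two-step reset hunk); LogicException conventionally marks a programming error, and an application exception handler may log or render it differently from a user-facing denial. Use the domain exception here for a consistent response: `throw new NexusException('No permission!');` — or introduce one dedicated permission exception and use it in all of these hunks so callers can catch a single type. The method body continues beyond the hunk.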
@@ -132,7 +133,10 @@ class UserRepository extends BaseRepository
         if ($password != $passwordConfirmation) {
             throw new \InvalidArgumentException("password confirmation != password");
         }
-        $user = User::query()->findOrFail($id, ['id', 'username']);
+        $user = User::query()->findOrFail($id, ['id', 'username', 'class']);
+        if (Auth::user()->class <= $user->class) {
+            throw new \LogicException("Sorry, you don't have enough permission to reset this user's password.");
+        }
         $secret = mksecret();
         $passhash = md5($secret . $password . $secret);
         $update = [
@@ -182,6 +186,9 @@ class UserRepository extends BaseRepository
         if ($targetUser->enabled == User::ENABLED_YES) {
             throw new NexusException('Already enabled !');
         }
+        if ($targetUser->class >= $operator->class) {
+            throw new NexusException('No Permission !');
+        }
         $update = [
             'enabled' => User::ENABLED_YES
         ];
@@ -226,6 +233,9 @@ class UserRepository extends BaseRepository
         }
         $sourceField = $fieldMap[$field];
         $targetUser = User::query()->findOrFail($uid, User::$commonFields);
+        if (Auth::user()->Class <= $targetUser->class) {
+            throw new NexusException("No permission !");
+        }
         $old = $targetUser->{$sourceField};
         $valueAtomic = $value;
         $formatSize = false;
@@ -310,6 +320,9 @@ class UserRepository extends BaseRepository
             throw new \RuntimeException("No permission.");
         }
         $user = User::query()->findOrFail($uid, User::$commonFields);
+        if ($operator->class <= $user->class) {
+            throw new \RuntimeException("No permission!");
+        }
         $user->two_step_secret = '';
         return $user->save();
     }
diff --git a/include/constants.php b/include/constants.php
index 5d6e49a0..0786a12a 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -1,6 +1,6 @@
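Review bot: The password-reset hunk resolves the operator through the `Auth` facade inside the repository, while the enable and two-step hunks later in this file (`@@ -182,6 +186,9 @@`, `@@ -310,6 +320,9 @@`) compare against an `$operator` already in scope; mixing the two styles hides a dependency on request state and makes the repository unusable from console or tests without a faked guard. Prefer the explicit form — pass the operator in, or resolve it once at the top of the method with a null check — and consider centralising the repeated comparison so the many copies of `<=`/`>=` across this commit cannot drift, e.g. a User helper `public function canOperateOn(User $target): bool { return $this->class > $target->class; }`. Note that the equal-class case is denied, so an operator resetting their own password through this method would be refused; if self-service goes through this path, compare ids before the class test. The enclosing function begins before the hunk.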
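Review bot: The new `$operator->class <= $user->class` test in the two-step reset method sits directly after an existing permission check that throws `\RuntimeException("No permission.")` (its condition is outside the hunk), so the method now has two consecutive gates throwing the same type with messages that differ only in punctuation (`"No permission."` vs `"No permission!"`). If the earlier condition is also an operator test, fold the new one into it with `||` so one throw covers both; otherwise at least reuse the same message so callers and logs can match on it. The earlier check's condition begins before the hunk.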