admin permission control

2026-04-15 13:32:41 +08:00 · 2022-07-18 01:37:50 +08:00
parent c147ba528f
commit ffd25a1dae
5 changed files with 39 additions and 12 deletions
--- a/app/Filament/Resources/User/UserResource/Pages/UserProfile.php
+++ b/app/Filament/Resources/User/UserResource/Pages/UserProfile.php
@@ -48,17 +48,19 @@ class UserProfile extends Page
    protected function getActions(): array
    {
        $actions = [];
-        if ($this->record->two_step_secret) {
-            $actions[] = $this->buildDisableTwoStepAuthenticationAction();
+        if (Auth::user()->class > $this->record->class) {
+            $actions[] = $this->buildAssignExamAction();
+            $actions[] = $this->buildGrantMedalAction();
+            $actions[] = $this->buildChangeBonusEtcAction();
+            if ($this->record->two_step_secret) {
+                $actions[] = $this->buildDisableTwoStepAuthenticationAction();
+            }
+            if ($this->record->status == User::STATUS_PENDING) {
+                $actions[] = $this->buildConfirmAction();
+            }
+            $actions[] = $this->buildResetPasswordAction();
+            $actions[] = $this->buildEnableDisableAction();
        }
-        if ($this->record->status == User::STATUS_PENDING) {
-            $actions[] = $this->buildConfirmAction();
-        }
-        $actions[] = $this->buildResetPasswordAction();
-        $actions[] = $this->buildAssignExamAction();
-        $actions[] = $this->buildGrantMedalAction();
-        $actions[] = $this->buildChangeBonusEtcAction();
-        $actions[] = $this->buildEnableDisableAction();
        return $actions;
    }

@@ -219,6 +221,10 @@ class UserProfile extends Page
            ->modalHeading(__('admin.resources.user.actions.confirm_btn'))
            ->requiresConfirmation()
            ->action(function () {
+                if (Auth::user()->class <= $this->record->class) {
+                    $this->notify('danger', 'No permission!');
+                    return;
+                }
                $this->record->status = User::STATUS_CONFIRMED;
                $this->record->info= null;
                $this->record->save();
--- a/app/Repositories/ExamRepository.php
+++ b/app/Repositories/ExamRepository.php
@@ -16,6 +16,7 @@ use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Query\JoinClause;
 use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\DB;

 class ExamRepository extends BaseRepository
@@ -292,6 +293,9 @@ class ExamRepository extends BaseRepository
        $logPrefix = "uid: $uid, examId: $examId, begin: $begin, end: $end";
        $exam = Exam::query()->find($examId);
        $user = User::query()->findOrFail($uid);
+        if (Auth::user()->Class <= $user->class) {
+            throw new NexusException("No permission !");
+        }
        if (!$this->isExamMatchUser($exam, $user)) {
            throw new NexusException("Exam: {$exam->id} no match this user.");
        }
--- a/app/Repositories/MedalRepository.php
+++ b/app/Repositories/MedalRepository.php
@@ -5,6 +5,7 @@ use App\Models\Medal;
 use App\Models\User;
 use App\Models\UserMedal;
 use Carbon\Carbon;
+use Illuminate\Support\Facades\Auth;
 use Nexus\Database\NexusDB;

 class MedalRepository extends BaseRepository
@@ -56,6 +57,9 @@ class MedalRepository extends BaseRepository
    public function  grantToUser(int $uid, int $medalId, $duration = null)
    {
        $user = User::query()->findOrFail($uid, User::$commonFields);
+        if (Auth::user()->class <= $user->class) {
+            throw new \LogicException("No permission!");
+        }
        $medal = Medal::query()->findOrFail($medalId);
        $exists = $user->valid_medals()->where('medal_id', $medalId)->exists();
        do_log(last_query());
--- a/app/Repositories/UserRepository.php
+++ b/app/Repositories/UserRepository.php
@@ -11,6 +11,7 @@ use App\Models\User;
 use App\Models\UserBanLog;
 use Carbon\Carbon;
 use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\DB;
 use Nexus\Database\NexusDB;

@@ -132,7 +133,10 @@ class UserRepository extends BaseRepository
        if ($password != $passwordConfirmation) {
            throw new \InvalidArgumentException("password confirmation != password");
        }
-        $user = User::query()->findOrFail($id, ['id', 'username']);
+        $user = User::query()->findOrFail($id, ['id', 'username', 'class']);
+        if (Auth::user()->class <= $user->class) {
+            throw new \LogicException("Sorry, you don't have enough permission to reset this user's password.");
+        }
        $secret = mksecret();
        $passhash = md5($secret . $password . $secret);
        $update = [
@@ -182,6 +186,9 @@ class UserRepository extends BaseRepository
        if ($targetUser->enabled == User::ENABLED_YES) {
            throw new NexusException('Already enabled !');
        }
+        if ($targetUser->class >= $operator->class) {
+            throw new NexusException('No Permission !');
+        }
        $update = [
            'enabled' => User::ENABLED_YES
        ];
@@ -226,6 +233,9 @@ class UserRepository extends BaseRepository
        }
        $sourceField = $fieldMap[$field];
        $targetUser = User::query()->findOrFail($uid, User::$commonFields);
+        if (Auth::user()->Class <= $targetUser->class) {
+            throw new NexusException("No permission !");
+        }
        $old = $targetUser->{$sourceField};
        $valueAtomic = $value;
        $formatSize = false;
@@ -310,6 +320,9 @@ class UserRepository extends BaseRepository
            throw new \RuntimeException("No permission.");
        }
        $user = User::query()->findOrFail($uid, User::$commonFields);
+        if ($operator->class <= $user->class) {
+            throw new \RuntimeException("No permission!");
+        }
        $user->two_step_secret = '';
        return $user->save();
    }