security: secure role, notification, system setting, and documentation pages with spatie permissions
This commit is contained in:
@@ -12,6 +12,8 @@ class NotificationController extends Controller
|
||||
{
|
||||
public function index(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
|
||||
|
||||
$logs = NotificationLog::with(['targetUser', 'sender'])
|
||||
->latest()
|
||||
->paginate(10);
|
||||
@@ -37,6 +39,8 @@ class NotificationController extends Controller
|
||||
|
||||
public function store(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
|
||||
|
||||
$validated = $request->validate([
|
||||
'title' => 'required|string|max:255',
|
||||
'body' => 'required|string',
|
||||
|
||||
@@ -11,6 +11,8 @@ class RoleController extends Controller
|
||||
{
|
||||
public function index()
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.view'), 403, 'Unauthorized. Role view permission required.');
|
||||
|
||||
$order = ['super-admin' => 0, 'admin' => 1, 'user' => 2];
|
||||
|
||||
$roles = Role::where('guard_name', 'web')
|
||||
@@ -48,6 +50,8 @@ class RoleController extends Controller
|
||||
*/
|
||||
public function updatePermissions(Request $request, Role $role)
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
|
||||
|
||||
$validated = $request->validate([
|
||||
'permissions' => 'required|array',
|
||||
'permissions.*' => 'string|exists:permissions,name',
|
||||
@@ -64,6 +68,8 @@ class RoleController extends Controller
|
||||
*/
|
||||
public function store(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
|
||||
|
||||
$validated = $request->validate([
|
||||
'name' => 'required|string|max:50|unique:roles,name',
|
||||
]);
|
||||
@@ -81,6 +87,8 @@ class RoleController extends Controller
|
||||
*/
|
||||
public function destroy(Role $role)
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
|
||||
|
||||
if ($role->name === 'super-admin') {
|
||||
return back()->withErrors(['error' => 'Cannot delete the super-admin role.']);
|
||||
}
|
||||
|
||||
@@ -15,7 +15,7 @@ class SystemSettingController extends Controller
|
||||
*/
|
||||
public function index()
|
||||
{
|
||||
abort_if(!auth()->user()->hasRole('super-admin'), 403, 'Unauthorized. Super-Admin only.');
|
||||
abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');
|
||||
|
||||
$settings = Setting::all()->pluck('value', 'key');
|
||||
|
||||
@@ -73,7 +73,7 @@ class SystemSettingController extends Controller
|
||||
*/
|
||||
public function update(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->hasRole('super-admin'), 403, 'Unauthorized. Super-Admin only.');
|
||||
abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');
|
||||
|
||||
$validated = $request->validate([
|
||||
'settings' => 'required|array',
|
||||
@@ -140,7 +140,7 @@ class SystemSettingController extends Controller
|
||||
*/
|
||||
public function testEmail(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->hasRole('super-admin'), 403, 'Unauthorized. Super-Admin only.');
|
||||
abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');
|
||||
|
||||
$request->validate([
|
||||
'recipient' => 'required|email',
|
||||
|
||||
+9
-5
@@ -38,10 +38,12 @@ Route::middleware(['auth', 'verified'])->group(function () {
|
||||
// Settings page
|
||||
Route::get('/settings', [SettingsController::class, 'index'])->name('settings.index');
|
||||
|
||||
// System Settings (Super-Admin only)
|
||||
Route::get('/system-settings', [\App\Http\Controllers\SystemSettingController::class, 'index'])->name('system.settings.index');
|
||||
Route::patch('/system-settings', [\App\Http\Controllers\SystemSettingController::class, 'update'])->name('system.settings.update');
|
||||
Route::post('/system-settings/test-email', [\App\Http\Controllers\SystemSettingController::class, 'testEmail'])->name('system.settings.test-email');
|
||||
// System Settings (Super-Admin / settings.manage)
|
||||
Route::middleware('can:settings.manage')->group(function () {
|
||||
Route::get('/system-settings', [\App\Http\Controllers\SystemSettingController::class, 'index'])->name('system.settings.index');
|
||||
Route::patch('/system-settings', [\App\Http\Controllers\SystemSettingController::class, 'update'])->name('system.settings.update');
|
||||
Route::post('/system-settings/test-email', [\App\Http\Controllers\SystemSettingController::class, 'testEmail'])->name('system.settings.test-email');
|
||||
});
|
||||
|
||||
// Users CRUD
|
||||
Route::get('/users', [UserController::class, 'index'])->name('users.index');
|
||||
@@ -68,7 +70,9 @@ Route::middleware(['auth', 'verified'])->group(function () {
|
||||
Route::post('/notifications', [\App\Http\Controllers\NotificationController::class, 'store'])->name('notifications.store');
|
||||
|
||||
// Internal Docs
|
||||
Route::get('/documentation', fn() => Inertia::render('Docs/Index'))->name('docs.index');
|
||||
Route::get('/documentation', fn() => Inertia::render('Docs/Index'))
|
||||
->middleware('can:settings.manage')
|
||||
->name('docs.index');
|
||||
|
||||
// Two-Factor Authentication
|
||||
Route::get('/two-factor', [\App\Http\Controllers\TwoFactorController::class, 'show'])->name('two-factor.show');
|
||||
|
||||
Reference in New Issue
Block a user