security: expand and complete permissions matrix with granular, enterprise-ready permissions
This commit is contained in:
@@ -10,7 +10,7 @@ class ActivityLogController extends Controller
|
||||
{
|
||||
public function index(Request $request)
|
||||
{
|
||||
$this->authorize('user.view');
|
||||
abort_if(!auth()->user()->can('activity-logs.view'), 403, 'Unauthorized. Activity logs view permission required.');
|
||||
|
||||
$search = $request->input('search');
|
||||
$logName = $request->input('log_name');
|
||||
@@ -58,7 +58,7 @@ class ActivityLogController extends Controller
|
||||
|
||||
public function bulkDelete(Request $request)
|
||||
{
|
||||
$this->authorize('user.delete');
|
||||
abort_if(!auth()->user()->can('activity-logs.delete'), 403, 'Unauthorized. Activity logs delete permission required.');
|
||||
|
||||
$ids = (array) $request->input('ids', []);
|
||||
|
||||
|
||||
@@ -12,7 +12,7 @@ class NotificationController extends Controller
|
||||
{
|
||||
public function index(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
|
||||
abort_if(!auth()->user()->can('notifications.view'), 403, 'Unauthorized. Notification view permission required.');
|
||||
|
||||
$logs = NotificationLog::with(['targetUser', 'sender'])
|
||||
->latest()
|
||||
@@ -39,7 +39,7 @@ class NotificationController extends Controller
|
||||
|
||||
public function store(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
|
||||
abort_if(!auth()->user()->can('notifications.send'), 403, 'Unauthorized. Notification send permission required.');
|
||||
|
||||
$validated = $request->validate([
|
||||
'title' => 'required|string|max:255',
|
||||
|
||||
@@ -68,7 +68,7 @@ class RoleController extends Controller
|
||||
*/
|
||||
public function store(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
|
||||
abort_if(!auth()->user()->can('role.create'), 403, 'Unauthorized. Role creation permission required.');
|
||||
|
||||
$validated = $request->validate([
|
||||
'name' => 'required|string|max:50|unique:roles,name',
|
||||
@@ -87,7 +87,7 @@ class RoleController extends Controller
|
||||
*/
|
||||
public function destroy(Role $role)
|
||||
{
|
||||
abort_if(!auth()->user()->can('role.manage'), 403, 'Unauthorized. Role management permission required.');
|
||||
abort_if(!auth()->user()->can('role.delete'), 403, 'Unauthorized. Role deletion permission required.');
|
||||
|
||||
if ($role->name === 'super-admin') {
|
||||
return back()->withErrors(['error' => 'Cannot delete the super-admin role.']);
|
||||
|
||||
@@ -15,7 +15,7 @@ class SystemSettingController extends Controller
|
||||
*/
|
||||
public function index()
|
||||
{
|
||||
abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');
|
||||
abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.view'), 403, 'Unauthorized. Settings view permission required.');
|
||||
|
||||
$settings = Setting::all()->pluck('value', 'key');
|
||||
|
||||
@@ -73,7 +73,7 @@ class SystemSettingController extends Controller
|
||||
*/
|
||||
public function update(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');
|
||||
abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.edit'), 403, 'Unauthorized. Settings edit permission required.');
|
||||
|
||||
$validated = $request->validate([
|
||||
'settings' => 'required|array',
|
||||
@@ -140,7 +140,7 @@ class SystemSettingController extends Controller
|
||||
*/
|
||||
public function testEmail(Request $request)
|
||||
{
|
||||
abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.manage'), 403, 'Unauthorized. Settings management permission required.');
|
||||
abort_if(!auth()->user()->hasRole('super-admin') && !auth()->user()->can('settings.test-email'), 403, 'Unauthorized. SMTP testing permission required.');
|
||||
|
||||
$request->validate([
|
||||
'recipient' => 'required|email',
|
||||
|
||||
@@ -181,7 +181,7 @@ class UserController extends Controller
|
||||
|
||||
public function bulkArchive(Request $request)
|
||||
{
|
||||
$this->authorize('user.delete');
|
||||
abort_if(!auth()->user()->can('user.delete'), 403, 'Unauthorized. User delete permission required.');
|
||||
|
||||
$ids = array_filter(
|
||||
(array) $request->input('ids', []),
|
||||
@@ -195,7 +195,7 @@ class UserController extends Controller
|
||||
|
||||
public function bulkRestore(Request $request)
|
||||
{
|
||||
$this->authorize('user.delete');
|
||||
abort_if(!auth()->user()->can('user.restore'), 403, 'Unauthorized. User restore permission required.');
|
||||
|
||||
$ids = (array) $request->input('ids', []);
|
||||
|
||||
@@ -206,7 +206,7 @@ class UserController extends Controller
|
||||
|
||||
public function bulkForceDelete(Request $request)
|
||||
{
|
||||
$this->authorize('user.delete');
|
||||
abort_if(!auth()->user()->can('user.force-delete'), 403, 'Unauthorized. User permanent deletion permission required.');
|
||||
|
||||
$ids = array_filter(
|
||||
(array) $request->input('ids', []),
|
||||
|
||||
@@ -33,11 +33,11 @@ class UserPolicy
|
||||
|
||||
public function restore(User $authUser, User $user): bool
|
||||
{
|
||||
return $authUser->hasPermissionTo('user.delete');
|
||||
return $authUser->hasPermissionTo('user.restore');
|
||||
}
|
||||
|
||||
public function forceDelete(User $authUser, User $user): bool
|
||||
{
|
||||
return $authUser->hasPermissionTo('user.delete') && $authUser->id !== $user->id;
|
||||
return $authUser->hasPermissionTo('user.force-delete') && $authUser->id !== $user->id;
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user