Updated so permission effect admins more

Asset permissions can now be configured for admins. joint_permissions will now effect admins more often. Made so shelves header link will hide if you have no bookshelves view permission.
2024-11-22 20:30:18 +08:00 · 2018-09-20 19:48:08 +01:00 · 2018-09-20 19:48:08 +01:00 · 8ff969dd17
commit 8ff969dd17
parent 6eead437d8
5 changed files with 27 additions and 49 deletions
--- a/app/Repos/PermissionsRepo.php
+++ b/app/Repos/PermissionsRepo.php
@ -80,7 +80,7 @@ class PermissionsRepo

    /**
     * Updates an existing role.
-     * Ensure Admin role always has all permissions.
+     * Ensure Admin role always have core permissions.
     * @param $roleId
     * @param $roleData
     * @throws PermissionsException
@ -90,13 +90,18 @@ class PermissionsRepo
        $role = $this->role->findOrFail($roleId);

        $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
-        $this->assignRolePermissions($role, $permissions);
-
        if ($role->system_name === 'admin') {
-            $permissions = $this->permission->all()->pluck('id')->toArray();
-            $role->permissions()->sync($permissions);
+            $permissions = array_merge($permissions, [
+                'users-manage',
+                'user-roles-manage',
+                'restrictions-manage-all',
+                'restrictions-manage-own',
+                'settings-manage',
+            ]);
        }

+        $this->assignRolePermissions($role, $permissions);
+
        $role->fill($roleData);
        $role->save();
        $this->permissionService->buildJointPermissionForRole($role);
--- a/app/Services/PermissionService.php
+++ b/app/Services/PermissionService.php
@ -60,7 +60,6 @@ class PermissionService
        $this->book = $book;
        $this->chapter = $chapter;
        $this->page = $page;
-        // TODO - Update so admin still goes through filters
    }

    /**
@ -520,11 +519,6 @@ class PermissionService
     */
    public function checkOwnableUserAccess(Ownable $ownable, $permission)
    {
-        if ($this->isAdmin()) {
-            $this->clean();
-            return true;
-        }
-
        $explodedPermission = explode('-', $permission);

        $baseQuery = $ownable->where('id', '=', $ownable->id);
@ -617,17 +611,16 @@ class PermissionService
        $query = $this->db->query()->select('*')->from($this->db->raw("({$pageSelect->toSql()} UNION {$chapterSelect->toSql()}) AS U"))
            ->mergeBindings($pageSelect)->mergeBindings($chapterSelect);

-        if (!$this->isAdmin()) {
-            $whereQuery = $this->db->table('joint_permissions as jp')->selectRaw('COUNT(*)')
-                ->whereRaw('jp.entity_id=U.id')->whereRaw('jp.entity_type=U.entity_type')
-                ->where('jp.action', '=', 'view')->whereIn('jp.role_id', $this->getRoles())
-                ->where(function ($query) {
-                    $query->where('jp.has_permission', '=', 1)->orWhere(function ($query) {
-                        $query->where('jp.has_permission_own', '=', 1)->where('jp.created_by', '=', $this->currentUser()->id);
-                    });
+        // Add joint permission filter
+        $whereQuery = $this->db->table('joint_permissions as jp')->selectRaw('COUNT(*)')
+            ->whereRaw('jp.entity_id=U.id')->whereRaw('jp.entity_type=U.entity_type')
+            ->where('jp.action', '=', 'view')->whereIn('jp.role_id', $this->getRoles())
+            ->where(function ($query) {
+                $query->where('jp.has_permission', '=', 1)->orWhere(function ($query) {
+                    $query->where('jp.has_permission_own', '=', 1)->where('jp.created_by', '=', $this->currentUser()->id);
                });
-            $query->whereRaw("({$whereQuery->toSql()}) > 0")->mergeBindings($whereQuery);
-        }
+            });
+        $query->whereRaw("({$whereQuery->toSql()}) > 0")->mergeBindings($whereQuery);

        $query->orderBy('draft', 'desc')->orderBy('priority', 'asc');
        $this->clean();
@ -655,11 +648,6 @@ class PermissionService
            });
        }

-        if ($this->isAdmin()) {
-            $this->clean();
-            return $query;
-        }
-
        $this->currentAction = $action;
        return $this->entityRestrictionQuery($query);
    }
@ -675,10 +663,6 @@ class PermissionService
     */
    public function filterRestrictedEntityRelations($query, $tableName, $entityIdColumn, $entityTypeColumn, $action = 'view')
    {
-        if ($this->isAdmin()) {
-            $this->clean();
-            return $query;
-        }

        $this->currentAction = $action;
        $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];
@ -711,11 +695,6 @@ class PermissionService
     */
    public function filterRelatedPages($query, $tableName, $entityIdColumn)
    {
-        if ($this->isAdmin()) {
-            $this->clean();
-            return $query;
-        }
-
        $this->currentAction = 'view';
        $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn];

@ -740,19 +719,6 @@ class PermissionService
        return $q;
    }

-    /**
-     * Check if the current user is an admin.
-     * @return bool
-     */
-    private function isAdmin()
-    {
-        if ($this->isAdminUser === null) {
-            $this->isAdminUser = ($this->currentUser()->id !== null) ? $this->currentUser()->hasSystemRole('admin') : false;
-        }
-
-        return $this->isAdminUser;
-    }
-
    /**
     * Get the current user
     * @return User
--- a/resources/lang/en/settings.php
+++ b/resources/lang/en/settings.php
@ -90,6 +90,7 @@ return [
    'role_manage_settings' => 'Manage app settings',
    'role_asset' => 'Asset Permissions',
    'role_asset_desc' => 'These permissions control default access to the assets within the system. Permissions on Books, Chapters and Pages will override these permissions.',
+    'role_asset_admins' => 'Admins are automatically given access to all content but these options may show or hide UI options.',
    'role_all' => 'All',
    'role_own' => 'Own',
    'role_controlled_by_asset' => 'Controlled by the asset they are uploaded to',
--- a/resources/views/base.blade.php
+++ b/resources/views/base.blade.php
@ -52,7 +52,9 @@
                            </form>
                        </div>
                        <div class="links text-center">
-                            <a href="{{ baseUrl('/shelves') }}">@icon('bookshelf'){{ trans('entities.shelves') }}</a>
+                            @if(userCan('bookshelf-view-all') || userCan('bookshelf-view-own'))
+                                <a href="{{ baseUrl('/shelves') }}">@icon('bookshelf'){{ trans('entities.shelves') }}</a>
+                            @endif
                            <a href="{{ baseUrl('/books') }}">@icon('book'){{ trans('entities.books') }}</a>
                            @if(signedInUser() && userCan('settings-manage'))
                                <a href="{{ baseUrl('/settings') }}">@icon('settings'){{ trans('settings.settings') }}</a>
--- a/resources/views/settings/roles/form.blade.php
+++ b/resources/views/settings/roles/form.blade.php
@ -36,6 +36,10 @@
                    <h5>{{ trans('settings.role_asset') }}</h5>
                    <p>{{ trans('settings.role_asset_desc') }}</p>

+                    @if (isset($role) && $role->system_name === 'admin')
+                        <p>{{ trans('settings.role_asset_admins') }}</p>
+                    @endif
+
                    <table class="table">
                        <tr>
                            <th width="20%"></th>