
fix permissions

Alexander Musikhin 1 week ago
parent
commit
8ab2a35ac1

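--- a/app/Http/Controllers/UserController.php
+++ b/app/Http/Controllers/UserController.php
@@ -266,6 +266,8 @@ class UserController extends Controller
             return redirect()->route('login')->with(['danger' => 'Не удалось вернуться к исходному пользователю.']);
         }
 
+        abort_unless($impersonator->resolvedRoleSlug() === Role::ADMIN, 403);
+
         Auth::login($impersonator);
         $request->session()->forget('impersonator_id');
         $request->session()->regenerate();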
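Review bot: On the refused path the new `abort_unless` leaves `impersonator_id` in the session and the caller still logged in as the impersonated user, so the stale id survives and every later leave attempt repeats the same 403 without the inconsistent state ever being cleared. The check itself sits in the right place, before `Auth::login($impersonator)`, but it is worth turning into an explicit guard that runs `$request->session()->forget('impersonator_id');` and then `abort(403);`, since a session whose impersonator id resolves to a non-admin is an anomaly rather than a normal user error. A log line at that point would also give operators a signal for tampered or stale impersonation sessions. The enclosing method starts and ends outside this hunk, so whether an earlier branch already logs or clears the key cannot be seen here.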

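--- a/app/Http/Middleware/EnsureRoutePermission.php
+++ b/app/Http/Middleware/EnsureRoutePermission.php
@@ -18,9 +18,7 @@ class EnsureRoutePermission
         $user = $request->user();
         $routeName = $request->route()?->getName();
 
-        $routePermission = $routeName === 'import.create' && $request->input('type') === 'catalog'
-            ? 'catalog.import'
-            : $this->accessService->routePermission($routeName);
+        $routePermission = $this->accessService->routePermission($routeName);
 
         if (!$user || !$routeName || !$routePermission) {
             return $next($request);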
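Review bot: With the `type === 'catalog'` branch removed, whether a catalog import still requires `catalog.import` now rests entirely on how `routePermission()` (not visible here) interprets the array value `['import.create', 'catalog.import']` that config/access_routes.php returns for `import.create`: if the list means any-of, a user holding only `import.create` gains catalog imports; if it means all-of, that user loses plain imports too. The `!$routePermission` guard on the next line passes a non-empty array either way, so nothing in this middleware pins the answer. The same collapse happens in app/Http/Middleware/EnsureUserHasRole.php, where `canAccessRoute()` carries the same question. `handle()` starts and ends outside this hunk; a feature test with an `import.create`-only user posting `type=catalog` would make the intended semantics explicit.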

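--- a/app/Http/Middleware/EnsureUserHasRole.php
+++ b/app/Http/Middleware/EnsureUserHasRole.php
@@ -26,9 +26,7 @@ class EnsureUserHasRole
         $user = $request->user();
 
         $routeName = $request->route()?->getName();
-        $hasRoutePermission = $user && $routeName === 'import.create' && $request->input('type') === 'catalog'
-            ? $this->accessService->can($user, 'catalog.import')
-            : ($user && $this->accessService->canAccessRoute($user, $routeName));
+        $hasRoutePermission = $user && $this->accessService->canAccessRoute($user, $routeName);
 
         if ($user?->hasRole($roles) || $hasRoutePermission) {
             return $next($request);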

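--- a/config/access_routes.php
+++ b/config/access_routes.php
@@ -83,7 +83,7 @@ return [
         'import.' => [
             'index' => 'import.view',
             'show' => 'import.view',
-            'create' => 'import.create',
+            'create' => ['import.create', 'catalog.import'],
         ],
         'maf_order.' => [
             'index' => 'maf_orders.view',
@@ -170,6 +170,11 @@ return [
             'generate-photos-before-pack' => 'reclamations.documents.generate',
             'generate-photos-after-pack' => 'reclamations.documents.generate',
         ],
+        'reclamation.' => [
+            'generate-reclamation-payment-pack' => 'reclamations.documents.generate',
+            'generate-photos-before-pack' => 'reclamations.documents.generate',
+            'generate-photos-after-pack' => 'reclamations.documents.generate',
+        ],
         'reports.' => [
             '*' => 'reports.view',
         ],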
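Review bot: `'create' => ['import.create', 'catalog.import']` is the only array-valued entry visible in this map, and nothing in the file says whether a list means all permissions required or any one sufficient, which is precisely the distinction the removed `type=catalog` branches in the two middlewares used to spell out. A comment above the line, e.g. `// list: all of these permissions are required (see AccessService::routePermission)`, with "all"/"any" chosen to match the real implementation, would stop the next reader guessing at an access-control rule. Separately, the new `'reclamation.'` block repeats three entries of the block just above it verbatim; if both route prefixes are genuinely registered, a one-line comment naming the two route groups would explain why the mapping is duplicated rather than looking like a typo for the plural prefix.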

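--- a/database/seeders/RbacSeeder.php
+++ b/database/seeders/RbacSeeder.php
@@ -143,7 +143,6 @@ class RbacSeeder extends Seeder
             'reclamations.act.delete',
             'reclamations.spare_parts.manage',
             'catalog.view',
-            'catalog.import',
             'maf.view',
             'maf.update',
             'maf.passports.upload',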

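--- a/tests/Feature/UserControllerTest.php
+++ b/tests/Feature/UserControllerTest.php
@@ -251,4 +251,26 @@ class UserControllerTest extends TestCase
         $response->assertRedirect(route('home'));
         $response->assertSessionHas('impersonator_id', $this->adminUser->id);
     }
+
+    public function test_impersonated_session_can_leave_only_to_admin(): void
+    {
+        $targetUser = User::factory()->create(['role' => Role::MANAGER]);
+
+        $response = $this->actingAs($targetUser)
+            ->withSession(['impersonator_id' => $this->adminUser->id])
+            ->post(route('user.impersonate.leave'));
+
+        $response->assertRedirect(route('user.index'));
+    }
+
+    public function test_impersonated_session_cannot_leave_to_non_admin(): void
+    {
+        $targetUser = User::factory()->create(['role' => Role::BRIGADIER]);
+
+        $response = $this->actingAs($targetUser)
+            ->withSession(['impersonator_id' => $this->managerUser->id])
+            ->post(route('user.impersonate.leave'));
+
+        $response->assertForbidden();
+    }
 }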
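Review bot: `test_impersonated_session_cannot_leave_to_non_admin` only checks the status code; it does not pin that the caller stays authenticated as `$targetUser` and that no login as the non-admin impersonator slipped through, which is what separates a refused leave from a half-applied one. Adding `$this->assertAuthenticatedAs($targetUser);` after `assertForbidden()` covers that, and should the controller be changed to clear the stale key on refusal, `$response->assertSessionMissing('impersonator_id');` would pin it too. The first test's name reads as if it checks a restriction, but it exercises the allowed case; a name such as `test_admin_impersonator_can_leave_impersonation` would say what the test actually does.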

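--- a/tests/Unit/Services/AccessServiceTest.php
+++ b/tests/Unit/Services/AccessServiceTest.php
@@ -46,6 +46,7 @@ class AccessServiceTest extends TestCase
 
         $this->assertTrue(app(AccessService::class)->can($manager, 'catalog.view'));
         $this->assertTrue(app(AccessService::class)->can($manager, 'catalog.fields.product_price.view'));
+        $this->assertFalse(app(AccessService::class)->can($manager, 'catalog.import'));
         $this->assertFalse(app(AccessService::class)->can($manager, 'catalog.update'));
     }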
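Review bot: The new `assertFalse` for `catalog.import` reflects the role definition after the grant was dropped from database/seeders/RbacSeeder.php, but a seeder edit only shapes freshly seeded databases; unless a migration or console command revokes the grant, environments seeded before this commit presumably keep the manager's `catalog.import` while this test passes green against a fresh schema. If such a revocation is part of the change set it is not visible on this page; otherwise a data migration removing the grant belongs with this commit, and the test name or a comment should say that it asserts the seeded baseline rather than live data.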