diff --git a/app/Http/Controllers/Admin/ActivityLogController.php b/app/Http/Controllers/Admin/ActivityLogController.php index 2b061094..25978a37 100644 --- a/app/Http/Controllers/Admin/ActivityLogController.php +++ b/app/Http/Controllers/Admin/ActivityLogController.php @@ -14,6 +14,7 @@ use Spatie\Activitylog\Models\Activity; class ActivityLogController extends Controller { + const VIEW_PERMISSION = "admin.logs.read"; /** * Display a listing of the resource. * @@ -21,6 +22,9 @@ class ActivityLogController extends Controller */ public function index(Request $request) { + $this->checkPermission(self::VIEW_PERMISSION); + + $cronLogs = Storage::disk('logs')->exists('cron.log') ? Storage::disk('logs')->get('cron.log') : null; if ($request->input('search')) { diff --git a/app/Http/Controllers/Admin/ApplicationApiController.php b/app/Http/Controllers/Admin/ApplicationApiController.php index f037efe8..f6c00bbd 100644 --- a/app/Http/Controllers/Admin/ApplicationApiController.php +++ b/app/Http/Controllers/Admin/ApplicationApiController.php @@ -16,6 +16,8 @@ use Illuminate\Http\Response; class ApplicationApiController extends Controller { + const READ_PERMISSION = "admin.api.read"; + const WRITE_PERMISSION = "admin.api.write"; /** * Display a listing of the resource. * @@ -23,6 +25,8 @@ class ApplicationApiController extends Controller */ public function index(LocaleSettings $locale_settings) { + $this->checkPermission(self::READ_PERMISSION); + return view('admin.api.index', [ 'locale_datatables' => $locale_settings->datatables ]); @@ -35,6 +39,8 @@ class ApplicationApiController extends Controller */ public function create() { + $this->checkPermission(self::WRITE_PERMISSION); + return view('admin.api.create'); } @@ -76,6 +82,7 @@ class ApplicationApiController extends Controller */ public function edit(ApplicationApi $applicationApi) { + $this->checkPermission(self::WRITE_PERMISSION); return view('admin.api.edit', [ 'applicationApi' => $applicationApi, ]); @@ -107,6 +114,8 @@ class ApplicationApiController extends Controller */ public function destroy(ApplicationApi $applicationApi) { + $this->checkPermission(self::WRITE_PERMISSION); + $applicationApi->delete(); return redirect()->back()->with('success', __('api key has been removed!')); diff --git a/app/Http/Controllers/Admin/LegalController.php b/app/Http/Controllers/Admin/LegalController.php index 0eafca57..27c858fb 100644 --- a/app/Http/Controllers/Admin/LegalController.php +++ b/app/Http/Controllers/Admin/LegalController.php @@ -10,6 +10,8 @@ use Qirolab\Theme\Theme; class LegalController extends Controller { + const READ_PERMISSION = "admin.legal.read"; + const WRITE_PERMISSION = "admin.legal.write"; /** * Display * @@ -17,6 +19,8 @@ class LegalController extends Controller */ public function index() { + $this->checkPermission(self::READ_PERMISSION); + $tos = File::get(Theme::path($path = 'views', "default") . '/information/tos-content.blade.php'); $privacy = File::get(Theme::path($path = 'views', "default") . '/information/privacy-content.blade.php'); $imprint = File::get(Theme::path($path = 'views', "default") . '/information/imprint-content.blade.php'); @@ -29,6 +33,8 @@ class LegalController extends Controller } public function update(Request $request){ + $this->checkPermission(self::READ_PERMISSION); + $tos = $request->tos; $privacy = $request->privacy; $imprint = $request->imprint; diff --git a/app/Http/Controllers/Admin/OverViewController.php b/app/Http/Controllers/Admin/OverViewController.php index eac33d02..90cd9307 100644 --- a/app/Http/Controllers/Admin/OverViewController.php +++ b/app/Http/Controllers/Admin/OverViewController.php @@ -19,6 +19,8 @@ use Carbon\Carbon; class OverViewController extends Controller { + const READ_PERMISSION = "admin.overview.read"; + const SYNC_PERMISSION = "admin.overview.sync"; public const TTL = 86400; private $pterodactyl; @@ -27,9 +29,11 @@ class OverViewController extends Controller { $this->pterodactyl = new PterodactylClient($ptero_settings); } - + public function index(GeneralSettings $general_settings) { + $this->checkPermission(self::READ_PERMISSION); + //Get counters $counters = collect(); //Set basic variables in the collection @@ -225,6 +229,8 @@ class OverViewController extends Controller */ public function syncPterodactyl() { + $this->checkPermission(self::SYNC_PERMISSION); + Node::syncNodes(); Egg::syncEggs(); diff --git a/app/Http/Controllers/Admin/PartnerController.php b/app/Http/Controllers/Admin/PartnerController.php index cea2aec2..5c4a6bab 100644 --- a/app/Http/Controllers/Admin/PartnerController.php +++ b/app/Http/Controllers/Admin/PartnerController.php @@ -11,8 +11,12 @@ use Illuminate\Http\Request; class PartnerController extends Controller { + const READ_PERMISSION = "admin.partners.read"; + const WRITE_PERMISSION = "admin.partners.write"; public function index(LocaleSettings $locale_settings) { + $this->checkPermission(self::READ_PERMISSION); + return view('admin.partners.index', [ 'locale_datatables' => $locale_settings->datatables ]); @@ -25,6 +29,8 @@ class PartnerController extends Controller */ public function create() { + $this->checkPermission(self::WRITE_PERMISSION); + return view('admin.partners.create', [ 'partners' => PartnerDiscount::get(), 'users' => User::orderBy('name')->get(), @@ -62,6 +68,8 @@ class PartnerController extends Controller */ public function edit(PartnerDiscount $partner) { + $this->checkPermission(self::WRITE_PERMISSION); + return view('admin.partners.edit', [ 'partners' => PartnerDiscount::get(), 'partner' => $partner, @@ -98,6 +106,8 @@ class PartnerController extends Controller */ public function destroy(PartnerDiscount $partner) { + $this->checkPermission(self::WRITE_PERMISSION); + $partner->delete(); return redirect()->back()->with('success', __('partner has been removed!')); diff --git a/app/Http/Controllers/Admin/PaymentController.php b/app/Http/Controllers/Admin/PaymentController.php index 02d91bde..543cdcf6 100644 --- a/app/Http/Controllers/Admin/PaymentController.php +++ b/app/Http/Controllers/Admin/PaymentController.php @@ -24,11 +24,15 @@ use App\Settings\LocaleSettings; class PaymentController extends Controller { const BUY_PERMISSION = 'user.shop.buy'; + const VIEW_PERMISSION = "admin.payments.read"; /** * @return Application|Factory|View */ public function index(LocaleSettings $locale_settings) { + $this->checkPermission(self::VIEW_PERMISSION); + + return view('admin.payments.index')->with([ 'payments' => Payment::paginate(15), 'locale_datatables' => $locale_settings->datatables diff --git a/app/Http/Controllers/Admin/ProductController.php b/app/Http/Controllers/Admin/ProductController.php index f26691e3..3dc95829 100644 --- a/app/Http/Controllers/Admin/ProductController.php +++ b/app/Http/Controllers/Admin/ProductController.php @@ -19,6 +19,10 @@ use Illuminate\Http\Request; class ProductController extends Controller { + const READ_PERMISSION = "admin.products.read"; + const WRITE_PERMISSION = "admin.products.write"; + const EDIT_PERMISSION = "admin.products.edit"; + const DELETE_PERMISSION = "admin.products.delete"; /** * Display a listing of the resource. * @@ -26,6 +30,8 @@ class ProductController extends Controller */ public function index(LocaleSettings $locale_settings) { + $this->checkPermission(self::READ_PERMISSION); + return view('admin.products.index', [ 'locale_datatables' => $locale_settings->datatables ]); @@ -38,6 +44,7 @@ class ProductController extends Controller */ public function create(GeneralSettings $general_settings) { + $this->checkPermission(self::WRITE_PERMISSION); return view('admin.products.create', [ 'locations' => Location::with('nodes')->get(), 'nests' => Nest::with('eggs')->get(), @@ -47,6 +54,8 @@ class ProductController extends Controller public function clone(Product $product) { + $this->checkPermission(self::WRITE_PERMISSION); + return view('admin.products.create', [ 'product' => $product, 'locations' => Location::with('nodes')->get(), @@ -98,6 +107,8 @@ class ProductController extends Controller */ public function show(Product $product, UserSettings $user_settings, GeneralSettings $general_settings) { + $this->checkPermission(self::READ_PERMISSION); + return view('admin.products.show', [ 'product' => $product, 'minimum_credits' => $user_settings->min_credits_to_make_server, @@ -113,6 +124,8 @@ class ProductController extends Controller */ public function edit(Product $product, GeneralSettings $general_settings) { + $this->checkPermission(self::EDIT_PERMISSION); + return view('admin.products.edit', [ 'product' => $product, 'locations' => Location::with('nodes')->get(), @@ -167,6 +180,8 @@ class ProductController extends Controller */ public function disable(Product $product) { + $this->checkPermission(self::WRITE_PERMISSION); + $product->update(['disabled' => ! $product->disabled]); return redirect()->route('admin.products.index')->with('success', 'Product has been updated!'); @@ -180,6 +195,8 @@ class ProductController extends Controller */ public function destroy(Product $product) { + $this->checkPermission(self::DELETE_PERMISSION); + $servers = $product->servers()->count(); if ($servers > 0) { return redirect()->back()->with('error', "Product cannot be removed while it's linked to {$servers} servers"); diff --git a/app/Http/Controllers/Admin/RoleController.php b/app/Http/Controllers/Admin/RoleController.php index ed4194be..3850c180 100644 --- a/app/Http/Controllers/Admin/RoleController.php +++ b/app/Http/Controllers/Admin/RoleController.php @@ -16,6 +16,10 @@ use Spatie\Permission\Models\Role; class RoleController extends Controller { + const READ_PERMISSION = "admin.roles.read"; + const CREATE_PERMISSION = "admin.roles.create"; + const EDIT_PERMISSION = "admin.roles.edit"; + const DELETE_PERMISSION = "admin.roles.delete"; /** * Display a listing of the resource. * @@ -26,6 +30,7 @@ class RoleController extends Controller public function index(Request $request) { + $this->checkPermission(self::READ_PERMISSION); //datatables if ($request->ajax()) { @@ -43,6 +48,7 @@ class RoleController extends Controller */ public function create() { + $this->checkPermission(self::CREATE_PERMISSION); $permissions = Permission::all(); @@ -56,6 +62,8 @@ class RoleController extends Controller */ public function store(Request $request): RedirectResponse { + $this->checkPermission(self::CREATE_PERMISSION); + $role = Role::create([ 'name' => $request->name, 'color' => $request->color @@ -86,6 +94,7 @@ class RoleController extends Controller */ public function edit(Role $role) { + $this->checkPermission(self::EDIT_PERMISSION); $permissions = Permission::all(); @@ -100,6 +109,8 @@ class RoleController extends Controller */ public function update(Request $request, Role $role) { + $this->checkPermission(self::EDIT_PERMISSION); + if ($request->permissions) { if($role->id != 1){ //disable admin permissions change $role->syncPermissions($request->permissions); @@ -135,6 +146,7 @@ class RoleController extends Controller */ public function destroy(Role $role) { + $this->checkPermission(self::DELETE_PERMISSION); if($role->id == 1 || $role->id == 3 || $role->id == 4){ //cannot delete the hard coded roles return back()->with("error","You cannot delete that role"); diff --git a/app/Http/Controllers/Admin/ServerController.php b/app/Http/Controllers/Admin/ServerController.php index 8e2475f5..6fb3266a 100644 --- a/app/Http/Controllers/Admin/ServerController.php +++ b/app/Http/Controllers/Admin/ServerController.php @@ -20,6 +20,13 @@ use Illuminate\Support\Facades\Log; class ServerController extends Controller { + + const READ_PERMISSION = "admin.servers.read"; + const WRITE_PERMISSION = "admin.servers.write"; + const SUSPEND_PERMISSION = "admin.servers.suspend"; + const CHANGEOWNER_PERMISSION = "admin.servers.write.owner"; + const CHANGE_IDENTIFIER_PERMISSION ="admin.servers.write.identifier"; + const DELETE_PERMISSION = "admin.servers.delete"; private $pterodactyl; public function __construct(PterodactylSettings $ptero_settings) @@ -34,6 +41,8 @@ class ServerController extends Controller */ public function index(LocaleSettings $locale_settings) { + $this->checkPermission(self::READ_PERMISSION); + return view('admin.servers.index', [ 'locale_datatables' => $locale_settings->datatables ]); @@ -47,6 +56,8 @@ class ServerController extends Controller */ public function edit(Server $server) { + $this->checkPermission(self::WRITE_PERMISSION); + // get all users from the database $users = User::all(); @@ -70,7 +81,7 @@ class ServerController extends Controller ]); - if ($request->get('user_id') != $server->user_id) { + if ($request->get('user_id') != $server->user_id && $this->can(self::CHANGEOWNER_PERMISSION)) { // find the user $user = User::findOrFail($request->get('user_id')); @@ -89,7 +100,10 @@ class ServerController extends Controller } // update the identifier - $server->identifier = $request->get('identifier'); + if($this->can(self::CHANGE_IDENTIFIER_PERMISSION)) { + + $server->identifier = $request->get('identifier'); + } $server->save(); return redirect()->route('admin.servers.index')->with('success', 'Server updated!'); @@ -103,6 +117,7 @@ class ServerController extends Controller */ public function destroy(Server $server) { + $this->checkPermission(self::DELETE_PERMISSION); try { $server->delete(); @@ -118,6 +133,8 @@ class ServerController extends Controller */ public function toggleSuspended(Server $server) { + $this->checkPermission(self::SUSPEND_PERMISSION); + try { $server->isSuspended() ? $server->unSuspend() : $server->suspend(); } catch (Exception $exception) { diff --git a/app/Http/Controllers/Admin/SettingsController.php b/app/Http/Controllers/Admin/SettingsController.php index 7e1c5457..3c6782f0 100644 --- a/app/Http/Controllers/Admin/SettingsController.php +++ b/app/Http/Controllers/Admin/SettingsController.php @@ -15,6 +15,9 @@ use Qirolab\Theme\Theme; class SettingsController extends Controller { + + const READ_PERMISSIONS = "admin.settings.read"; + const WRITE_PERMISSIONS = "admin.settings.write"; /** * Display a listing of the resource. * @@ -23,6 +26,8 @@ class SettingsController extends Controller public function index() { + $this->checkPermission(self::READ_PERMISSIONS); + // get all other settings in app/Settings directory // group items by file name like $categories $settings = collect(); @@ -91,6 +96,8 @@ class SettingsController extends Controller */ public function update(Request $request) { + $this->checkPermission(self::WRITE_PERMISSIONS); + $category = request()->get('category'); $settings_class = request()->get('settings_class'); diff --git a/app/Http/Controllers/Admin/ShopProductController.php b/app/Http/Controllers/Admin/ShopProductController.php index 690493f8..74c32639 100644 --- a/app/Http/Controllers/Admin/ShopProductController.php +++ b/app/Http/Controllers/Admin/ShopProductController.php @@ -2,6 +2,7 @@ namespace App\Http\Controllers\Admin; +use App\Http\Controllers\Controller; use App\Models\ShopProduct; use App\Settings\GeneralSettings; use App\Settings\LocaleSettings; @@ -11,12 +12,15 @@ use Illuminate\Contracts\View\View; use Illuminate\Http\RedirectResponse; use Illuminate\Http\Request; use Illuminate\Http\Response; -use Illuminate\Routing\Controller; use Illuminate\Validation\Rule; class ShopProductController extends Controller { + const READ_PERMISSION = 'admin.store.read'; + const WRITE_PERMISSION = 'admin.store.write'; + const DISABLE_PERMISSION = 'admin.store.disable'; + /** * Display a listing of the resource. * @@ -24,6 +28,8 @@ class ShopProductController extends Controller */ public function index(LocaleSettings $locale_settings, GeneralSettings $general_settings) { + $this->checkPermission(self::READ_PERMISSION); + $isStoreEnabled = $general_settings->store_enabled; @@ -40,6 +46,8 @@ class ShopProductController extends Controller */ public function create(GeneralSettings $general_settings) { + $this->checkPermission(self::WRITE_PERMISSION); + return view('admin.store.create', [ 'currencyCodes' => config('currency_codes'), 'credits_display_name' => $general_settings->credits_display_name @@ -78,6 +86,8 @@ class ShopProductController extends Controller */ public function edit(ShopProduct $shopProduct, GeneralSettings $general_settings) { + $this->checkPermission(self::WRITE_PERMISSION); + return view('admin.store.edit', [ 'currencyCodes' => config('currency_codes'), 'shopProduct' => $shopProduct, @@ -117,6 +127,8 @@ class ShopProductController extends Controller */ public function disable(ShopProduct $shopProduct) { + $this->checkPermission(self::DISABLE_PERMISSION); + $shopProduct->update(['disabled' => !$shopProduct->disabled]); return redirect()->route('admin.store.index')->with('success', __('Product has been updated!')); @@ -130,6 +142,7 @@ class ShopProductController extends Controller */ public function destroy(ShopProduct $shopProduct) { + $this->checkPermission(self::WRITE_PERMISSION); $shopProduct->delete(); return redirect()->back()->with('success', __('Store item has been removed!')); diff --git a/app/Http/Controllers/Moderation/TicketCategoryController.php b/app/Http/Controllers/Admin/TicketCategoryController.php similarity index 81% rename from app/Http/Controllers/Moderation/TicketCategoryController.php rename to app/Http/Controllers/Admin/TicketCategoryController.php index 729e2f3c..74fff87a 100644 --- a/app/Http/Controllers/Moderation/TicketCategoryController.php +++ b/app/Http/Controllers/Admin/TicketCategoryController.php @@ -1,6 +1,6 @@ checkPermission(self::READ_PERMISSION); + $categories = TicketCategory::all(); - return view('moderator.ticket.category')->with("categories",$categories); + return view('admin.ticket.category')->with("categories",$categories); } /** @@ -28,6 +33,8 @@ class TicketCategoryController extends Controller */ public function store(Request $request) { + $this->checkPermission(self::WRITE_PERMISSION); + $request->validate([ 'name' => 'required|string|max:191', ]); @@ -35,7 +42,7 @@ class TicketCategoryController extends Controller TicketCategory::create($request->all()); - return redirect(route("moderator.ticket.category.index"))->with("success",__("Category created")); + return redirect(route("admin.ticket.category.index"))->with("success",__("Category created")); } /** @@ -46,6 +53,8 @@ class TicketCategoryController extends Controller */ public function update(Request $request) { + $this->checkPermission(self::WRITE_PERMISSION); + $request->validate([ 'category' => 'required|int', 'name' => 'required|string|max:191', @@ -68,6 +77,8 @@ class TicketCategoryController extends Controller */ public function destroy($id) { + $this->checkPermission(self::WRITE_PERMISSION); + $category = TicketCategory::where("id",$id)->firstOrFail(); if($category->id == 5 ){ //cannot delete "other" category @@ -84,7 +95,7 @@ class TicketCategoryController extends Controller $category->delete(); return redirect() - ->route('moderator.ticket.category.index') + ->route('admin.ticket.category.index') ->with('success', __('Category removed')); } @@ -101,7 +112,7 @@ class TicketCategoryController extends Controller }) ->addColumn('actions', function (TicketCategory $category) { return ' -
+ '.csrf_field().' '.method_field('DELETE').' diff --git a/app/Http/Controllers/Moderation/TicketsController.php b/app/Http/Controllers/Admin/TicketsController.php similarity index 86% rename from app/Http/Controllers/Moderation/TicketsController.php rename to app/Http/Controllers/Admin/TicketsController.php index cb05f36f..3622c22a 100644 --- a/app/Http/Controllers/Moderation/TicketsController.php +++ b/app/Http/Controllers/Admin/TicketsController.php @@ -1,8 +1,9 @@ checkPermission(self::READ_PERMISSION); + + return view('admin.ticket.index', [ 'tickets' => Ticket::orderBy('id', 'desc')->paginate(10), 'ticketcategories' => TicketCategory::all(), 'locale_datatables' => $locale_settings->datatables @@ -28,6 +36,7 @@ class TicketsController extends Controller public function show($ticket_id, PterodactylSettings $ptero_settings) { + $this->checkPermission(self::READ_PERMISSION); try { $ticket = Ticket::where('ticket_id', $ticket_id)->firstOrFail(); } catch (Exception $e) @@ -39,11 +48,12 @@ class TicketsController extends Controller $server = Server::where('id', $ticket->server)->first(); $pterodactyl_url = $ptero_settings->panel_url; - return view('moderator.ticket.show', compact('ticket', 'ticketcategory', 'ticketcomments', 'server', 'pterodactyl_url')); + return view('admin.ticket.show', compact('ticket', 'ticketcategory', 'ticketcomments', 'server', 'pterodactyl_url')); } public function changeStatus($ticket_id) { + $this->checkPermission(self::WRITE_PERMISSION); try { $ticket = Ticket::where('ticket_id', $ticket_id)->firstOrFail(); } catch(Exception $e) @@ -65,6 +75,7 @@ class TicketsController extends Controller public function delete($ticket_id) { + $this->checkPermission(self::WRITE_PERMISSION); try { $ticket = Ticket::where('ticket_id', $ticket_id)->firstOrFail(); } catch (Exception $e) @@ -80,6 +91,9 @@ class TicketsController extends Controller public function reply(Request $request) { + $this->checkPermission(self::WRITE_PERMISSION); + + $this->validate($request, ['ticketcomment' => 'required']); try { $ticket = Ticket::where('id', $request->input('ticket_id'))->firstOrFail(); @@ -114,7 +128,7 @@ class TicketsController extends Controller return $tickets->ticketcategory->name; }) ->editColumn('title', function (Ticket $tickets) { - return ''.'#'.$tickets->ticket_id.' - '.htmlspecialchars($tickets->title).''; + return ''.'#'.$tickets->ticket_id.' - '.htmlspecialchars($tickets->title).''; }) ->editColumn('user_id', function (Ticket $tickets) { return ''.$tickets->user->name.''; @@ -125,13 +139,13 @@ class TicketsController extends Controller $statusButtonText = ($tickets->status == "Closed") ? __('Reopen') : __('Close'); return ' - - + + '.csrf_field().' '.method_field('POST').'
-
+ '.csrf_field().' '.method_field('POST').' @@ -170,13 +184,17 @@ class TicketsController extends Controller public function blacklist(LocaleSettings $locale_settings) { - return view('moderator.ticket.blacklist', [ + $this->checkPermission(self::BLACKLIST_READ_PERMISSION); + + return view('admin.ticket.blacklist', [ 'locale_datatables' => $locale_settings->datatables ]); } public function blacklistAdd(Request $request) { + $this->checkPermission(self::BLACKLIST_WRITE_PERMISSION); + try { $user = User::where('id', $request->user_id)->firstOrFail(); $check = TicketBlacklist::where('user_id', $user->id)->first(); @@ -202,6 +220,8 @@ class TicketsController extends Controller public function blacklistDelete($id) { + $this->checkPermission(self::BLACKLIST_WRITE_PERMISSION); + $blacklist = TicketBlacklist::where('id', $id)->first(); $blacklist->delete(); @@ -210,6 +230,8 @@ class TicketsController extends Controller public function blacklistChange($id) { + $this->checkPermission(self::BLACKLIST_WRITE_PERMISSION); + try { $blacklist = TicketBlacklist::where('id', $id)->first(); } @@ -254,12 +276,12 @@ class TicketsController extends Controller }) ->addColumn('actions', function (TicketBlacklist $blacklist) { return ' - + '.csrf_field().' '.method_field('POST').'
-
+ '.csrf_field().' '.method_field('POST').' diff --git a/app/Http/Controllers/Admin/UsefulLinkController.php b/app/Http/Controllers/Admin/UsefulLinkController.php index ddfdb7de..17f8774b 100644 --- a/app/Http/Controllers/Admin/UsefulLinkController.php +++ b/app/Http/Controllers/Admin/UsefulLinkController.php @@ -15,6 +15,8 @@ use Illuminate\Http\Response; class UsefulLinkController extends Controller { + const READ_PERMISSION = "admin.useful_links.read"; + const WRITE_PERMISSION = "admin.useful_links.write"; /** * Display a listing of the resource. * @@ -22,6 +24,7 @@ class UsefulLinkController extends Controller */ public function index(LocaleSettings $locale_settings) { + $this->checkPermission(self::READ_PERMISSION); return view('admin.usefullinks.index', [ 'locale_datatables' => $locale_settings->datatables ]); @@ -34,6 +37,7 @@ class UsefulLinkController extends Controller */ public function create() { + $this->checkPermission(self::WRITE_PERMISSION); $positions = UsefulLinkLocation::cases(); return view('admin.usefullinks.create')->with('positions', $positions); } @@ -84,6 +88,8 @@ class UsefulLinkController extends Controller */ public function edit(UsefulLink $usefullink) { + $this->checkPermission(self::WRITE_PERMISSION); + $positions = UsefulLinkLocation::cases(); return view('admin.usefullinks.edit', [ 'link' => $usefullink, @@ -126,6 +132,7 @@ class UsefulLinkController extends Controller */ public function destroy(UsefulLink $usefullink) { + $this->checkPermission(self::WRITE_PERMISSION); $usefullink->delete(); return redirect()->back()->with('success', __('product has been removed!')); diff --git a/app/Http/Controllers/Admin/UserController.php b/app/Http/Controllers/Admin/UserController.php index caf8fafd..2edc3b7e 100644 --- a/app/Http/Controllers/Admin/UserController.php +++ b/app/Http/Controllers/Admin/UserController.php @@ -30,6 +30,20 @@ use Spatie\Permission\Models\Role; class UserController extends Controller { + const READ_PERMISSION = "admin.users.read"; + const WRITE_PERMISSION = "admin.users.write"; + const SUSPEND_PERMISSION = "admin.users.suspend"; + const CHANGE_EMAIL_PERMISSION = "admin.users.write.email"; + const CHANGE_CREDITS_PERMISSION = "admin.users.write.credits"; + const CHANGE_USERNAME_PERMISSION = "admin.users.write.username"; + const CHANGE_PASSWORD_PERMISSION = "admin.users.write.password"; + const CHANGE_ROLE_PERMISSION ="admin.users.write.role"; + const CHANGE_REFERAL_PERMISSION ="admin.users.write.referal"; + const CHANGE_PTERO_PERMISSION = "admin.users.write.pterodactyl"; + const DELETE_PERMISSION = "admin.users.delete"; + const NOTIFY_PERMISSION = "admin.users.notify"; + const LOGIN_PERMISSION = "admin.users.login_as"; + private $pterodactyl; public function __construct(PterodactylSettings $ptero_settings) @@ -45,6 +59,8 @@ class UserController extends Controller */ public function index(LocaleSettings $locale_settings, GeneralSettings $general_settings) { + $this->checkPermission(self::READ_PERMISSION); + return view('admin.users.index', [ 'locale_datatables' => $locale_settings->datatables, 'credits_display_name' => $general_settings->credits_display_name @@ -59,6 +75,8 @@ class UserController extends Controller */ public function show(User $user, LocaleSettings $locale_settings, GeneralSettings $general_settings) { + $this->checkPermission(self::READ_PERMISSION); + //QUERY ALL REFERRALS A USER HAS //i am not proud of this at all. $allReferals = []; @@ -109,6 +127,8 @@ class UserController extends Controller */ public function edit(User $user, GeneralSettings $general_settings) { + $this->checkPermission(self::WRITE_PERMISSION); + $roles = Role::all(); return view('admin.users.edit')->with([ 'user' => $user, @@ -134,12 +154,11 @@ class UserController extends Controller 'email' => 'required|string|email', 'credits' => 'required|numeric|min:0|max:99999999', 'server_limit' => 'required|numeric|min:0|max:1000000', - 'role' => Rule::in(['admin', 'moderator', 'client', 'member']), 'referral_code' => "required|string|min:2|max:32|unique:users,referral_code,{$user->id}", ]); //update roles - if ($request->roles) { + if ($request->roles && $this->can(self::CHANGE_ROLE_PERMISSION)) { $user->syncRoles($request->roles); } @@ -149,7 +168,7 @@ class UserController extends Controller ]); } - if (!is_null($request->input('new_password'))) { + if (!is_null($request->input('new_password')) && $this->can(self::CHANGE_PASSWORD_PERMISSION)) { $request->validate([ 'new_password' => 'required|string|min:8', 'new_password_confirmation' => 'required|same:new_password', @@ -160,7 +179,24 @@ class UserController extends Controller ]); } - $user->update($request->all()); + if($this->can(self::CHANGE_USERNAME_PERMISSION)){ + $user->name = $request->name; + } + if($this->can(self::CHANGE_CREDITS_PERMISSION)){ + $user->credits = $request->credits; + } + if($this->can(self::CHANGE_PTERO_PERMISSION)){ + $user->pterodactyl_id = $request->pterodactyl_id; + } + if($this->can(self::CHANGE_REFERAL_PERMISSION)){ + $user->referral_code = $request->referral_code; + } + if($this->can(self::CHANGE_EMAIL_PERMISSION)){ + $user->email = $request->email; + } + + $user->save(); + event(new UserUpdateCreditsEvent($user)); return redirect()->route('admin.users.index')->with('success', 'User updated!'); @@ -174,7 +210,9 @@ class UserController extends Controller */ public function destroy(User $user) { - if ($user->hasRole("Admin") && User::query()->where('role', 'admin')->count() === 1) { + $this->checkPermission(self::DELETE_PERMISSION); + + if ($user->hasRole(1) && User::role(1)->count() === 1) { return redirect()->back()->with('error', __('You can not delete the last admin!')); } @@ -203,6 +241,8 @@ class UserController extends Controller */ public function loginAs(Request $request, User $user) { + $this->checkPermission(self::LOGIN_PERMISSION); + $request->session()->put('previousUser', Auth::user()->id); Auth::login($user); @@ -215,6 +255,7 @@ class UserController extends Controller */ public function logBackIn(Request $request) { + Auth::loginUsingId($request->session()->get('previousUser'), true); $request->session()->remove('previousUser'); @@ -229,6 +270,8 @@ class UserController extends Controller */ public function notifications() { + $this->checkPermission(self::NOTIFY_PERMISSION); + return view('admin.users.notifications'); } @@ -243,6 +286,8 @@ class UserController extends Controller */ public function notify(Request $request) { + $this->checkPermission(self::NOTIFY_PERMISSION); + $data = $request->validate([ 'via' => 'required|min:1|array', 'via.*' => 'required|string|in:mail,database', @@ -283,6 +328,8 @@ class UserController extends Controller */ public function toggleSuspended(User $user) { + $this->checkPermission(self::SUSPEND_PERMISSION); + try { !$user->isSuspended() ? $user->suspend() : $user->unSuspend(); } catch (Exception $exception) { diff --git a/app/Http/Controllers/Admin/VoucherController.php b/app/Http/Controllers/Admin/VoucherController.php index 73498176..f39f9c33 100644 --- a/app/Http/Controllers/Admin/VoucherController.php +++ b/app/Http/Controllers/Admin/VoucherController.php @@ -19,6 +19,8 @@ use Illuminate\Validation\ValidationException; class VoucherController extends Controller { + const READ_PERMISSION = "admin.voucher.read"; + const WRITE_PERMISSION = "admin.voucher.write"; /** * Display a listing of the resource. * @@ -26,6 +28,8 @@ class VoucherController extends Controller */ public function index(LocaleSettings $locale_settings, GeneralSettings $general_settings) { + $this->checkPermission(self::READ_PERMISSION); + return view('admin.vouchers.index', [ 'locale_datatables' => $locale_settings->datatables, 'credits_display_name' => $general_settings->credits_display_name @@ -39,6 +43,7 @@ class VoucherController extends Controller */ public function create(GeneralSettings $general_settings) { + $this->checkPermission(self::WRITE_PERMISSION); return view('admin.vouchers.create', [ 'credits_display_name' => $general_settings->credits_display_name ]); @@ -84,6 +89,7 @@ class VoucherController extends Controller */ public function edit(Voucher $voucher, GeneralSettings $general_settings) { + $this->checkPermission(self::WRITE_PERMISSION); return view('admin.vouchers.edit', [ 'voucher' => $voucher, 'credits_display_name' => $general_settings->credits_display_name @@ -120,6 +126,7 @@ class VoucherController extends Controller */ public function destroy(Voucher $voucher) { + $this->checkPermission(self::WRITE_PERMISSION); $voucher->delete(); return redirect()->back()->with('success', __('voucher has been removed!')); @@ -127,6 +134,8 @@ class VoucherController extends Controller public function users(Voucher $voucher, LocaleSettings $locale_settings, GeneralSettings $general_settings) { + $this->checkPermission(self::READ_PERMISSION); + return view('admin.vouchers.users', [ 'voucher' => $voucher, 'locale_datatables' => $locale_settings->datatables, diff --git a/config/permissions_web.php b/config/permissions_web.php index accbd07a..47ba6a46 100644 --- a/config/permissions_web.php +++ b/config/permissions_web.php @@ -6,13 +6,15 @@ return [ /* * Permissions for admin */ - 'admin.sidebar.read', 'admin.roles.read', - 'admin.roles.write', + 'admin.roles.create', + 'admin.roles.edit', + 'admin.roles.delete', 'admin.ticket.read', + 'admin.tickets.write', 'admin.ticket_blacklist.read', 'admin.ticket_blacklist.write', @@ -32,13 +34,17 @@ return [ 'admin.users.write.role', 'admin.users.write.referal', 'admin.users.write.pterodactyl', + 'admin.users.write.email', + 'admin.users.notify', + 'admin.users.login_as', + 'admin.users.delete', 'admin.servers.read', 'admin.servers.write', 'admin.servers.suspend', - 'admin.server.write.owner', - 'admin.server.write.identifier', - 'admin.server.delete', + 'admin.servers.write.owner', + 'admin.servers.write.identifier', + 'admin.servers.delete', 'admin.products.read', 'admin.products.create', @@ -58,28 +64,15 @@ return [ 'admin.legal.read', 'admin.legal.write', + 'admin.payments.read', + + 'admin.partners.read', + 'admin.partners.write', + 'admin.logs.read', - /* - * Permissions for settings - */ - 'settings.sidebar.read', - - 'settings.invoices.read', - 'settings.invoices.write', - - 'settings.language.read', - 'settings.language.write', - - 'settings.misc.read', - 'settings.misc.write', - - 'settings.payment.read', - 'settings.payment.write', - - 'settings.system.read', - 'settings.system.write', - + 'admin.settings.read', + 'admin.settings.write', /* * Permissions for users */ diff --git a/routes/web.php b/routes/web.php index c7c6a9de..5f96806a 100644 --- a/routes/web.php +++ b/routes/web.php @@ -17,13 +17,13 @@ use App\Http\Controllers\Admin\RoleController; use App\Http\Controllers\Admin\ServerController as AdminServerController; use App\Http\Controllers\Admin\SettingsController; use App\Http\Controllers\Admin\ShopProductController; +use App\Http\Controllers\Admin\TicketCategoryController; +use App\Http\Controllers\Admin\TicketsController as AdminTicketsController; use App\Http\Controllers\Admin\UsefulLinkController; use App\Http\Controllers\Admin\UserController; use App\Http\Controllers\Admin\VoucherController; use App\Http\Controllers\Auth\SocialiteController; use App\Http\Controllers\HomeController; -use App\Http\Controllers\Moderation\TicketCategoryController; -use App\Http\Controllers\Moderation\TicketsController as ModTicketsController; use App\Http\Controllers\NotificationController; use App\Http\Controllers\ProductController as FrontProductController; use App\Http\Controllers\ProfileController; @@ -117,7 +117,7 @@ Route::middleware(['auth', 'checkSuspended'])->group(function () { //admin - Route::prefix('admin')->name('admin.')->middleware('admin')->group(function () { + Route::prefix('admin')->name('admin.')->group(function () { //Roles Route::get('roles/datatable', [RoleController::class, 'datatable'])->name('roles.datatable'); Route::resource('roles', RoleController::class); @@ -199,29 +199,28 @@ Route::middleware(['auth', 'checkSuspended'])->group(function () { Route::resource('api', ApplicationApiController::class)->parameters([ 'api' => 'applicationApi', ]); - }); - //mod - Route::prefix('moderator')->name('moderator.')->middleware('moderator')->group(function () { //ticket moderation - Route::get('ticket', [ModTicketsController::class, 'index'])->name('ticket.index'); - Route::get('ticket/datatable', [ModTicketsController::class, 'datatable'])->name('ticket.datatable'); - Route::get('ticket/show/{ticket_id}', [ModTicketsController::class, 'show'])->name('ticket.show'); - Route::post('ticket/reply', [ModTicketsController::class, 'reply'])->name('ticket.reply'); - Route::post('ticket/status/{ticket_id}', [ModTicketsController::class, 'changeStatus'])->name('ticket.changeStatus'); - Route::post('ticket/delete/{ticket_id}', [ModTicketsController::class, 'delete'])->name('ticket.delete'); + Route::get('ticket', [AdminTicketsController::class, 'index'])->name('ticket.index'); + Route::get('ticket/datatable', [AdminTicketsController::class, 'datatable'])->name('ticket.datatable'); + Route::get('ticket/show/{ticket_id}', [AdminTicketsController::class, 'show'])->name('ticket.show'); + Route::post('ticket/reply', [AdminTicketsController::class, 'reply'])->name('ticket.reply'); + Route::post('ticket/status/{ticket_id}', [AdminTicketsController::class, 'changeStatus'])->name('ticket.changeStatus'); + Route::post('ticket/delete/{ticket_id}', [AdminTicketsController::class, 'delete'])->name('ticket.delete'); //ticket moderation blacklist - Route::get('ticket/blacklist', [ModTicketsController::class, 'blacklist'])->name('ticket.blacklist'); - Route::post('ticket/blacklist', [ModTicketsController::class, 'blacklistAdd'])->name('ticket.blacklist.add'); - Route::post('ticket/blacklist/delete/{id}', [ModTicketsController::class, 'blacklistDelete'])->name('ticket.blacklist.delete'); - Route::post('ticket/blacklist/change/{id}', [ModTicketsController::class, 'blacklistChange'])->name('ticket.blacklist.change'); - Route::get('ticket/blacklist/datatable', [ModTicketsController::class, 'dataTableBlacklist'])->name('ticket.blacklist.datatable'); + Route::get('ticket/blacklist', [AdminTicketsController::class, 'blacklist'])->name('ticket.blacklist'); + Route::post('ticket/blacklist', [AdminTicketsController::class, 'blacklistAdd'])->name('ticket.blacklist.add'); + Route::post('ticket/blacklist/delete/{id}', [AdminTicketsController::class, 'blacklistDelete'])->name('ticket.blacklist.delete'); + Route::post('ticket/blacklist/change/{id}', [AdminTicketsController::class, 'blacklistChange'])->name('ticket.blacklist.change'); + Route::get('ticket/blacklist/datatable', [AdminTicketsController::class, 'dataTableBlacklist'])->name('ticket.blacklist.datatable'); Route::get('ticket/category/datatable', [TicketCategoryController::class, 'datatable'])->name('ticket.category.datatable'); Route::resource("ticket/category", TicketCategoryController::class, ['as' => 'ticket']); }); + + Route::get('/home', [HomeController::class, 'index'])->name('home'); }); diff --git a/themes/BlueInfinity/views/layouts/main.blade.php b/themes/BlueInfinity/views/layouts/main.blade.php index a5c13de1..aa4a7cf5 100644 --- a/themes/BlueInfinity/views/layouts/main.blade.php +++ b/themes/BlueInfinity/views/layouts/main.blade.php @@ -257,15 +257,15 @@
  • {{ __('Moderation') }}
  • - +

    {{ __('Ticket List') }}
  • - +

    {{ __('Ticket Blacklist') }}

     diff --git a/themes/default/views/admin/overview/index.blade.php b/themes/default/views/admin/overview/index.blade.php index d5b8d5a8..1e54c6f6 100644 --- a/themes/default/views/admin/overview/index.blade.php +++ b/themes/default/views/admin/overview/index.blade.php @@ -183,7 +183,7 @@ @foreach($tickets as $ticket_id => $ticket) - #{{$ticket_id}} - {{$ticket->title}} + #{{$ticket_id}} - {{$ticket->title}} {{$ticket->user}} {{$ticket->status}} {{$ticket->last_updated}} diff --git a/themes/default/views/layouts/main.blade.php b/themes/default/views/layouts/main.blade.php index c72187bd..49fc7332 100644 --- a/themes/default/views/layouts/main.blade.php +++ b/themes/default/views/layouts/main.blade.php @@ -257,28 +257,12 @@ @endcanany @endif - @if ((Auth::user()->hasRole(1) || Auth::user()->role == 'moderator') && $ticket_enabled) -
  • {{ __('Moderation') }}
    • - -
  • - - -

    {{ __('Ticket List') }}

    -     -
    • -
  • - - -

    {{ __('Ticket Blacklist') }}

    -     -
    • - @endif - - @if (Auth::user()->hasRole(1)) + + @canany(['admin.settings.read','admin.settings.write','admin.overview.read','admin.overview.sync','admin.ticket.read','admin.tickets.write','admin.ticket_blacklist.read','admin.ticket_blacklist.write','admin.roles.read','admin.roles.write','admin.api.read','admin.api.write'])
  • {{ __('Administration') }}
    • + @endcanany + @canany(['admin.overview.read','admin.overview.sync'])
  • @@ -286,7 +270,29 @@

    {{ __('Overview') }}
    • + @endcanany + @canany(['admin.ticket.read','admin.tickets.write']) +
  • + + +

    {{ __('Ticket List') }}

    +     +
    • + @endcanany + + @canany(['admin.ticket_blacklist.read','admin.ticket_blacklist.write']) +
  • + + +

    {{ __('Ticket Blacklist') }}

    +     +
    • + @endcanany + + @canany(['admin.roles.read','admin.roles.write'])
  • @@ -294,7 +300,9 @@

    {{ __('Role Management') }}
    • + @endcanany + @canany(['admin.settings.read','admin.settings.write'])
  • @@ -302,7 +310,9 @@

    {{ __('Settings') }}
    • + @endcanany + @canany(['admin.api.read','admin.api.write'])
  • @@ -310,9 +320,40 @@

    {{ __('Application API') }}
    • + @endcanany + + @canany(['admin.users.read', + 'admin.users.write', + 'admin.users.suspend', + 'admin.users.write.credits', + 'admin.users.write.username', + 'admin.users.write.password', + 'admin.users.write.role', + 'admin.users.write.referal', + 'admin.users.write.pterodactyl','admin.servers.read', + 'admin.servers.write', + 'admin.servers.suspend', + 'admin.servers.write.owner', + 'admin.servers.write.identifier', + 'admin.servers.delete','admin.products.read', + 'admin.products.create', + 'admin.products.edit', + 'admin.products.delete',])
  • {{ __('Management') }}
    • + @endcanany + + + @canany(['admin.users.read', + 'admin.users.write', + 'admin.users.suspend', + 'admin.users.write.credits', + 'admin.users.write.username', + 'admin.users.write.password', + 'admin.users.write.role', + 'admin.users.write.referal', + 'admin.users.write.pterodactyl'])
  • @@ -320,7 +361,13 @@

    {{ __('Users') }}
    • - + @endcanany + @canany(['admin.servers.read', + 'admin.servers.write', + 'admin.servers.suspend', + 'admin.servers.write.owner', + 'admin.servers.write.identifier', + 'admin.servers.delete'])
  • @@ -328,7 +375,11 @@

    {{ __('Servers') }}
    • - + @endcanany + @canany(['admin.products.read', + 'admin.products.create', + 'admin.products.edit', + 'admin.products.delete'])
  • @@ -336,7 +387,8 @@

    {{ __('Products') }}
    • - + @endcanany + @canany(['admin.store.read','admin.store.write','admin.store.disable'])
  • @@ -344,7 +396,8 @@

    {{ __('Store') }}
    • - + @endcanany + @canany(["admin.voucher.read","admin.voucher.read"])
  • @@ -352,7 +405,8 @@

    {{ __('Vouchers') }}
    • - + @endcanany + @canany(["admin.partners.read","admin.partners.read"])
  • @@ -360,28 +414,13 @@

    {{ __('Partners') }}
    • + @endcanany - {{--
  • Pterodactyl
    • --}} - - {{--
  • --}} - {{-- --}} - {{-- --}} - {{--

    Nodes

    --}} - {{--     --}} - {{--
    • --}} - - {{--
  • --}} - {{-- --}} - {{-- --}} - {{--

    Nests

    --}} - {{--     --}} - {{--
    • --}} - - -
  • {{ __('Other') }}
    • + @canany(["admin.useful_links.read","admin.legal.read"]) +
  • {{ __('Other') }}
    • + @endcanany + @canany(["admin.useful_links.read","admin.useful_links.write"])
  • @@ -389,7 +428,9 @@

    {{ __('Useful Links') }}
    • + @endcanany + @canany(["admin.legal.read","admin.legal.write"])
  • @@ -397,9 +438,14 @@

    {{ __('Legal Sites') }}
    • + @endcanany -
  • {{ __('Logs') }}
    • + @canany(["admin.payments.read","admin.logs.read"]) +
  • {{ __('Logs') }}
    • + @endcanany + + @can("admin.payments.read")
  • @@ -410,7 +456,9 @@

    • + @endcan + @can("admin.logs.read")
  • @@ -418,7 +466,8 @@

    {{ __('Activity Logs') }}
    • - @endif + @endcan + diff --git a/themes/default/views/mail/ticket/admin/create.blade.php b/themes/default/views/mail/ticket/admin/create.blade.php index b0b3f1a3..4ee96a69 100644 --- a/themes/default/views/mail/ticket/admin/create.blade.php +++ b/themes/default/views/mail/ticket/admin/create.blade.php @@ -17,7 +17,7 @@ ___ You can respond to this ticket by simply replying to this email or through the admin area at the url below.
    -{{ route('moderator.ticket.show', ['ticket_id' => $ticket->ticket_id]) }} +{{ route('admin.ticket.show', ['ticket_id' => $ticket->ticket_id]) }}
    {{__('Thanks')}},
    diff --git a/themes/default/views/mail/ticket/admin/reply.blade.php b/themes/default/views/mail/ticket/admin/reply.blade.php index 704db26f..a6f8cceb 100644 --- a/themes/default/views/mail/ticket/admin/reply.blade.php +++ b/themes/default/views/mail/ticket/admin/reply.blade.php @@ -17,7 +17,7 @@ ___ You can respond to this ticket by simply replying to this email or through the admin area at the url below.
    -{{ route('moderator.ticket.show', ['ticket_id' => $ticket->ticket_id]) }} +{{ route('admin.ticket.show', ['ticket_id' => $ticket->ticket_id]) }}
    {{__('Thanks')}},
    diff --git a/themes/default/views/moderator/ticket/blacklist.blade.php b/themes/default/views/moderator/ticket/blacklist.blade.php index 1e91393c..e26304a1 100644 --- a/themes/default/views/moderator/ticket/blacklist.blade.php +++ b/themes/default/views/moderator/ticket/blacklist.blade.php @@ -12,7 +12,7 @@
    1. {{ __('Dashboard') }}
    2. {{ __('Ticket Blacklist') }} + href="{{ route('admin.ticket.blacklist') }}">{{ __('Ticket Blacklist') }}
    @@ -60,7 +60,7 @@ class="fas fa-info-circle">
    - + @csrf
    @@ -56,7 +56,7 @@
    {{__('Add Category')}}
    - + @csrf
    @@ -73,7 +73,7 @@
    {{__('Edit Category')}}
    - + @csrf @method('PATCH')