diff --git a/app/Commands/DeleteTrackCommand.php b/app/Commands/DeleteTrackCommand.php index 9fa22835..fde024ca 100644 --- a/app/Commands/DeleteTrackCommand.php +++ b/app/Commands/DeleteTrackCommand.php @@ -20,6 +20,7 @@ namespace Poniverse\Ponyfm\Commands; +use Gate; use Poniverse\Ponyfm\Models\Track; class DeleteTrackCommand extends CommandBase @@ -41,9 +42,7 @@ class DeleteTrackCommand extends CommandBase */ public function authorize() { - $user = \Auth::user(); - - return $this->_track && $user != null && $this->_track->user_id == $user->id; + return Gate::allows('delete', $this->_track); } /** diff --git a/app/Commands/EditTrackCommand.php b/app/Commands/EditTrackCommand.php index b7329ef0..0e2ee814 100644 --- a/app/Commands/EditTrackCommand.php +++ b/app/Commands/EditTrackCommand.php @@ -20,6 +20,7 @@ namespace Poniverse\Ponyfm\Commands; +use Gate; use Poniverse\Ponyfm\Models\Album; use Poniverse\Ponyfm\Models\Image; use Poniverse\Ponyfm\Models\Track; @@ -46,9 +47,7 @@ class EditTrackCommand extends CommandBase */ public function authorize() { - $user = \Auth::user(); - - return $this->_track && $user != null && $this->_track->user_id == $user->id; + return $this->_track && Gate::allows('edit', $this->_track); } /** @@ -143,7 +142,7 @@ class EditTrackCommand extends CommandBase } else { if (isset($this->_input['cover'])) { $cover = $this->_input['cover']; - $track->cover_id = Image::upload($cover, Auth::user())->id; + $track->cover_id = Image::upload($cover, $track->user_id)->id; } else { if ($this->_input['remove_cover'] == 'true') { $track->cover_id = null; diff --git a/app/Http/Controllers/Api/Web/AlbumsController.php b/app/Http/Controllers/Api/Web/AlbumsController.php index a494d28c..f5056802 100644 --- a/app/Http/Controllers/Api/Web/AlbumsController.php +++ b/app/Http/Controllers/Api/Web/AlbumsController.php 
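Review bot: The new `authorize()` drops the `$this->_track &&` guard that the sibling EditTrackCommand::authorize keeps in this same commit, so a null `_track` now reaches `Gate::allows('delete', null)`. In the Laravel versions I know, a non-object argument skips policy resolution and falls back to the ability map, which only returns false here because no 'delete' ability is registered there — the denial is incidental rather than explicit. Keep the guard so intent is local: `return $this->_track && Gate::allows('delete', $this->_track);`. The TrackPolicy this resolves to is not in the diff; confirm it defines `delete` with the same owner-or-admin rule the new AlbumPolicy uses.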
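Review bot: `Image::upload($cover, $track->user_id)` now attributes the cover to the track owner instead of the acting user, and that matters precisely because this commit opens `edit` to admins via policy — a cover uploaded by an admin is recorded as uploaded by the owner, so `uploaded_by` no longer tells you who performed the upload. If owner attribution is deliberate (so the image appears in the owner's `/users/{userId}/images` list), say so on the line: `// Attribute the cover to the track owner, not the acting user, so it lists under the owner's images.` If an audit trail of the actor is wanted, that would need a separate column, since the model call only takes one user. The enclosing `execute()` starts and ends outside this hunk.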
@@ -30,6 +30,7 @@ use Poniverse\Ponyfm\Models\Image; use Poniverse\Ponyfm\Models\ResourceLogItem; use Auth; use Input; +use Poniverse\Ponyfm\Models\User; use Response; use Poniverse\Ponyfm\Models\Track; @@ -140,10 +141,13 @@ class AlbumsController extends ApiControllerBase 200); } - public function getOwned() + public function getOwned(User $user) { - $query = Album::summary()->where('user_id', \Auth::user()->id)->orderBy('created_at', 'desc')->get(); + $this->authorize('get-albums', $user); + + $query = Album::summary()->where('user_id', $user->id)->orderBy('created_at', 'desc')->get(); $albums = []; + foreach ($query as $album) { $albums[] = [ 'id' => $album->id, diff --git a/app/Http/Controllers/Api/Web/ImagesController.php b/app/Http/Controllers/Api/Web/ImagesController.php index a7071211..390da1a4 100644 --- a/app/Http/Controllers/Api/Web/ImagesController.php +++ b/app/Http/Controllers/Api/Web/ImagesController.php @@ -20,17 +20,21 @@ namespace Poniverse\Ponyfm\Http\Controllers\Api\Web; +use Auth; use Poniverse\Ponyfm\Http\Controllers\ApiControllerBase; use Poniverse\Ponyfm\Models\Image; -use Cover; -use Illuminate\Support\Facades\Response; +use Poniverse\Ponyfm\Models\User; +use Response; class ImagesController extends ApiControllerBase { - public function getOwned() + public function getOwned(User $user) { - $query = Image::where('uploaded_by', \Auth::user()->id); + $this->authorize('get-images', $user); + + $query = Image::where('uploaded_by', $user->id); $images = []; + foreach ($query->get() as $image) { $images[] = [ 'id' => $image->id, diff --git a/app/Http/Controllers/Api/Web/TracksController.php b/app/Http/Controllers/Api/Web/TracksController.php index 70f39c2a..29ac29ff 100644 --- a/app/Http/Controllers/Api/Web/TracksController.php +++ b/app/Http/Controllers/Api/Web/TracksController.php 
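Review bot: `getOwned(User $user)` no longer lists the caller's own albums but any user's, gated by the 'get-albums' ability, and the method carries no docblock saying so; a later reader will assume from the name that `$user` is the authenticated user. Add above the signature: `/** Lists the albums of $user (resolved from the {userId} route parameter); requires the 'get-albums' ability on that user, i.e. the owner or an admin per UserPolicy. */`. Note also that `$this->authorize()` throws on denial rather than returning the controller's JSON error shape, so the response an API client sees on a 403 depends on the exception handler, which is not in this diff.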
@@ -183,9 +183,7 @@ class TracksController extends ApiControllerBase return $this->notFound('Track ' . $id . ' not found!'); } - if ($track->user_id != Auth::user()->id) { - return $this->notAuthorized(); - } + $this->authorize('edit', $track); return Response::json(Track::mapPrivateTrackShow($track), 200); } diff --git a/app/Http/routes.php b/app/Http/routes.php index f232a0f9..349c006d 100644 --- a/app/Http/routes.php +++ b/app/Http/routes.php @@ -132,12 +132,12 @@ Route::group(['prefix' => 'api/web'], function() { Route::group(['middleware' => 'auth'], function() { Route::get('/account/settings', 'Api\Web\AccountController@getSettings'); - Route::get('/images/owned', 'Api\Web\ImagesController@getOwned'); - Route::get('/tracks/owned', 'Api\Web\TracksController@getOwned'); Route::get('/tracks/edit/{id}', 'Api\Web\TracksController@getEdit'); - Route::get('/albums/owned', 'Api\Web\AlbumsController@getOwned'); + Route::get('/users/{userId}/albums', 'Api\Web\AlbumsController@getOwned')->where('id', '\d+'); + Route::get('/users/{userId}/images', 'Api\Web\ImagesController@getOwned')->where('id', '\d+'); + Route::get('/albums/edit/{id}', 'Api\Web\AlbumsController@getEdit'); Route::get('/playlists/owned', 'Api\Web\PlaylistsController@getOwned'); diff --git a/app/Models/Image.php b/app/Models/Image.php index 75ac2c20..95d9ff13 100644 --- a/app/Models/Image.php +++ b/app/Models/Image.php @@ -68,7 +68,7 @@ class Image extends Model /** * @param UploadedFile $file - * @param $user + * @param int|User $user * @param bool $forceReupload forces the image to be re-processed even if a matching hash is found * @return Image * @throws \Exception diff --git a/app/Models/Track.php b/app/Models/Track.php index 0dcfdd7e..cbfd510d 100644 --- a/app/Models/Track.php +++ b/app/Models/Track.php 
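Review bot: Replacing `return $this->notAuthorized();` with `$this->authorize('edit', $track)` changes the failure path from the controller's JSON response to an `AuthorizationException`, so what a denied web-API caller receives is now whatever the exception handler renders, which may be an HTML 403 rather than JSON. If the front end inspects the JSON body, either catch the exception here or make sure the handler renders JSON for `api/web` requests; that handler is outside this diff. The removed line was the last use of `Auth` visible in this hunk — check whether the `use Auth;` import at the top of the file is now dead.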
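Review bot: `->where('id', '\d+')` on the two new routes constrains a parameter named `id`, but the parameter in the URI is `{userId}`, so the digit restriction is a no-op and any string is handed to the `User` model binding. The fix is one token: `->where('userId', '\d+')` on both lines. Separately, `/tracks/owned` is removed with no `/users/{userId}/tracks` replacement visible in this hunk; if it is not added elsewhere in the commit, whatever client code fetched the track list will break.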
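Review bot: The docblock is widened to `@param int|User $user`, but this hunk changes only the comment, and EditTrackCommand now actually passes an int (`$track->user_id`). Confirm `Image::upload` normalizes both forms before writing `uploaded_by`, e.g. `$userId = $user instanceof User ? $user->id : (int) $user;`; if it still reads `$user->id`, the int call path stores null. The body of `upload()` is outside the hunk, so I cannot tell from here.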
@@ -24,6 +24,7 @@ use Auth; use Cache; use Config; use DB; +use Gate; use Poniverse\Ponyfm\Contracts\Searchable; use Poniverse\Ponyfm\Exceptions\TrackFileNotFoundException; use Poniverse\Ponyfm\Traits\IndexedInElasticsearchTrait; @@ -423,8 +424,8 @@ class Track extends Model implements Searchable ], 'user_data' => $userData, 'permissions' => [ - 'delete' => Auth::check() && Auth::user()->id == $track->user_id, - 'edit' => Auth::check() && Auth::user()->id == $track->user_id + 'delete' => Gate::allows('delete', $track), + 'edit' => Gate::allows('edit', $track) ] ]; } diff --git a/app/Policies/AlbumPolicy.php b/app/Policies/AlbumPolicy.php new file mode 100644 index 00000000..a5836e65 --- /dev/null +++ b/app/Policies/AlbumPolicy.php @@ -0,0 +1,35 @@ +. + */ + +namespace Poniverse\Ponyfm\Policies; + +use Poniverse\Ponyfm\Models\Album; +use Poniverse\Ponyfm\Models\User; + +class AlbumPolicy +{ + public function edit(User $user, Album $album) { + return $user->id === $album->user_id || $user->hasRole('admin'); + } + + public function delete(User $user, Album $album) { + return $user->id === $album->user_id || $user->hasRole('admin'); + } +} diff --git a/app/Policies/UserPolicy.php b/app/Policies/UserPolicy.php new file mode 100644 index 00000000..ac81c6d3 --- /dev/null +++ b/app/Policies/UserPolicy.php @@ -0,0 +1,34 @@ +. + */ + +namespace Poniverse\Ponyfm\Policies; + +use Poniverse\Ponyfm\Models\User; + +class UserPolicy +{ + public function getAlbums(User $userToAuthorize, User $user) { + return $userToAuthorize->id === $user->id || $userToAuthorize->hasRole('admin'); + } + + public function getImages(User $userToAuthorize, User $user) { + return $userToAuthorize->id === $user->id || $userToAuthorize->hasRole('admin'); + } +} diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php index 96b1b6c1..7656ba92 100644 --- a/app/Providers/AuthServiceProvider.php +++ b/app/Providers/AuthServiceProvider.php 
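Review bot: Both AlbumPolicy methods repeat the same owner-or-admin expression, and the switch from the old `==` to `===` means that if `user_id` comes back from the driver as a string while `$user->id` is an int (no `$casts` on the model is visible here), the owner is silently denied — fail-closed, but a regression worth a cast or a model cast. Pull the rule into one private helper so it is changed in one place, and document it; if this Laravel version supports a policy `before()` hook, the admin bypass could live there instead.
```php
class AlbumPolicy
{
    public function edit(User $user, Album $album)
    {
        return $this->ownsOrIsAdmin($user, $album);
    }

    public function delete(User $user, Album $album)
    {
        return $this->ownsOrIsAdmin($user, $album);
    }

    /** Owner of the album, or any user with the admin role. Ids cast so a string user_id cannot fail the strict compare. */
    private function ownsOrIsAdmin(User $user, Album $album)
    {
        return (int) $user->id === (int) $album->user_id || $user->hasRole('admin');
    }
}
```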
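Review bot: UserPolicy's two methods take `(User $userToAuthorize, User $user)` with no docblock, and since both parameters are the same type nothing tells the reader which one is the actor and which the subject. Add to each: `/** @param User $userToAuthorize the authenticated user making the request  @param User $user the user whose albums are being listed */` (and "images" for `getImages`). The ability names 'get-albums'/'get-images' reach these methods only through Laravel's camel-case mapping of ability names to policy methods, which is worth a one-line comment on the class so the coupling is not lost on rename.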
@@ -22,11 +22,14 @@ namespace Poniverse\Ponyfm\Providers; use Illuminate\Contracts\Auth\Access\Gate as GateContract; use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider; +use Poniverse\Ponyfm\Models\Album; use Poniverse\Ponyfm\Models\Genre; +use Poniverse\Ponyfm\Policies\AlbumPolicy; use Poniverse\Ponyfm\Policies\GenrePolicy; use Poniverse\Ponyfm\Policies\TrackPolicy; use Poniverse\Ponyfm\Models\Track; use Poniverse\Ponyfm\Models\User; +use Poniverse\Ponyfm\Policies\UserPolicy; class AuthServiceProvider extends ServiceProvider { @@ -38,6 +41,8 @@ class AuthServiceProvider extends ServiceProvider protected $policies = [ Genre::class => GenrePolicy::class, Track::class => TrackPolicy::class, + Album::class => AlbumPolicy::class, + User::class => UserPolicy::class, ]; /** diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php index 6c785098..39111b4f 100644 --- a/app/Providers/RouteServiceProvider.php +++ b/app/Providers/RouteServiceProvider.php @@ -22,6 +22,7 @@ namespace Poniverse\Ponyfm\Providers; use Illuminate\Routing\Router; use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider; +use Poniverse\Ponyfm\Models\User; class RouteServiceProvider extends ServiceProvider { @@ -42,9 +43,9 @@ class RouteServiceProvider extends ServiceProvider */ public function boot(Router $router) { - // - parent::boot($router); + + $router->model('userId', User::class); } /** diff --git a/public/templates/directives/track-editor.html b/public/templates/directives/track-editor.html index 54a2f905..1fd4ef9c 100644 --- a/public/templates/directives/track-editor.html +++ b/public/templates/directives/track-editor.html @@ -1,4 +1,4 @@ -
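Review bot: `$router->model('userId', User::class)` is added without a comment, and since the binding runs before any policy check, an unknown id yields a 404 while a known-but-forbidden one yields a 403, so any authenticated user can tell whether a given user id exists; that is likely acceptable here since user ids appear to be public, but it should be a conscious choice. Add above the line: `// Resolve {userId} route parameters to a User (404 if missing) so controllers receive a model before policies run.`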
+