From 40122a94461d6c1389346433ab8477d4f87752de Mon Sep 17 00:00:00 2001
From: Josef Citrine
Date: Tue, 17 May 2016 00:30:05 +0100
Subject: [PATCH] Admins can edit users
---
 app/Commands/SaveAccountSettingsCommand.php | 24 +++++++++++++++---
 .../Controllers/Api/Web/AccountController.php | 25 ++++++++++++++++---
 app/Http/routes.php | 2 ++
 app/Policies/UserPolicy.php | 2 +-
 .../app/controllers/account-settings.coffee | 8 +++---
 5 files changed, 49 insertions(+), 12 deletions(-)
diff --git a/app/Commands/SaveAccountSettingsCommand.php b/app/Commands/SaveAccountSettingsCommand.php
index 2c535125..23f1af78 100644
--- a/app/Commands/SaveAccountSettingsCommand.php
+++ b/app/Commands/SaveAccountSettingsCommand.php
@@ -21,16 +21,19 @@ namespace Poniverse\Ponyfm\Commands;
 use Poniverse\Ponyfm\Models\Image;
+use Poniverse\Ponyfm\Models\User;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Validator;
 class SaveAccountSettingsCommand extends CommandBase
 {
 private $_input;
+ private $_slug;
- function __construct($input)
+ function __construct($input, $slug)
 {
 $this->_input = $input;
+ $this->_slug = $slug;
 }
 /**
@@ -38,7 +41,7 @@ class SaveAccountSettingsCommand extends CommandBase
 */
 public function authorize()
 {
- return Auth::user() != null;
+ return Auth::user() != null || Auth::user()->hasRole('admin');
 }
 /**
@@ -47,7 +50,22 @@ class SaveAccountSettingsCommand extends CommandBase
 */
 public function execute()
 {
- $user = Auth::user();
+ $user = null;
+ $current_user = Auth::user();
+
+ if ($this->_slug == -1 || $this->_slug == $current_user->slug) {
+ $user = $current_user;
+ } else if ($current_user->hasRole('admin')) {
+ $user = User::where('slug', $this->_slug)->whereNull('disabled_at')->first();
+ }
+
+ if ($user == null) {
+ if ($current_user->hasRole('admin')) {
+ return CommandResponse::fail(['Not found']);
+ } else {
+ return CommandResponse::fail(['Permission denied']);
+ }
+ }
 $rules = [
 'display_name' => 'required|min:3|max:26',
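Review bot: The new condition in `authorize()` changes nothing for logged-in callers and breaks for anonymous ones: `Auth::user() != null || Auth::user()->hasRole('admin')` short-circuits to `true` whenever a user is logged in, and when nobody is, the right-hand side calls `hasRole()` on `null`, so what used to be a clean authorization failure becomes a fatal error. The admin decision is already made in `execute()`, so the line should stay `return Auth::user() != null;` or be written as `return Auth::check();`. This matters because the matching `POST /account/settings/save/{slug}` route in routes.php appears to sit outside the `auth` middleware group, leaving `authorize()` as the only login check on that path.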
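Review bot: `execute()` re-implements the "self or admin" rule inline instead of consulting the `UserPolicy::edit` check that this same commit extends, and `AccountController::getSettings()` repeats the identical lookup a second time, so the policy change has no caller on this path and the three copies can drift apart. Resolving the target user once (a small helper returning `$current_user` for the default slug and otherwise `User::where('slug', $slug)->whereNull('disabled_at')->first()`) and then asking the policy with `Gate::denies('edit', $user)` would keep the command, the controller and the policy in agreement. The `-1` sentinel is also compared with `==`, so a route slug of `"-1"` is indistinguishable from "no slug"; a `null` default with `===` avoids that. `execute()` continues past the end of this hunk.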
diff --git a/app/Http/Controllers/Api/Web/AccountController.php b/app/Http/Controllers/Api/Web/AccountController.php
index 70173f57..7dd0bd7f 100644
--- a/app/Http/Controllers/Api/Web/AccountController.php
+++ b/app/Http/Controllers/Api/Web/AccountController.php
@@ -22,6 +22,7 @@ namespace Poniverse\Ponyfm\Http\Controllers\Api\Web;
 use Poniverse\Ponyfm\Http\Controllers\ApiControllerBase;
 use Poniverse\Ponyfm\Commands\SaveAccountSettingsCommand;
+use Poniverse\Ponyfm\Models\User;
 use Cover;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Input;
@@ -29,9 +30,25 @@ use Illuminate\Support\Facades\Response;
 class AccountController extends ApiControllerBase
 {
- public function getSettings()
+ public function getSettings($slug = -1)
 {
- $user = Auth::user();
+ $user = null;
+ $current_user = Auth::user();
+
+ if ($slug == -1 || $slug == $current_user->slug) {
+ $user = $current_user;
+ } else if ($current_user->hasRole('admin')) {
+ $user = User::where('slug', $slug)->whereNull('disabled_at')->first();
+ }
+
+ if ($user == null) {
+ if ($current_user->hasRole('admin')) {
+ return Response::json(['error' => 'User does not exist'], 404);
+ } else {
+ return Response::json(['error' => 'You cannot do that. So stop trying!'], 403);
+ }
+ }
+
 return Response::json([
 'id' => $user->id,
@@ -46,8 +63,8 @@ class AccountController extends ApiControllerBase
 ], 200);
 }
- public function postSave()
+ public function postSave($slug = -1)
 {
- return $this->execute(new SaveAccountSettingsCommand(Input::all()));
+ return $this->execute(new SaveAccountSettingsCommand(Input::all(), $slug));
 }
 }
diff --git a/app/Http/routes.php b/app/Http/routes.php
index 62dceb63..ba83079f 100644
--- a/app/Http/routes.php
+++ b/app/Http/routes.php
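Review bot: Style: the new branches in `getSettings()` use `else if` and loose `== null` / `== -1`, where PSR-12 expects `elseif` and the project's own `UserPolicy` already compares with `===`; `} elseif ($current_user->hasRole('admin')) {` and `if ($user === null) {` read the same and avoid type juggling on the route parameter. `$current_user->hasRole('admin')` is also evaluated twice on the failure path; computing it once into a local before the lookup (`$isAdmin = $current_user->hasRole('admin');`) makes the 404-versus-403 split easier to follow. The remainder of the JSON response built after the hunk is not visible here.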
@@ -124,6 +124,7 @@ Route::group(['prefix' => 'api/web'], function() {
 Route::post('/comments/{type}/{id}', 'Api\Web\CommentsController@postCreate')->where('id', '\d+');
 Route::post('/account/settings/save', 'Api\Web\AccountController@postSave');
+ Route::post('/account/settings/save/{slug}', 'Api\Web\AccountController@postSave');
 Route::post('/favourites/toggle', 'Api\Web\FavouritesController@postToggle');
@@ -134,6 +135,7 @@ Route::group(['prefix' => 'api/web'], function() {
 Route::group(['middleware' => 'auth'], function() {
 Route::get('/account/settings', 'Api\Web\AccountController@getSettings');
+ Route::get('/account/settings/{slug}', 'Api\Web\AccountController@getSettings');
 Route::get('/tracks/owned', 'Api\Web\TracksController@getOwned');
 Route::get('/tracks/edit/{id}', 'Api\Web\TracksController@getEdit');
diff --git a/app/Policies/UserPolicy.php b/app/Policies/UserPolicy.php
index 7fc5fd53..7a533e1e 100644
--- a/app/Policies/UserPolicy.php
+++ b/app/Policies/UserPolicy.php
@@ -33,6 +33,6 @@ class UserPolicy
 }
 public function edit(User $userToAuthorize, User $user) {
- return $userToAuthorize->id === $user->id;
+ return $userToAuthorize->id === $user->id || $userToAuthorize->hasRole('admin');
 }
 }
diff --git a/resources/assets/scripts/app/controllers/account-settings.coffee b/resources/assets/scripts/app/controllers/account-settings.coffee
index 4f7a03d8..d8d4ad9d 100644
--- a/resources/assets/scripts/app/controllers/account-settings.coffee
+++ b/resources/assets/scripts/app/controllers/account-settings.coffee
@@ -15,8 +15,8 @@
 # along with this program. If not, see .
 module.exports = angular.module('ponyfm').controller "account-settings", [
- '$scope', 'auth'
- ($scope, auth) ->
+ '$scope', 'auth', '$state'
+ ($scope, auth, $state) ->
 $scope.settings = {}
 $scope.errors = {}
 $scope.isDirty = false
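Review bot: The new `POST /account/settings/save/{slug}` route is registered next to the existing save route, which in the visible context lies before (and therefore outside) the `Route::group(['middleware' => 'auth'], ...)` block that the second hunk places the matching `GET /account/settings/{slug}` inside; unless an enclosing group not shown here applies auth, the only login check on the POST path is the command's `authorize()`. Moving both save routes into the auth group keeps the read and write endpoints for the same resource under the same guard. Neighbouring routes also constrain their parameters (`->where('id', '\d+')`); a matching `->where('slug', '[a-z0-9-]+')` (pattern is an example; check how slugs are generated) would reject stray values before they reach the controller.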
@@ -25,7 +25,7 @@ module.exports = angular.module('ponyfm').controller "account-settings", [
 $scope.isDirty = true
 $scope.refresh = () ->
- $.getJSON('/api/web/account/settings')
+ $.getJSON('/api/web/account/settings/' + $state.params.slug)
 .done (res) ->
 $scope.$apply ->
 $scope.settings = res
@@ -66,7 +66,7 @@ module.exports = angular.module('ponyfm').controller "account-settings", [
 else
 formData.append name, value
- xhr.open 'POST', '/api/web/account/settings/save', true
+ xhr.open 'POST', '/api/web/account/settings/save/' + $state.params.slug, true
 xhr.setRequestHeader 'X-XSRF-TOKEN', $.cookie('XSRF-TOKEN')
 $scope.isSaving = true
 xhr.send formData
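Review bot: Both URLs are now built by concatenating `$state.params.slug`, so on a state that does not define a `slug` parameter (the plain "my settings" page, if it still exists) the request goes to `/api/web/account/settings/undefined`; the server then treats `undefined` as a real slug, a regular user hits the 403 branch and an admin gets 404, and the save in the second hunk fails the same way. Building the suffix once and only when a slug is present avoids that: `slugPath = if $state.params.slug then '/' + $state.params.slug else ''`, then `$.getJSON('/api/web/account/settings' + slugPath)` and `xhr.open 'POST', '/api/web/account/settings/save' + slugPath, true`. Whether every state reaching this controller supplies `slug` is not visible in this diff, so this is worth confirming against the state definitions.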