#2: Properly handle editing tracks and albums that you don't own.

2025-02-18 02:54:21 +01:00 · 2016-03-06 04:27:53 -08:00 · 2016-03-06 04:27:53 -08:00 · b715422c24
commit b715422c24
parent 46941b23d9
15 changed files with 51 additions and 55 deletions
--- a/app/Commands/DeleteTrackCommand.php
+++ b/app/Commands/DeleteTrackCommand.php
@ -20,6 +20,7 @@
 namespace Poniverse\Ponyfm\Commands;
 use Gate;
 use Poniverse\Ponyfm\Models\Track;
 class DeleteTrackCommand extends CommandBase
@ -41,9 +42,7 @@ class DeleteTrackCommand extends CommandBase
     */
    public function authorize()
    {
-        $user = \Auth::user();
+        return Gate::allows('delete', $this->_track);
        return $this->_track && $user != null && $this->_track->user_id == $user->id;
    }
    /**
--- a/app/Commands/EditTrackCommand.php
+++ b/app/Commands/EditTrackCommand.php
@ -142,7 +142,7 @@ class EditTrackCommand extends CommandBase
        } else {
            if (isset($this->_input['cover'])) {
                $cover = $this->_input['cover'];
-                $track->cover_id = Image::upload($cover, Auth::user())->id;
+                $track->cover_id = Image::upload($cover, $track->user_id)->id;
            } else {
                if ($this->_input['remove_cover'] == 'true') {
                    $track->cover_id = null;
--- a/app/Http/Controllers/Api/Web/AlbumsController.php
+++ b/app/Http/Controllers/Api/Web/AlbumsController.php
@ -141,13 +141,13 @@ class AlbumsController extends ApiControllerBase
            200);
    }
-    public function getOwned($id)
+    public function getOwned(User $user)
    {
        $user = User::findOrFail($id);
        $this->authorize('get-albums', $user);
-        $query = Album::summary()->where('user_id', $id)->orderBy('created_at', 'desc')->get();
+        $query = Album::summary()->where('user_id', $user->id)->orderBy('created_at', 'desc')->get();
        $albums = [];
        foreach ($query as $album) {
            $albums[] = [
                'id' => $album->id,
--- a/app/Http/Controllers/Api/Web/ImagesController.php
+++ b/app/Http/Controllers/Api/Web/ImagesController.php
@ -20,17 +20,21 @@
 namespace Poniverse\Ponyfm\Http\Controllers\Api\Web;
 use Auth;
 use Poniverse\Ponyfm\Http\Controllers\ApiControllerBase;
 use Poniverse\Ponyfm\Models\Image;
-use Cover;
+use Poniverse\Ponyfm\Models\User;
-use Illuminate\Support\Facades\Response;
+use Response;
 class ImagesController extends ApiControllerBase
 {
-    public function getOwned()
+    public function getOwned(User $user)
    {
-        $query = Image::where('uploaded_by', \Auth::user()->id);
+        $this->authorize('get-images', $user);
        $query = Image::where('uploaded_by', $user->id);
        $images = [];
        foreach ($query->get() as $image) {
            $images[] = [
                'id' => $image->id,
--- a/app/Http/routes.php
+++ b/app/Http/routes.php
@ -132,13 +132,12 @@ Route::group(['prefix' => 'api/web'], function() {
    Route::group(['middleware' => 'auth'], function() {
        Route::get('/account/settings', 'Api\Web\AccountController@getSettings');
        Route::get('/images/owned', 'Api\Web\ImagesController@getOwned');
        Route::get('/tracks/owned', 'Api\Web\TracksController@getOwned');
        Route::get('/tracks/edit/{id}', 'Api\Web\TracksController@getEdit');
-        Route::get('/users/{id}/albums', 'Api\Web\AlbumsController@getOwned')->where('id', '\d+');
+        Route::get('/users/{userId}/albums', 'Api\Web\AlbumsController@getOwned')->where('id', '\d+');
-//        Route::get('/albums/owned', 'Api\Web\AlbumsController@getOwned');
+        Route::get('/users/{userId}/images', 'Api\Web\ImagesController@getOwned')->where('id', '\d+');
        Route::get('/albums/edit/{id}', 'Api\Web\AlbumsController@getEdit');
        Route::get('/playlists/owned', 'Api\Web\PlaylistsController@getOwned');
--- a/app/Models/Image.php
+++ b/app/Models/Image.php
@ -68,7 +68,7 @@ class Image extends Model
    /**
     * @param UploadedFile $file
-     * @param $user
+     * @param int|User $user
     * @param bool $forceReupload forces the image to be re-processed even if a matching hash is found
     * @return Image
     * @throws \Exception
--- a/app/Policies/UserPolicy.php
+++ b/app/Policies/UserPolicy.php
@ -27,4 +27,8 @@ class UserPolicy
    public function getAlbums(User $userToAuthorize, User $user) {
        return $userToAuthorize->id === $user->id || $userToAuthorize->hasRole('admin');
    }
    public function getImages(User $userToAuthorize, User $user) {
        return $userToAuthorize->id === $user->id || $userToAuthorize->hasRole('admin');
    }
 }
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@ -22,6 +22,7 @@ namespace Poniverse\Ponyfm\Providers;
 use Illuminate\Routing\Router;
 use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
 use Poniverse\Ponyfm\Models\User;
 class RouteServiceProvider extends ServiceProvider
 {
@ -42,9 +43,9 @@ class RouteServiceProvider extends ServiceProvider
     */
    public function boot(Router $router)
    {
        //
        parent::boot($router);
        $router->model('userId', User::class);
    }
    /**
--- a/public/templates/directives/track-editor.html
+++ b/public/templates/directives/track-editor.html
@ -82,7 +82,7 @@
        <div class="row-fluid">
            <div class="form-row span6" ng-class="{'has-error': errors.cover != null}">
                <label class="strong">Track Cover: </label>
-                <pfm-image-upload set-image="setCover" image="track.cover_url" />
+                <pfm-image-upload set-image="setCover" image="track.cover_url" user-id="track.user_id"></pfm-image-upload>
            </div>
            <div class="form-row span6" ng-class="{'has-error': errors.released_at != null}">
                <label for="released_at" class="strong">Release Date:</label>
--- a/public/templates/directives/track-player.html
+++ b/public/templates/directives/track-player.html
@ -1,7 +1,7 @@
 <div class="single-player">
    <a href="#" class="play-button" pfm-eat-click ng-click="play()">
-        <i class="icon-play" ng-show="!track.isPlaying"></i>
+        <i class="icon-play" ng-if="!track.isPlaying"></i>
-        <i class="icon-pause" ng-hide="!track.isPlaying"></i>
+        <i class="icon-pause" ng-if="track.isPlaying"></i>
    </a>
    <img pfm-src-loader="::track.covers.thumbnail" pfm-src-size="thumbnail" />
 </div>
--- a/resources/assets/scripts/app/controllers/account-image-select.coffee
+++ b/resources/assets/scripts/app/controllers/account-image-select.coffee
@ -1,26 +0,0 @@
 # Pony.fm - A community for pony fan music.
 # Copyright (C) 2015 Peter Deltchev
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU Affero General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Affero General Public License for more details.
 #
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 module.exports = angular.module('ponyfm').controller "account-image-select", [
    '$scope'
    ($scope) ->
        $scope.images = []
        $scope.isLoading = true
        $.getJSON('/api/web/images/owned').done (images) -> $scope.$apply ->
            $scope.images = images
            $scope.isLoading = false
 ]
--- a/resources/assets/scripts/app/controllers/track.coffee
+++ b/resources/assets/scripts/app/controllers/track.coffee
@ -30,6 +30,11 @@ module.exports = angular.module('ponyfm').controller "track", [
        $scope.$on 'track-updated', () ->
            updateTrackData(true)
        $scope.$on 'track-deleted', () ->
            # This is meant to take you back to whatever state you found
            # this track from.
            $window.history.go(-2)
        $scope.playlists = []
        if auth.data.isLogged
--- a/resources/assets/scripts/app/directives/image-upload.coffee
+++ b/resources/assets/scripts/app/directives/image-upload.coffee
@ -23,6 +23,8 @@ module.exports = angular.module('ponyfm').directive 'pfmImageUpload', () ->
    scope:
        setImage: '=setImage'
        image: '=image'
        # ID of the user to upload images on behalf of
        userId: '=userId'
    compile: (element) ->
        $image = element.find 'img'
@ -31,6 +33,7 @@ module.exports = angular.module('ponyfm').directive 'pfmImageUpload', () ->
    controller: [
        'images', '$scope', 'lightbox'
        (images, $scope, lightbox) ->
            $scope.imageObject = null
            $scope.imageFile = null
            $scope.imageUrl = null
@ -40,7 +43,7 @@ module.exports = angular.module('ponyfm').directive 'pfmImageUpload', () ->
            $scope.$watch 'image', (val) ->
                $scope.imageObject = $scope.imageFile = $scope.imageUrl = null
                $scope.isImageLoaded = false
-                return if !val
+                return unless val?
                $scope.imageUrl = val
                $image.attr 'src', val
@ -50,7 +53,9 @@ module.exports = angular.module('ponyfm').directive 'pfmImageUpload', () ->
                $scope.isImageLoaded = true
                window.setTimeout (() -> window.alignVertically($image)), 0
-            images.refresh().done (images) -> $scope.images = images
+            $scope.$watch 'userId', (val)->
                return unless val?
                images.refresh(false, $scope.userId).done (images) -> $scope.images = images
            $scope.previewImage = () ->
                return if !$scope.isImageLoaded
--- a/resources/assets/scripts/app/directives/track-editor.coffee
+++ b/resources/assets/scripts/app/directives/track-editor.coffee
@ -91,7 +91,7 @@ module.exports = angular.module('ponyfm').directive 'pfmTrackEditor', () ->
                    $scope.track.is_published = true
                    $scope.isDirty = false
                    $scope.errors = {}
-                    images.refresh true
+                    images.refresh(true, track.user_id)
                formData = new FormData();
                _.each $scope.track, (value, name) ->
@ -129,6 +129,7 @@ module.exports = angular.module('ponyfm').directive 'pfmTrackEditor', () ->
            # ========================================
            tracks.getEdit($scope.trackId, true)
            .then (track)->
                images.refresh(true, track.user_id)
                $.when(
                    albums.refresh(false, track.user_id),
                    taxonomies.refresh()
@ -139,6 +140,7 @@ module.exports = angular.module('ponyfm').directive 'pfmTrackEditor', () ->
                    for album in albums
                        albumsDb[album.id] = album
                        $scope.albums.push album
                    $scope.selectedAlbum = if track.album_id then albumsDb[track.album_id] else null
                # Update track data
@ -153,6 +155,7 @@ module.exports = angular.module('ponyfm').directive 'pfmTrackEditor', () ->
                $scope.track =
                    id: track.id
                    title: track.title
                    user_id: track.user_id
                    description: track.description
                    lyrics: track.lyrics
                    is_explicit: track.is_explicit
@ -169,7 +172,6 @@ module.exports = angular.module('ponyfm').directive 'pfmTrackEditor', () ->
                    is_published: track.is_published
                    is_listed: track.is_listed
                $scope.selectedAlbum = if track.album_id then albumsDb[track.album_id] else null
                $scope.selectedSongs = {}
                $scope.selectedSongs[song.id] = song for song in track.show_songs
                updateSongDisplay()
--- a/resources/assets/scripts/app/services/images.coffee
+++ b/resources/assets/scripts/app/services/images.coffee
@ -18,17 +18,21 @@ module.exports = angular.module('ponyfm').factory('images', [
    '$rootScope'
    ($rootScope) ->
        def = null
        currentlyLoadedUserId = null
        self =
            images: []
            isLoading: true
-            refresh: (force) ->
+
-                return def if !force && def
+            refresh: (force, userId = window.pfm.auth.user.id) ->
                return def if !force && def && userId == currentlyLoadedUserId
                def = new $.Deferred()
                self.images = []
                self.isLoading = true
-                $.getJSON('/api/web/images/owned').done (images) -> $rootScope.$apply ->
+                $.getJSON("/api/web/users/#{userId}/images").done (images) -> $rootScope.$apply ->
                    currentlyLoadedUserId = userId
                    self.images = images
                    self.isLoading = false
                    def.resolve images
@ -38,4 +42,3 @@ module.exports = angular.module('ponyfm').factory('images', [
        self.refresh()
        return self
 ])