diff --git a/app/Commands/SaveAccountSettingsCommand.php b/app/Commands/SaveAccountSettingsCommand.php
index 23f1af78..6531e7dc 100644
--- a/app/Commands/SaveAccountSettingsCommand.php
+++ b/app/Commands/SaveAccountSettingsCommand.php
@@ -22,6 +22,7 @@ namespace Poniverse\Ponyfm\Commands;
 use Poniverse\Ponyfm\Models\Image;
 use Poniverse\Ponyfm\Models\User;
+use Gate;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Validator;
@@ -29,11 +30,15 @@ class SaveAccountSettingsCommand extends CommandBase
 {
 private $_input;
 private $_slug;
+ private $_user;
+ private $_current;
 function __construct($input, $slug)
 {
 $this->_input = $input;
 $this->_slug = $slug;
+ $this->_user = null;
+ $this->_current = null;
 }
 /**
@@ -41,7 +46,25 @@ class SaveAccountSettingsCommand extends CommandBase
 */
 public function authorize()
 {
- return Auth::user() != null || Auth::user()->hasRole('admin');
+ if (Auth::user() != null) {
+ $this->_current = Auth::user();
+
+ if ($this->_slug == $this->_current->slug) {
+ $this->_user = $this->_current;
+ } else {
+ $this->_user = User::where('slug', $this->_slug)->whereNull('disabled_at')->first();
+ }
+
+ if ($this->_user == null) {
+ return false;
+ }
+
+ if (Gate::allows('edit', $this->_user)) {
+ return true;
+ }
+ }
+
+ return false;
 }
 /**
@@ -50,17 +73,8 @@ class SaveAccountSettingsCommand extends CommandBase
 */
 public function execute()
 {
- $user = null;
- $current_user = Auth::user();
-
- if ($this->_slug == -1 || $this->_slug == $current_user->slug) {
- $user = $current_user;
- } else if ($current_user->hasRole('admin')) {
- $user = User::where('slug', $this->_slug)->whereNull('disabled_at')->first();
- }
-
- if ($user == null) {
- if ($current_user->hasRole('admin')) {
+ if ($this->_user == null) {
+ if ($_current->hasRole('admin')) {
 return CommandResponse::fail(['Not found']);
 } else {
 return CommandResponse::fail(['Permission denied']);
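Review bot: `use Gate;` in the import hunk goes through the application's facade alias map, while the neighbouring imports name the facade class directly; for consistency with `Illuminate\Support\Facades\Auth` and `Validator`, write `use Illuminate\Support\Facades\Gate;`. The same applies to the matching import added in AccountController.php further down.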
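Review bot: `Auth::user() != null` and `$this->_slug == $this->_current->slug` in the new authorize() use loose comparison, so a slug that happens to look numeric is compared as a number; resolve the user once and compare strictly, `$this->_current = Auth::user(); if ($this->_current === null) { return false; }` and `if ($this->_slug === $this->_current->slug) {`. The expression being replaced was true for every signed-in user (and dereferenced null for an anonymous one), so delegating the decision to `Gate::allows('edit', $this->_user)` is the substantive fix of this commit and deserves a line in the method's docblock, which sits outside the hunk, such as `@return bool true only when the caller holds the 'edit' ability for the target account`. Note that the own-slug branch skips the `whereNull('disabled_at')` filter applied to other accounts, which is presumably acceptable because that account has just authenticated.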
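Review bot: `$_current` on the added line in execute() is an undefined local, not the `$this->_current` property populated by authorize(); if that branch runs it raises a call on null instead of returning the 'Not found' response — change it to `if ($this->_current->hasRole('admin')) {`. Because authorize() already returns false whenever `$this->_user` is null, the branch is presumably unreachable when the command base runs authorize() before execute(), which is likely why it went unnoticed; a comment stating that execute() relies on authorize() having set both properties would make that dependency explicit. execute()'s body continues past the hunk.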
@@ -73,7 +87,7 @@ class SaveAccountSettingsCommand extends CommandBase
 ];
 if ($this->_input['sync_names'] == 'true') {
- $this->_input['display_name'] = $user->username;
+ $this->_input['display_name'] = $this->_user->username;
 }
 if ($this->_input['uses_gravatar'] == 'true') {
@@ -90,7 +104,7 @@ class SaveAccountSettingsCommand extends CommandBase
 }
 if ($this->_input['uses_gravatar'] != 'true') {
- if ($user->avatar_id == null && !isset($this->_input['avatar']) && !isset($this->_input['avatar_id'])) {
+ if ($this->_user->avatar_id == null && !isset($this->_input['avatar']) && !isset($this->_input['avatar_id'])) {
 $validator->messages()->add('avatar', 'You must upload or select an avatar if you are not using gravatar!');
@@ -98,26 +112,26 @@ class SaveAccountSettingsCommand extends CommandBase
 }
 }
- $user->bio = $this->_input['bio'];
- $user->display_name = $this->_input['display_name'];
- $user->sync_names = $this->_input['sync_names'] == 'true';
- $user->can_see_explicit_content = $this->_input['can_see_explicit_content'] == 'true';
- $user->uses_gravatar = $this->_input['uses_gravatar'] == 'true';
+ $this->_user->bio = $this->_input['bio'];
+ $this->_user->display_name = $this->_input['display_name'];
+ $this->_user->sync_names = $this->_input['sync_names'] == 'true';
+ $this->_user->can_see_explicit_content = $this->_input['can_see_explicit_content'] == 'true';
+ $this->_user->uses_gravatar = $this->_input['uses_gravatar'] == 'true';
- if ($user->uses_gravatar) {
- $user->avatar_id = null;
- $user->gravatar = $this->_input['gravatar'];
+ if ($this->_user->uses_gravatar) {
+ $this->_user->avatar_id = null;
+ $this->_user->gravatar = $this->_input['gravatar'];
 } else {
 if (isset($this->_input['avatar_id'])) {
- $user->avatar_id = $this->_input['avatar_id'];
+ $this->_user->avatar_id = $this->_input['avatar_id'];
 } else {
 if (isset($this->_input['avatar'])) {
- $user->avatar_id = Image::upload($this->_input['avatar'], $user)->id;
+ $this->_user->avatar_id = Image::upload($this->_input['avatar'], $this->_user)->id;
 }
 }
 }
- $user->save();
+ $this->_user->save();
 return CommandResponse::succeed();
 }
diff --git a/app/Http/Controllers/Api/Web/AccountController.php b/app/Http/Controllers/Api/Web/AccountController.php
index 7dd0bd7f..051283d5 100644
--- a/app/Http/Controllers/Api/Web/AccountController.php
+++ b/app/Http/Controllers/Api/Web/AccountController.php
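Review bot: `$this->_user->avatar_id = $this->_input['avatar_id'];` stores a client-supplied id on the account without a visible check that the referenced Image belongs to the account being edited; the validation rules live outside this hunk, so if they only verify the id exists, any signed-in user can attach another user's image as their avatar. Resolve the image first, e.g. `$image = Image::find($this->_input['avatar_id']);`, confirm its owner (column name not visible here) matches `$this->_user`, and return `CommandResponse::fail(['Permission denied'])` on a mismatch before assigning. The rest of the hunk is a mechanical rename to `$this->_user`; execute() starts outside this hunk.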
@@ -24,27 +24,30 @@ use Poniverse\Ponyfm\Http\Controllers\ApiControllerBase;
 use Poniverse\Ponyfm\Commands\SaveAccountSettingsCommand;
 use Poniverse\Ponyfm\Models\User;
 use Cover;
+use Gate;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Input;
 use Illuminate\Support\Facades\Response;
 class AccountController extends ApiControllerBase
 {
- public function getSettings($slug = -1)
+ public function getSettings($slug)
 {
 $user = null;
 $current_user = Auth::user();
- if ($slug == -1 || $slug == $current_user->slug) {
- $user = $current_user;
- } else if ($current_user->hasRole('admin')) {
- $user = User::where('slug', $slug)->whereNull('disabled_at')->first();
- }
-
- if ($user == null) {
- if ($current_user->hasRole('admin')) {
- return Response::json(['error' => 'User does not exist'], 404);
+ if ($current_user != null) {
+ if ($slug == $current_user->slug) {
+ $user = $current_user;
 } else {
+ $user = User::where('slug', $slug)->whereNull('disabled_at')->first();
+ }
+
+ if ($user == null) {
+ return Response::json(['error' => 'User does not exist'], 404);
+ }
+
+ if (Gate::denies('edit', $user)) {
 return Response::json(['error' => 'You cannot do that. So stop trying!'], 403);
 }
 }
@@ -63,7 +66,7 @@ class AccountController extends ApiControllerBase
 ], 200);
 }
- public function postSave($slug = -1)
+ public function postSave($slug)
 {
 return $this->execute(new SaveAccountSettingsCommand(Input::all(), $slug));
 }
diff --git a/app/Http/routes.php b/app/Http/routes.php
index ba83079f..7e9a47cd 100644
--- a/app/Http/routes.php
+++ b/app/Http/routes.php
@@ -123,7 +123,6 @@ Route::group(['prefix' => 'api/web'], function() {
 Route::post('/comments/{type}/{id}', 'Api\Web\CommentsController@postCreate')->where('id', '\d+');
- Route::post('/account/settings/save', 'Api\Web\AccountController@postSave');
 Route::post('/account/settings/save/{slug}', 'Api\Web\AccountController@postSave');
 Route::post('/favourites/toggle', 'Api\Web\FavouritesController@postToggle');
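Review bot: When `$current_user` is null the new `if ($current_user != null) {` guard skips the whole lookup and getSettings() falls through to the response built after the hunk with `$user` still null, so the guard needs its own early return — `if ($current_user === null) { return Response::json(['error' => 'Unauthorized'], 401); }` — or should be dropped in favour of the `auth` middleware group the route sits in. `$slug == $current_user->slug` should be `===`, as in the command. Checking for 404 before `Gate::denies('edit', $user)` also lets any signed-in user tell from the status code whether a slug is an active account (403) or absent/disabled (404); if that distinction was meant to stay admin-only, evaluate the gate first. getSettings() continues past the hunk.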
@@ -134,7 +133,6 @@ Route::group(['prefix' => 'api/web'], function() {
 });
 Route::group(['middleware' => 'auth'], function() {
- Route::get('/account/settings', 'Api\Web\AccountController@getSettings');
 Route::get('/account/settings/{slug}', 'Api\Web\AccountController@getSettings');
 Route::get('/tracks/owned', 'Api\Web\TracksController@getOwned');