From 17637c32d448d0d2eeb27bdb57701d94bd2def75 Mon Sep 17 00:00:00 2001 From: Nabeel S Date: Wed, 25 Dec 2019 13:31:09 +0500 Subject: [PATCH] Pilots cannot use the dashboard or flights without admin rights (#481) * Use auth middleware instead of specific groups for logged in state * Auth check for admin access * Check user admin access for updates * Formatting --- app/Console/Kernel.php | 1 - app/Database/seeds/dev/users.yml | 10 +- .../Controllers/Auth/RegisterController.php | 5 +- app/Http/Kernel.php | 3 - app/Http/Routes/admin.php | 240 ++++++++++++------ app/Http/Routes/api.php | 2 + app/Http/Routes/console.php | 18 -- app/Http/Routes/web.php | 4 +- .../Providers/UpdateServiceProvider.php | 2 +- 9 files changed, 173 insertions(+), 112 deletions(-) delete mode 100755 app/Http/Routes/console.php diff --git a/app/Console/Kernel.php b/app/Console/Kernel.php index ddd6eb6d..cbf1ab25 100755 --- a/app/Console/Kernel.php +++ b/app/Console/Kernel.php @@ -42,7 +42,6 @@ class Kernel extends ConsoleKernel */ protected function commands(): void { - require app_path('Http/Routes/console.php'); $this->load(__DIR__.'/Commands'); $this->load(__DIR__.'/Cron'); } diff --git a/app/Database/seeds/dev/users.yml b/app/Database/seeds/dev/users.yml index 36f5ae46..695430c0 100644 --- a/app/Database/seeds/dev/users.yml +++ b/app/Database/seeds/dev/users.yml @@ -21,10 +21,10 @@ users: updated_at: now - id: 2 pilot_id: 2 - name: Carla Walters - email: carla.walters68@example.com - password: admin - api_key: testuserapikey1 + name: Test User + email: test@phpvms.net + password: test + api_key: testuserapikey airline_id: 1 rank_id: 1 home_airport_id: KJFK @@ -34,7 +34,7 @@ users: transfer_time: 360 created_at: now updated_at: now - state: 0 + state: 1 opt_in: 1 toc_accepted: 1 - id: 3 diff --git a/app/Http/Controllers/Auth/RegisterController.php b/app/Http/Controllers/Auth/RegisterController.php index 90d22a4d..ff52dfe7 100755 --- a/app/Http/Controllers/Auth/RegisterController.php 
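Review bot: The test account seeded in the users.yml hunks now carries `state: 1` alongside the static credentials `password: test` and `api_key: testuserapikey`, so wherever this dev seed is loaded there is a ready-made, guessable login and API key. That is acceptable under `seeds/dev/`, but nothing in the hunk marks the record as development-only; a comment such as `# dev-only fixture with a well-known password/api_key - never load outside local/test environments` above the `- id: 2` entry would make that explicit. I read the change from `state: 0` to `state: 1` as activating the account, which is presumably why the credentials were changed at the same time; confirm against the user state constants.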
+++ b/app/Http/Controllers/Auth/RegisterController.php @@ -17,9 +17,6 @@ use Illuminate\Http\Request; use Illuminate\Support\Facades\Hash; use Illuminate\Support\Facades\Log; -/** - * Class RegisterController - */ class RegisterController extends Controller { use RegistersUsers; @@ -58,7 +55,7 @@ class RegisterController extends Controller /** * @throws \Exception * - * @return \Illuminate\Contracts\View\Factory|\Illuminate\View\View + * @return mixed */ public function showRegistrationForm() { diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php index 4718cc62..ae30bc21 100755 --- a/app/Http/Kernel.php +++ b/app/Http/Kernel.php @@ -10,7 +10,6 @@ use App\Http\Middleware\RedirectIfAuthenticated; use App\Http\Middleware\UpdatePending; use App\Http\Middleware\VerifyCsrfToken; use Illuminate\Auth\Middleware\Authenticate; -use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth; use Illuminate\Auth\Middleware\Authorize; use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse; use Illuminate\Foundation\Http\Kernel as HttpKernel; @@ -44,14 +43,12 @@ class Kernel extends HttpKernel ShareErrorsFromSession::class, VerifyCsrfToken::class, SubstituteBindings::class, - //\Spatie\Pjax\Middleware\FilterIfPjax::class, ], ]; protected $routeMiddleware = [ 'api.auth' => ApiAuth::class, 'auth' => Authenticate::class, - 'auth.basic' => AuthenticateWithBasicAuth::class, 'bindings' => SubstituteBindings::class, 'can' => Authorize::class, 'guest' => RedirectIfAuthenticated::class, diff --git a/app/Http/Routes/admin.php b/app/Http/Routes/admin.php index f0f83c75..e80d51e9 100644 --- a/app/Http/Routes/admin.php +++ b/app/Http/Routes/admin.php 
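Review bot: The second RegisterController hunk replaces the precise `@return \Illuminate\Contracts\View\Factory|\Illuminate\View\View` on showRegistrationForm() with `@return mixed`, which discards type information static analysis could use without gaining anything in return. The first hunk also drops the class docblock, leaving the controller undocumented. I would keep the original union in the tag and, if a looser type is genuinely needed, widen it explicitly rather than to `mixed`; a one-line class docblock stating that the controller handles user registration via the RegistersUsers trait would restore what was removed. showRegistrationForm's body lies outside the hunk.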
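Review bot: Removing the `'auth.basic'` alias from `$routeMiddleware` in Http/Kernel.php is only safe if no route file or module still references that string; as far as I can tell Laravel resolves aliases when a route is dispatched, so a leftover `->middleware('auth.basic')` would fail when that route is hit rather than at boot. Worth a grep across `app/`, `modules/` and the route files before merging, and a changelog line noting the alias is gone so module authors do not keep depending on it. The `$routeMiddleware` array continues outside the hunk.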
@@ -2,101 +2,183 @@ /** * Admin Routes */ -Route::group([ - 'namespace' => 'Admin', 'prefix' => 'admin', 'as' => 'admin.', - 'middleware' => ['ability:admin,admin-access'], -], static function () { - // CRUD for airlines - Route::resource('airlines', 'AirlinesController'); +use Illuminate\Support\Facades\Route; - // CRUD for roles - Route::resource('roles', 'RolesController'); +Route::group( + [ + 'namespace' => 'Admin', + 'prefix' => 'admin', + 'as' => 'admin.', + 'middleware' => ['auth', 'ability:admin,admin-access'], + ], + static function () { + // CRUD for airlines + Route::resource('airlines', 'AirlinesController'); - Route::get('airports/export', 'AirportController@export')->name('airports.export'); - Route::match(['get', 'post', 'put'], 'airports/fuel', 'AirportController@fuel'); - Route::match(['get', 'post'], 'airports/import', 'AirportController@import')->name('airports.import'); - Route::match(['get', 'post', 'put', 'delete'], 'airports/{id}/expenses', 'AirportController@expenses'); - Route::resource('airports', 'AirportController'); + // CRUD for roles + Route::resource('roles', 'RolesController'); - // Awards - Route::resource('awards', 'AwardController'); + Route::get('airports/export', 'AirportController@export')->name('airports.export'); + Route::match(['get', 'post', 'put'], 'airports/fuel', 'AirportController@fuel'); - // aircraft and fare associations - Route::get('aircraft/export', 'AircraftController@export')->name('aircraft.export'); - Route::match(['get', 'post'], 'aircraft/import', 'AircraftController@import')->name('aircraft.import'); - Route::match(['get', 'post', 'put', 'delete'], 'aircraft/{id}/expenses', 'AircraftController@expenses'); - Route::resource('aircraft', 'AircraftController'); + Route::match(['get', 'post'], 'airports/import', 'AirportController@import')->name( + 'airports.import' + ); - // expenses - Route::get('expenses/export', 'ExpenseController@export')->name('expenses.export'); - Route::match(['get', 'post'], 
'expenses/import', 'ExpenseController@import')->name('expenses.import'); - Route::resource('expenses', 'ExpenseController'); + Route::match( + ['get', 'post', 'put', 'delete'], + 'airports/{id}/expenses', + 'AirportController@expenses' + ); - // fares - Route::get('fares/export', 'FareController@export')->name('fares.export'); - Route::match(['get', 'post'], 'fares/import', 'FareController@import')->name('fares.import'); - Route::resource('fares', 'FareController'); + Route::resource('airports', 'AirportController'); - // files - Route::post('files', 'FileController@store')->name('files.store'); - Route::delete('files/{id}', 'FileController@destroy')->name('files.delete'); + // Awards + Route::resource('awards', 'AwardController'); - // finances - Route::resource('finances', 'FinanceController'); + // aircraft and fare associations + Route::get('aircraft/export', 'AircraftController@export')->name('aircraft.export'); - // flights and aircraft associations - Route::get('flights/export', 'FlightController@export')->name('flights.export'); - Route::match(['get', 'post'], 'flights/import', 'FlightController@import')->name('flights.import'); - Route::match(['get', 'post', 'put', 'delete'], 'flights/{id}/fares', 'FlightController@fares'); - Route::match(['get', 'post', 'put', 'delete'], 'flights/{id}/fields', 'FlightController@field_values'); - Route::match(['get', 'post', 'put', 'delete'], 'flights/{id}/subfleets', 'FlightController@subfleets'); - Route::resource('flights', 'FlightController'); + Route::match(['get', 'post'], 'aircraft/import', 'AircraftController@import')->name( + 'aircraft.import' + ); - Route::resource('flightfields', 'FlightFieldController'); + Route::match( + ['get', 'post', 'put', 'delete'], + 'aircraft/{id}/expenses', + 'AircraftController@expenses' + ); - // pirep related routes - Route::get('pireps/fares', 'PirepController@fares'); - Route::get('pireps/pending', 'PirepController@pending'); - Route::resource('pireps', 'PirepController'); - 
Route::match(['get', 'post', 'delete'], 'pireps/{id}/comments', 'PirepController@comments'); - Route::match(['post', 'put'], 'pireps/{id}/status', 'PirepController@status')->name('pirep.status'); + Route::resource('aircraft', 'AircraftController'); - Route::resource('pirepfields', 'PirepFieldController'); + // expenses + Route::get('expenses/export', 'ExpenseController@export')->name('expenses.export'); - // rankings - Route::resource('ranks', 'RankController'); - Route::match(['get', 'post', 'put', 'delete'], 'ranks/{id}/subfleets', 'RankController@subfleets'); + Route::match(['get', 'post'], 'expenses/import', 'ExpenseController@import')->name( + 'expenses.import' + ); - // settings - Route::match(['get'], 'settings', 'SettingsController@index'); - Route::match(['post', 'put'], 'settings', 'SettingsController@update')->name('settings.update'); + Route::resource('expenses', 'ExpenseController'); - // maintenance - Route::match(['get'], 'maintenance', 'MaintenanceController@index')->name('maintenance.index'); - Route::match(['post'], 'maintenance', 'MaintenanceController@cache')->name('maintenance.cache'); + // fares + Route::get('fares/export', 'FareController@export')->name('fares.export'); - // subfleet - Route::get('subfleets/export', 'SubfleetController@export')->name('subfleets.export'); - Route::match(['get', 'post'], 'subfleets/import', 'SubfleetController@import')->name('subfleets.import'); - Route::match(['get', 'post', 'put', 'delete'], 'subfleets/{id}/expenses', 'SubfleetController@expenses'); - Route::match(['get', 'post', 'put', 'delete'], 'subfleets/{id}/fares', 'SubfleetController@fares'); - Route::match(['get', 'post', 'put', 'delete'], 'subfleets/{id}/ranks', 'SubfleetController@ranks'); - Route::resource('subfleets', 'SubfleetController'); + Route::match(['get', 'post'], 'fares/import', 'FareController@import')->name( + 'fares.import' + ); - Route::resource('users', 'UserController'); - Route::get( - 'users/{id}/regen_apikey', - 
'UserController@regen_apikey' - )->name('users.regen_apikey'); + Route::resource('fares', 'FareController'); - // defaults - Route::get('', ['uses' => 'DashboardController@index'])->middleware('update_pending'); - Route::get('/', ['uses' => 'DashboardController@index'])->middleware('update_pending'); + // files + Route::post('files', 'FileController@store')->name('files.store'); + Route::delete('files/{id}', 'FileController@destroy')->name('files.delete'); - Route::get('dashboard', ['uses' => 'DashboardController@index', 'name' => 'dashboard']); - Route::match( - ['get', 'post', 'delete'], - 'dashboard/news', - ['uses' => 'DashboardController@news'] - )->name('dashboard.news'); -}); + // finances + Route::resource('finances', 'FinanceController'); + + // flights and aircraft associations + Route::get('flights/export', 'FlightController@export')->name('flights.export'); + + Route::match(['get', 'post'], 'flights/import', 'FlightController@import')->name( + 'flights.import' + ); + + Route::match( + ['get', 'post', 'put', 'delete'], + 'flights/{id}/fares', + 'FlightController@fares' + ); + + Route::match( + ['get', 'post', 'put', 'delete'], + 'flights/{id}/fields', + 'FlightController@field_values' + ); + + Route::match( + ['get', 'post', 'put', 'delete'], + 'flights/{id}/subfleets', + 'FlightController@subfleets' + ); + + Route::resource('flights', 'FlightController'); + + Route::resource('flightfields', 'FlightFieldController'); + + // pirep related routes + Route::get('pireps/fares', 'PirepController@fares'); + Route::get('pireps/pending', 'PirepController@pending'); + Route::resource('pireps', 'PirepController'); + Route::match(['get', 'post', 'delete'], 'pireps/{id}/comments', 'PirepController@comments'); + Route::match(['post', 'put'], 'pireps/{id}/status', 'PirepController@status')->name( + 'pirep.status' + ); + + Route::resource('pirepfields', 'PirepFieldController'); + + // rankings + Route::resource('ranks', 'RankController'); + Route::match( + ['get', 
'post', 'put', 'delete'], + 'ranks/{id}/subfleets', + 'RankController@subfleets' + ); + + // settings + Route::match(['get'], 'settings', 'SettingsController@index'); + Route::match(['post', 'put'], 'settings', 'SettingsController@update')->name( + 'settings.update' + ); + + // maintenance + Route::match(['get'], 'maintenance', 'MaintenanceController@index')->name( + 'maintenance.index' + ); + Route::match(['post'], 'maintenance', 'MaintenanceController@cache')->name( + 'maintenance.cache' + ); + + // subfleet + Route::get('subfleets/export', 'SubfleetController@export')->name('subfleets.export'); + Route::match(['get', 'post'], 'subfleets/import', 'SubfleetController@import')->name( + 'subfleets.import' + ); + + Route::match( + ['get', 'post', 'put', 'delete'], + 'subfleets/{id}/expenses', + 'SubfleetController@expenses' + ); + + Route::match( + ['get', 'post', 'put', 'delete'], + 'subfleets/{id}/fares', + 'SubfleetController@fares' + ); + + Route::match( + ['get', 'post', 'put', 'delete'], + 'subfleets/{id}/ranks', + 'SubfleetController@ranks' + ); + + Route::resource('subfleets', 'SubfleetController'); + + Route::resource('users', 'UserController'); + Route::get( + 'users/{id}/regen_apikey', + 'UserController@regen_apikey' + )->name('users.regen_apikey'); + + // defaults + Route::get('', ['uses' => 'DashboardController@index'])->middleware('update_pending'); + Route::get('/', ['uses' => 'DashboardController@index'])->middleware('update_pending'); + + Route::get('dashboard', ['uses' => 'DashboardController@index', 'name' => 'dashboard']); + Route::match( + ['get', 'post', 'delete'], + 'dashboard/news', + ['uses' => 'DashboardController@news'] + )->name('dashboard.news'); + } +); diff --git a/app/Http/Routes/api.php b/app/Http/Routes/api.php index 0958f4e8..4069059f 100755 --- a/app/Http/Routes/api.php +++ b/app/Http/Routes/api.php 
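Review bot: The admin gate `['auth', 'ability:admin,admin-access']` declared on this group is written out again verbatim in `modules/Updater/Providers/UpdateServiceProvider.php` in the same commit, so the middleware set that protects admin functionality now lives in two places that can drift apart. I would register it once as a middleware group in `app/Http/Kernel.php` (for example `'admin' => ['auth', 'ability:admin,admin-access'],` under `$middlewareGroups`) and reference that single name from both route groups. Separately, the reformatted block still carries the pre-existing `Route::get('dashboard', ['uses' => 'DashboardController@index', 'name' => 'dashboard']);`; as far as I know `'name'` is not a key the route action array honours, so that route stays unnamed, and `->name('dashboard')` would match the style of the surrounding routes.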
@@ -3,6 +3,8 @@ /** * Public routes */ +use Illuminate\Support\Facades\Route; + Route::group([], function () { Route::get('acars', 'AcarsController@live_flights'); Route::get('acars/geojson', 'AcarsController@pireps_geojson'); diff --git a/app/Http/Routes/console.php b/app/Http/Routes/console.php deleted file mode 100755 index eea1a865..00000000 --- a/app/Http/Routes/console.php +++ /dev/null @@ -1,18 +0,0 @@ -comment(Inspiring::quote()); -}); diff --git a/app/Http/Routes/web.php b/app/Http/Routes/web.php index a10e3e89..36a99e84 100755 --- a/app/Http/Routes/web.php +++ b/app/Http/Routes/web.php @@ -4,6 +4,8 @@ * User doesn't need to be logged in for these */ use App\Http\Middleware\SetActiveTheme; +use Illuminate\Support\Facades\Auth; +use Illuminate\Support\Facades\Route; Route::group([ 'namespace' => 'Frontend', 'prefix' => '', 'as' => 'frontend.', @@ -24,7 +26,7 @@ Route::group([ */ Route::group([ 'namespace' => 'Frontend', 'prefix' => '', 'as' => 'frontend.', - 'middleware' => ['role:admin|user', SetActiveTheme::class], + 'middleware' => ['auth', SetActiveTheme::class], ], function () { Route::resource('dashboard', 'DashboardController'); diff --git a/modules/Updater/Providers/UpdateServiceProvider.php b/modules/Updater/Providers/UpdateServiceProvider.php index 6082d804..cc30a8bb 100644 --- a/modules/Updater/Providers/UpdateServiceProvider.php +++ b/modules/Updater/Providers/UpdateServiceProvider.php @@ -23,7 +23,7 @@ class UpdateServiceProvider extends ServiceProvider Route::group([ 'as' => 'update.', 'prefix' => 'update', - 'middleware' => ['web'], + 'middleware' => ['auth', 'ability:admin,admin-access', 'web'], 'namespace' => 'Modules\Updater\Http\Controllers', ], function () { Route::get('/', 'UpdateController@index')->name('index');
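Review bot: Swapping `role:admin|user` for `auth` on the second web.php group changes the condition from "holds a role" to "is authenticated", so a logged-in account with no role at all (one whose roles were stripped, or a newly registered one awaiting approval) now reaches the dashboard and flight routes. That is the intended fix for pilots without admin rights, but it only holds if account state is enforced at login or by the `auth` guard; the seed change in this commit bumping the test user to `state: 1` suggests state matters, so please confirm where it is checked. The newly imported `Illuminate\Support\Facades\Auth` has no use inside the hunk; if the rest of the file does not reference it, drop the import. The group body continues outside the hunk.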
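Review bot: The new middleware list in UpdateServiceProvider puts `'web'` after `'auth'` and `'ability:admin,admin-access'`, yet session-based authentication depends on the session-starting middleware that the `web` group supplies. Laravel's middleware priority sorting moves the framework Authenticate middleware behind StartSession regardless of declared order, but `ability` is not in the default priority list, so the outcome rests on the sorter rather than on the declaration; `'middleware' => ['web', 'auth', 'ability:admin,admin-access'],` states the dependency in the order it is needed. If this module's routes are already registered under the `web` group elsewhere, the explicit `'web'` entry is redundant and could be dropped instead. The group closure continues outside the hunk.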