From 1e320835c24108395f326860031a13bb98ae989a Mon Sep 17 00:00:00 2001
From: exciler
Date: Sun, 28 Mar 2021 15:57:16 +0200
Subject: [PATCH] fix map-info-box display (#1104)

* fix map-info-box display
* Check user on PIREP show/edit/update/submit
* add missing use
* refactoring according to comments; use UpdatePirepRequest for authorization and make user available to view

Co-authored-by: Andreas Palm
Co-authored-by: Nabeel S
---
 app/Http/Controllers/Frontend/PirepController.php | 9 +++++++++
 app/Http/Requests/UpdatePirepRequest.php | 10 ++++++++++
 public/assets/frontend/css/styles.css | 1 -
 resources/views/layouts/default/pireps/show.blade.php | 2 +-
 .../views/layouts/default/widgets/live_map.blade.php | 2 +-
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/app/Http/Controllers/Frontend/PirepController.php b/app/Http/Controllers/Frontend/PirepController.php
index 9d6609f8..13d1803b 100644
--- a/app/Http/Controllers/Frontend/PirepController.php
+++ b/app/Http/Controllers/Frontend/PirepController.php
@@ -3,6 +3,7 @@
 namespace App\Http\Controllers\Frontend;
 
 use App\Contracts\Controller;
+use App\Exceptions\Unauthorized;
 use App\Http\Requests\CreatePirepRequest;
 use App\Http\Requests\UpdatePirepRequest;
 use App\Models\Enums\PirepSource;
@@ -26,6 +27,7 @@ use App\Services\UserService;
 use App\Support\Units\Fuel;
 use App\Support\Units\Time;
 use Carbon\Carbon;
+use Exception;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Log;
@@ -211,6 +213,7 @@ class PirepController extends Controller
 return view('pireps.show', [
 'pirep' => $pirep,
 'map_features' => $map_features,
+ 'user' => Auth::user(),
 ]);
 }
 
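Review bot: `'user' => Auth::user()` is null for an unauthenticated request, and the show.blade.php hunk at the end of this patch dereferences it as `$user->id`; if the show route is reachable by guests, that read raises a property-on-null warning, which Laravel's error handler usually surfaces as an exception, instead of merely hiding the edit controls. Guarding the comparison in the view, e.g. `@if(!$pirep->read_only && $pirep->user_id === optional($user)->id)`, keeps the page rendering for guests while still hiding the buttons; the server-side checks in edit()/submit()/UpdatePirepRequest remain the real enforcement, the view test is presentation only. show()'s body starts outside the hunk.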
@@ -433,6 +436,9 @@ class PirepController extends Controller
 Flash::error('Pirep not found');
 return redirect(route('frontend.pireps.index'));
 }
+ if ($pirep->user_id !== Auth::id()) {
+ throw new Unauthorized(new Exception('You may not edit the PIREP of other users'));
+ }
 
 // Eager load the subfleet and fares under it
 if ($pirep->aircraft) {
@@ -543,6 +549,9 @@ class PirepController extends Controller
 Flash::error('PIREP not found');
 return redirect(route('admin.pireps.index'));
 }
+ if ($pirep->user_id !== Auth::id()) {
+ throw new Unauthorized(new Exception('You may not submit the PIREP of other users'));
+ }
 
 $this->pirepSvc->submit($pirep);
 return redirect(route('frontend.pireps.show', [$pirep->id]));
diff --git a/app/Http/Requests/UpdatePirepRequest.php b/app/Http/Requests/UpdatePirepRequest.php
index 8ec7a267..fa0cf0e2 100644
--- a/app/Http/Requests/UpdatePirepRequest.php
+++ b/app/Http/Requests/UpdatePirepRequest.php
@@ -5,10 +5,20 @@ namespace App\Http\Requests;
 use App\Contracts\FormRequest;
 use App\Models\Pirep;
 use App\Repositories\PirepFieldRepository;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Log;
 
 class UpdatePirepRequest extends FormRequest
 {
+ /**
+ * Is the user allowed to do this?
+ */
+ public function authorize(): bool
+ {
+ $pirep = Pirep::findOrFail($this->route('id'), ['user_id']);
+ return $pirep->user_id === Auth::id();
+ }
+
 /**
 * Get the validation rules that apply to the request.
 *
diff --git a/public/assets/frontend/css/styles.css b/public/assets/frontend/css/styles.css
index c9a8652c..d2b20383 100644
--- a/public/assets/frontend/css/styles.css
+++ b/public/assets/frontend/css/styles.css
@@ -6,7 +6,6 @@
 }
 
 .map-info-box {
- display: none;
 position: absolute;
 bottom: 0;
 padding: 20px;
diff --git a/resources/views/layouts/default/pireps/show.blade.php b/resources/views/layouts/default/pireps/show.blade.php
index 530a2c98..04506684 100644
--- a/resources/views/layouts/default/pireps/show.blade.php
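Review bot: The ownership test `$pirep->user_id !== Auth::id()` is strict, so it is only correct if the Pirep model casts `user_id` to the same scalar type that `Auth::id()` returns; should the column come back as a string on some driver, every owner would be rejected, which fails closed but breaks editing. The identical rule is repeated in the submit hunk below and in UpdatePirepRequest::authorize(); routing all three through one helper or a policy would keep them from drifting. A short comment above the check would also record the intent, e.g. `// Only the PIREP's author may edit it; Auth::id() is null for guests, so they are rejected as well`. edit()'s body starts and ends outside the hunk.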
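Review bot: `authorize()` keys its lookup on `$this->route('id')`, so it silently turns into a 404 for every update if the route parameter is named anything else; a comment stating that assumption, `// Route parameter must be named 'id' (matches the controller's $id arguments)`, would make the coupling visible, and the docblock `Is the user allowed to do this?` could state the actual rule: only the PIREP's owner may update it, and unauthenticated requests fail because Auth::id() is null. Because a FormRequest is authorized before the controller action runs, the `findOrFail` here now answers a missing PIREP with a 404 rather than the controller's flash-and-redirect; probably acceptable, but it is a behaviour change for the update route worth a note. The strict `===` carries the same type-cast caveat as the controller's `!==` checks.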
+++ b/resources/views/layouts/default/pireps/show.blade.php
@@ -15,7 +15,7 @@
 class="btn btn-outline-info">View SimBrief
 @endif
 
- @if(!$pirep->read_only)
+ @if(!$pirep->read_only && $pirep->user_id === $user->id)