From ede71e6927cc981230c0320b4082815b5a77c5df Mon Sep 17 00:00:00 2001
From: Nabeel Shahzad
Date: Thu, 1 Apr 2021 09:54:01 -0400
Subject: [PATCH] Fix the PIREP edit permissions
---
 .../Controllers/Frontend/PirepController.php | 18 ++++++++++++++++--
 app/Http/Requests/UpdatePirepRequest.php | 10 ----------
 2 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/app/Http/Controllers/Frontend/PirepController.php b/app/Http/Controllers/Frontend/PirepController.php
index 13d1803b..9806ff77 100644
--- a/app/Http/Controllers/Frontend/PirepController.php
+++ b/app/Http/Controllers/Frontend/PirepController.php
@@ -431,13 +431,16 @@ class PirepController extends Controller
 */
 public function edit($id)
 {
+ /** @var Pirep $pirep */
 $pirep = $this->pirepRepo->findWithoutFail($id);
 if (empty($pirep)) {
 Flash::error('Pirep not found');
 return redirect(route('frontend.pireps.index'));
 }
+
 if ($pirep->user_id !== Auth::id()) {
- throw new Unauthorized(new Exception('You may not edit the PIREP of other users'));
+ Flash::error('Cannot edit someone else\'s PIREP!');
+ return redirect(route('admin.pireps.index'));
 }
 
 // Eager load the subfleet and fares under it
@@ -492,12 +495,21 @@ class PirepController extends Controller
 */
 public function update($id, UpdatePirepRequest $request)
 {
+ /** @var User $user */
+ $user = Auth::user();
+
+ /** @var Pirep $pirep */
 $pirep = $this->pirepRepo->findWithoutFail($id);
 if (empty($pirep)) {
 Flash::error('Pirep not found');
 return redirect(route('admin.pireps.index'));
 }
 
+ if ($user->id !== $pirep->user_id) {
+ Flash::error('Cannot edit someone else\'s PIREP!');
+ return redirect(route('admin.pireps.index'));
+ }
+
 $orig_route = $pirep->route;
 $attrs = $request->all();
 $attrs['submit'] = strtolower($attrs['submit']);
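Review bot: The new non-owner branch in edit() redirects to `admin.pireps.index`, while the not-found branch a few lines above in this Frontend controller sends the same user to `frontend.pireps.index`; a non-admin pilot who trips the ownership check is likely bounced into the admin area, where a second access denial can hide the flash message. `return redirect(route('frontend.pireps.index'));` keeps the pilot in the frontend, and the same admin target is used by the new branches in update() and submit() further down. Swapping the thrown Unauthorized for a flash-and-redirect is a reasonable UX choice for an authenticated user, as long as the redirect target is one that user can reach. edit()'s body continues past the hunk.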
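Review bot: The ownership check added to update() is written as `$user->id !== $pirep->user_id` with `$user = Auth::user()`, whereas edit() and submit() compare against `Auth::id()`; if this route is ever reached without an authenticated user, `$user` is null and the property access fails before the comparison runs. `if ($pirep->user_id !== Auth::id()) {` matches the sibling methods and makes the `$user` local, which is only read here, unnecessary. Note also that with UpdatePirepRequest::authorize() deleted in this same patch, the form request is validated before the controller body executes, so a non-owner's payload now passes through rules() before being rejected, and this comparison is the only ownership guard on the update path.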
@@ -549,8 +561,10 @@ class PirepController extends Controller
 Flash::error('PIREP not found');
 return redirect(route('admin.pireps.index'));
 }
+
 if ($pirep->user_id !== Auth::id()) {
- throw new Unauthorized(new Exception('You may not submit the PIREP of other users'));
+ Flash::error('Cannot edit someone else\'s PIREP!');
+ return redirect(route('admin.pireps.index'));
 }
 
 $this->pirepSvc->submit($pirep);
diff --git a/app/Http/Requests/UpdatePirepRequest.php b/app/Http/Requests/UpdatePirepRequest.php
index 3044185b..8ec7a267 100644
--- a/app/Http/Requests/UpdatePirepRequest.php
+++ b/app/Http/Requests/UpdatePirepRequest.php
@@ -5,20 +5,10 @@ namespace App\Http\Requests;
 use App\Contracts\FormRequest;
 use App\Models\Pirep;
 use App\Repositories\PirepFieldRepository;
-use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Log;
 
 class UpdatePirepRequest extends FormRequest
 {
- /**
- * Is the user allowed to do this?
- */
- public function authorize(): bool
- {
- $pirep = Pirep::findOrFail($this->route('pirep'), ['user_id']);
- return $pirep->user_id === Auth::id();
- }
-
 /**
 * Get the validation rules that apply to the request.
 *
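Review bot: The flash message in submit()'s new non-owner branch still says "edit", although this branch guards submission and the exception it replaces said "submit"; `Flash::error('Cannot submit someone else\'s PIREP!');` keeps the message accurate for the user reading it. submit() starts before this hunk, so the `$pirep` lookup the comparison relies on is out of view here.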