Fix the PIREP edit permissions

Nabeel Shahzad
2021-04-01 09:54:01 -04:00
parent 3f84f84309
commit ede71e6927
2 changed files with 16 additions and 12 deletions


@@ -431,13 +431,16 @@ class PirepController extends Controller
*/
public function edit($id)
{
/** @var Pirep $pirep */
$pirep = $this->pirepRepo->findWithoutFail($id);
if (empty($pirep)) {
Flash::error('Pirep not found');
return redirect(route('frontend.pireps.index'));
}
if ($pirep->user_id !== Auth::id()) {
throw new Unauthorized(new Exception('You may not edit the PIREP of other users'));
Flash::error('Cannot edit someone else\'s PIREP!');
return redirect(route('admin.pireps.index'));
}
// Eager load the subfleet and fares under it
@@ -492,12 +495,21 @@ class PirepController extends Controller
*/
public function update($id, UpdatePirepRequest $request)
{
/** @var User $user */
$user = Auth::user();
/** @var Pirep $pirep */
$pirep = $this->pirepRepo->findWithoutFail($id);
if (empty($pirep)) {
Flash::error('Pirep not found');
return redirect(route('admin.pireps.index'));
}
if ($user->id !== $pirep->user_id) {
Flash::error('Cannot edit someone else\'s PIREP!');
return redirect(route('admin.pireps.index'));
}
$orig_route = $pirep->route;
$attrs = $request->all();
$attrs['submit'] = strtolower($attrs['submit']);
@@ -549,8 +561,10 @@ class PirepController extends Controller
Flash::error('PIREP not found');
return redirect(route('admin.pireps.index'));
}
if ($pirep->user_id !== Auth::id()) {
throw new Unauthorized(new Exception('You may not submit the PIREP of other users'));
Flash::error('Cannot edit someone else\'s PIREP!');
return redirect(route('admin.pireps.index'));
}
$this->pirepSvc->submit($pirep);
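Review bot: The three ownership-failure branches on the new side (in `edit`, in `update`, and in the last hunk before `$this->pirepSvc->submit($pirep)`) redirect to `admin.pireps.index`, while the not-found branch of `edit` in the same controller uses `frontend.pireps.index`. If this is the pilot-facing controller, a non-admin who fails the check is sent to a route they presumably cannot open and may never see the flash message, so `return redirect(route('frontend.pireps.index'));` looks like the intended target. The denial is also silent now that the `Unauthorized` exception is no longer thrown: nothing visible records that a user requested another user's PIREP, and a line such as `Log::warning('PIREP ownership check failed', ['pirep_id' => $pirep->id, 'user_id' => Auth::id()]);` before each redirect would keep those attempts visible to whoever reviews the logs (assuming the `Log` facade is imported in this file). Because `!==` is strict, it is worth confirming that `user_id` on the model is cast to the same type `Auth::id()` returns, otherwise the legitimate owner is rejected too. All three method bodies continue outside the hunks shown.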