From c33940f64a1e5b59afd700010247382f5b7b2df3 Mon Sep 17 00:00:00 2001 From: Igor Scheller Date: Mon, 12 Nov 2018 14:41:23 +0100 Subject: [PATCH] Moved permission checks to Authenticator class --- includes/controller/angeltypes_controller.php | 26 +++----- .../controller/event_config_controller.php | 4 +- includes/controller/rooms_controller.php | 4 +- .../controller/shift_entries_controller.php | 3 +- includes/controller/shifts_controller.php | 16 ++--- .../controller/user_angeltypes_controller.php | 9 +-- .../user_driver_licenses_controller.php | 3 +- .../controller/user_worklog_controller.php | 3 +- includes/controller/users_controller.php | 18 +++--- includes/engelsystem.php | 6 -- includes/model/Shifts_model.php | 11 ++-- includes/pages/admin_free.php | 3 +- includes/pages/admin_news.php | 5 +- includes/pages/admin_questions.php | 4 +- includes/pages/admin_user.php | 5 +- includes/pages/guest_login.php | 7 +-- includes/pages/user_atom.php | 2 +- includes/pages/user_ical.php | 2 +- includes/pages/user_myshifts.php | 7 +-- includes/pages/user_news.php | 11 ++-- includes/pages/user_shifts.php | 6 +- includes/sys_auth.php | 27 --------- includes/sys_menu.php | 20 +++---- includes/view/AngelTypes_view.php | 4 +- includes/view/Rooms_view.php | 4 +- includes/view/ShiftCalendarShiftRenderer.php | 8 +-- includes/view/ShiftTypes_view.php | 3 +- includes/view/Shifts_view.php | 10 ++-- includes/view/User_view.php | 6 +- src/Helpers/Authenticator.php | 60 +++++++++++++++++++ src/Middleware/LegacyMiddleware.php | 6 +- .../Twig/Extensions/Authentication.php | 13 +--- tests/Unit/Helpers/AuthenticatorTest.php | 52 ++++++++++++++++ .../Unit/Middleware/LegacyMiddlewareTest.php | 3 + .../Twig/Extensions/AuthenticationTest.php | 21 +------ 35 files changed, 193 insertions(+), 199 deletions(-) diff --git a/includes/controller/angeltypes_controller.php b/includes/controller/angeltypes_controller.php index 821d101a..6e78db45 100644 --- a/includes/controller/angeltypes_controller.php +++ b/includes/controller/angeltypes_controller.php @@ -78,9 +78,7 @@ function angeltypes_about_controller() */ function angeltype_delete_controller() { - global $privileges; - - if (!in_array('admin_angel_types', $privileges)) { + if (!auth()->can('admin_angel_types')) { redirect(page_link_to('angeltypes')); } @@ -105,10 +103,8 @@ function angeltype_delete_controller() */ function angeltype_edit_controller() { - global $privileges; - // In supporter mode only allow to modify description - $supporter_mode = !in_array('admin_angel_types', $privileges); + $supporter_mode = !auth()->can('admin_angel_types'); $request = request(); if ($request->has('angeltype_id')) { @@ -178,10 +174,9 @@ function angeltype_edit_controller() */ function angeltype_controller() { - global $privileges; $user = auth()->user(); - if (!in_array('angeltypes', $privileges)) { + if (!auth()->can('angeltypes')) { redirect(page_link_to('/')); } @@ -210,8 +205,8 @@ function angeltype_controller() $angeltype, $members, $user_angeltype, - in_array('admin_user_angeltypes', $privileges) || $user_angeltype['supporter'], - in_array('admin_angel_types', $privileges), + auth()->can('admin_user_angeltypes') || $user_angeltype['supporter'], + auth()->can('admin_angel_types'), $user_angeltype['supporter'], $user_driver_license, $user, @@ -250,11 +245,9 @@ function angeltype_controller_shiftsFilterDays($angeltype) */ function angeltype_controller_shiftsFilter($angeltype, $days) { - global $privileges; - $request = request(); $shiftsFilter = new ShiftsFilter( - in_array('user_shifts_admin', $privileges), + auth()->can('user_shifts_admin'), Room_ids(), [$angeltype['id']] ); @@ -278,10 +271,9 @@ function angeltype_controller_shiftsFilter($angeltype, $days) */ function angeltypes_list_controller() { - global $privileges; $user = auth()->user(); - if (!in_array('angeltypes', $privileges)) { + if (!auth()->can('angeltypes')) { redirect(page_link_to('/')); } @@ -296,7 +288,7 @@ function angeltypes_list_controller() ) ]; - if (in_array('admin_angel_types', $privileges)) { + if (auth()->can('admin_angel_types')) { $actions[] = button( page_link_to('angeltypes', ['action' => 'edit', 'angeltype_id' => $angeltype['id']]), __('edit'), @@ -340,7 +332,7 @@ function angeltypes_list_controller() return [ angeltypes_title(), - AngelTypes_list_view($angeltypes, in_array('admin_angel_types', $privileges)) + AngelTypes_list_view($angeltypes, auth()->can('admin_angel_types')) ]; } diff --git a/includes/controller/event_config_controller.php b/includes/controller/event_config_controller.php index e9b27cba..ff68c3ea 100644 --- a/includes/controller/event_config_controller.php +++ b/includes/controller/event_config_controller.php @@ -16,9 +16,7 @@ function event_config_title() */ function event_config_edit_controller() { - global $privileges; - - if (!in_array('admin_event_config', $privileges)) { + if (!auth()->can('admin_event_config')) { redirect(page_link_to('/')); } diff --git a/includes/controller/rooms_controller.php b/includes/controller/rooms_controller.php index f95184f0..01d4fd37 100644 --- a/includes/controller/rooms_controller.php +++ b/includes/controller/rooms_controller.php @@ -14,9 +14,7 @@ use Engelsystem\ShiftsFilterRenderer; */ function room_controller() { - global $privileges; - - if (!in_array('view_rooms', $privileges)) { + if (!auth()->can('view_rooms')) { redirect(page_link_to()); } diff --git a/includes/controller/shift_entries_controller.php b/includes/controller/shift_entries_controller.php index 16f0c0a1..a6659598 100644 --- a/includes/controller/shift_entries_controller.php +++ b/includes/controller/shift_entries_controller.php @@ -35,7 +35,6 @@ function shift_entries_controller() */ function shift_entry_create_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -50,7 +49,7 @@ function shift_entry_create_controller() $angeltype = AngelType($request->input('angeltype_id')); - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { return shift_entry_create_controller_admin($shift, $angeltype); } diff --git a/includes/controller/shifts_controller.php b/includes/controller/shifts_controller.php index 375ea6b6..caf124ba 100644 --- a/includes/controller/shifts_controller.php +++ b/includes/controller/shifts_controller.php @@ -43,13 +43,11 @@ function shift_edit_link($shift) */ function shift_edit_controller() { - global $privileges; - $msg = ''; $valid = true; $request = request(); - if (!in_array('admin_shifts', $privileges)) { + if (!auth()->can('admin_shifts')) { redirect(page_link_to('user_shifts')); } @@ -203,10 +201,9 @@ function shift_edit_controller() */ function shift_delete_controller() { - global $privileges; $request = request(); - if (!in_array('user_shifts_admin', $privileges)) { + if (!auth()->can('user_shifts_admin')) { redirect(page_link_to('user_shifts')); } @@ -253,11 +250,10 @@ function shift_delete_controller() */ function shift_controller() { - global $privileges; $user = auth()->user(); $request = request(); - if (!in_array('user_shifts', $privileges)) { + if (!auth()->can('user_shifts')) { redirect(page_link_to('/')); } @@ -332,9 +328,7 @@ function shifts_controller() */ function shift_next_controller() { - global $privileges; - - if (!in_array('user_shifts', $privileges)) { + if (!auth()->can('user_shifts')) { redirect(page_link_to('/')); } @@ -363,7 +357,7 @@ function shifts_json_export_controller() if (!$user) { engelsystem_error('Key invalid.'); } - if (!in_array('shifts_json_export', privileges_for_user($user->id))) { + if (!auth()->can('shifts_json_export')) { engelsystem_error('No privilege for shifts_json_export.'); } diff --git a/includes/controller/user_angeltypes_controller.php b/includes/controller/user_angeltypes_controller.php index e03bd293..ad62416a 100644 --- a/includes/controller/user_angeltypes_controller.php +++ b/includes/controller/user_angeltypes_controller.php @@ -80,7 +80,6 @@ function user_angeltypes_delete_all_controller() */ function user_angeltypes_confirm_all_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -95,7 +94,7 @@ function user_angeltypes_confirm_all_controller() redirect(page_link_to('angeltypes')); } - if (!in_array('admin_user_angeltypes', $privileges) && !User_is_AngelType_supporter($user, $angeltype)) { + if (!auth()->can('admin_user_angeltypes') && !User_is_AngelType_supporter($user, $angeltype)) { error(__('You are not allowed to confirm all users for this angeltype.')); redirect(page_link_to('angeltypes')); } @@ -235,11 +234,10 @@ function user_angeltype_delete_controller() */ function user_angeltype_update_controller() { - global $privileges; $supporter = false; $request = request(); - if (!in_array('admin_angel_types', $privileges)) { + if (!auth()->can('admin_angel_types')) { error(__('You are not allowed to set supporter rights.')); redirect(page_link_to('angeltypes')); } @@ -360,7 +358,6 @@ function user_angeltype_add_controller() */ function user_angeltype_join_controller($angeltype) { - global $privileges; $user = auth()->user(); $user_angeltype = UserAngelType_by_User_and_AngelType($user->id, $angeltype); @@ -380,7 +377,7 @@ function user_angeltype_join_controller($angeltype) )); success($success_message); - if (in_array('admin_user_angeltypes', $privileges)) { + if (auth()->can('admin_user_angeltypes')) { UserAngelType_confirm($user_angeltype_id, $user->id); engelsystem_log(sprintf( 'User %s confirmed as %s.', diff --git a/includes/controller/user_driver_licenses_controller.php b/includes/controller/user_driver_licenses_controller.php index 69179b35..9dc15f15 100644 --- a/includes/controller/user_driver_licenses_controller.php +++ b/includes/controller/user_driver_licenses_controller.php @@ -96,13 +96,12 @@ function user_driver_license_load_user() */ function user_driver_license_edit_controller() { - global $privileges; $user = auth()->user(); $request = request(); $user_source = user_driver_license_load_user(); // only privilege admin_user can edit other users driver license information - if ($user->id != $user_source->id && !in_array('admin_user', $privileges)) { + if ($user->id != $user_source->id && !auth()->can('admin_user')) { redirect(user_driver_license_edit_link()); } diff --git a/includes/controller/user_worklog_controller.php b/includes/controller/user_worklog_controller.php index 4eaa5e91..bf0eb1cf 100644 --- a/includes/controller/user_worklog_controller.php +++ b/includes/controller/user_worklog_controller.php @@ -182,10 +182,9 @@ function user_worklog_delete_link($userWorkLog, $parameters = []) */ function user_worklog_controller() { - global $privileges; $user = auth()->user(); - if (!in_array('admin_user_worklog', $privileges)) { + if (!auth()->can('admin_user_worklog')) { redirect(user_link($user->id)); } diff --git a/includes/controller/users_controller.php b/includes/controller/users_controller.php index 51b6e432..2fcd90b9 100644 --- a/includes/controller/users_controller.php +++ b/includes/controller/users_controller.php @@ -46,7 +46,6 @@ function users_controller() */ function user_delete_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -56,7 +55,7 @@ function user_delete_controller() $user_source = $user; } - if (!in_array('admin_user', $privileges)) { + if (!auth()->can('admin_user')) { redirect(page_link_to('')); } @@ -138,7 +137,6 @@ function user_link($userId) */ function user_edit_vouchers_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -148,7 +146,7 @@ function user_edit_vouchers_controller() $user_source = $user; } - if (!in_array('admin_user', $privileges)) { + if (!auth()->can('admin_user')) { redirect(page_link_to('')); } @@ -190,7 +188,6 @@ function user_edit_vouchers_controller() */ function user_controller() { - global $privileges; $user = auth()->user(); $request = request(); @@ -203,7 +200,7 @@ function user_controller() } } - $shifts = Shifts_by_user($user_source->id, in_array('user_shifts_admin', $privileges)); + $shifts = Shifts_by_user($user_source->id, auth()->can('user_shifts_admin')); foreach ($shifts as &$shift) { // TODO: Move queries to model $shift['needed_angeltypes'] = DB::select(' @@ -242,15 +239,15 @@ function user_controller() $user_source->name, User_view( $user_source, - in_array('admin_user', $privileges), + auth()->can('admin_user'), User_is_freeloader($user_source), User_angeltypes($user_source->id), User_groups($user_source->id), $shifts, $user->id == $user_source->id, $tshirt_score, - in_array('admin_active', $privileges), - in_array('admin_user_worklog', $privileges), + auth()->can('admin_active'), + auth()->can('admin_user_worklog'), UserWorkLogsForUser($user_source->id) ) ]; @@ -263,10 +260,9 @@ function user_controller() */ function users_list_controller() { - global $privileges; $request = request(); - if (!in_array('admin_user', $privileges)) { + if (!auth()->can('admin_user')) { redirect(page_link_to('')); } diff --git a/includes/engelsystem.php b/includes/engelsystem.php index caebe09b..ca121cc2 100644 --- a/includes/engelsystem.php +++ b/includes/engelsystem.php @@ -21,9 +21,3 @@ if ($app->get('config')->get('maintenance')) { echo $maintenance; die(); } - - -/** - * Init authorization - */ -load_auth(); diff --git a/includes/model/Shifts_model.php b/includes/model/Shifts_model.php index d6fbe3b6..4be65dda 100644 --- a/includes/model/Shifts_model.php +++ b/includes/model/Shifts_model.php @@ -422,17 +422,16 @@ function Shift_signup_allowed_admin($needed_angeltype, $shift_entries) */ function Shift_signout_allowed($shift, $angeltype, $signout_user_id) { - global $privileges; $user = auth()->user(); // user shifts admin can sign out any user at any time - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { return true; } // angeltype supporter can sign out any user at any time from their supported angeltype if ( - in_array('shiftentry_edit_angeltype_supporter', $privileges) + auth()->can('shiftentry_edit_angeltype_supporter') && User_is_AngelType_supporter($user, $angeltype) ) { return true; @@ -466,14 +465,12 @@ function Shift_signup_allowed( $needed_angeltype, $shift_entries ) { - global $privileges; - - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { return Shift_signup_allowed_admin($needed_angeltype, $shift_entries); } if ( - in_array('shiftentry_edit_angeltype_supporter', $privileges) + auth()->can('shiftentry_edit_angeltype_supporter') && User_is_AngelType_supporter(auth()->user(), $angeltype) ) { return Shift_signup_allowed_angeltype_supporter($needed_angeltype, $shift_entries); diff --git a/includes/pages/admin_free.php b/includes/pages/admin_free.php index d8787f36..7b694659 100644 --- a/includes/pages/admin_free.php +++ b/includes/pages/admin_free.php @@ -17,7 +17,6 @@ function admin_free_title() */ function admin_free() { - global $privileges; $request = request(); $search = ''; @@ -88,7 +87,7 @@ function admin_free() 'dect' => $usr->contact->dect, 'email' => $usr->settings->email_human ? ($usr->contact->email ? $usr->contact->email : $usr->email) : glyph('eye-close'), 'actions' => - in_array('admin_user', $privileges) + auth()->can('admin_user') ? button(page_link_to('admin_user', ['id' => $usr->id]), __('edit'), 'btn-xs') : '' ]; diff --git a/includes/pages/admin_news.php b/includes/pages/admin_news.php index 90aeb439..21245eb9 100644 --- a/includes/pages/admin_news.php +++ b/includes/pages/admin_news.php @@ -8,7 +8,6 @@ use Engelsystem\Models\User\User; */ function admin_news() { - global $privileges; $user = auth()->user(); $request = request(); @@ -32,7 +31,7 @@ function admin_news() case 'edit': $user_source = User::find($news['UID']); if ( - !in_array('admin_news_html', $privileges) + !auth()->can('admin_news_html') && strip_tags($news['Text']) != $news['Text'] ) { $html .= warning( @@ -62,7 +61,7 @@ function admin_news() case 'save': $text = $request->postData('eText'); - if (!in_array('admin_news_html', $privileges)) { + if (!auth()->can('admin_news_html')) { $text = strip_tags($text); } diff --git a/includes/pages/admin_questions.php b/includes/pages/admin_questions.php index 60df1ebf..0b5940cc 100644 --- a/includes/pages/admin_questions.php +++ b/includes/pages/admin_questions.php @@ -18,10 +18,10 @@ function admin_questions_title() */ function admin_new_questions() { - global $privileges, $page; + global $page; if ($page != 'admin_questions') { - if (in_array('admin_questions', $privileges)) { + if (auth()->can('admin_questions')) { $new_messages = count(DB::select('SELECT `QID` FROM `Questions` WHERE `AID` IS NULL')); if ($new_messages > 0) { diff --git a/includes/pages/admin_user.php b/includes/pages/admin_user.php index 3894e724..63993fc9 100644 --- a/includes/pages/admin_user.php +++ b/includes/pages/admin_user.php @@ -16,7 +16,6 @@ function admin_user_title() */ function admin_user() { - global $privileges; $user = auth()->user(); $tshirt_sizes = config('tshirt_sizes'); $request = request(); @@ -83,7 +82,7 @@ function admin_user() $html .= html_options('eAktiv', $options, $user_source->state->active) . '' . "\n"; // Aktiv erzwingen - if (in_array('admin_active', $privileges)) { + if (auth()->can('admin_active')) { $html .= ' ' . __('Force active') . '' . "\n"; $html .= html_options('force_active', $options, $user_source->state->force_active) . '' . "\n"; } @@ -249,7 +248,7 @@ function admin_user() case 'save': $force_active = $user->state->force_active; $user_source = User::find($user_id); - if (in_array('admin_active', $privileges)) { + if (auth()->can('admin_active')) { $force_active = $request->input('force_active'); } if ($user_source->settings->email_human) { diff --git a/includes/pages/guest_login.php b/includes/pages/guest_login.php index e1c6dfa4..2df09d79 100644 --- a/includes/pages/guest_login.php +++ b/includes/pages/guest_login.php @@ -39,7 +39,6 @@ function logout_title() */ function guest_register() { - global $privileges; $authUser = auth()->user(); $tshirt_sizes = config('tshirt_sizes'); $enable_tshirt_size = config('enable_tshirt_size'); @@ -71,7 +70,7 @@ function guest_register() } } - if (!in_array('register', $privileges) || (!$authUser && !config('registration_enabled'))) { + if (!auth()->can('register') || (!$authUser && !config('registration_enabled'))) { error(__('Registration is disabled.')); return page_with_title(register_title(), [ @@ -472,9 +471,7 @@ function guest_login() */ function get_register_hint() { - global $privileges; - - if (in_array('register', $privileges) && config('registration_enabled')) { + if (auth()->can('register') && config('registration_enabled')) { return join('', [ '

' . __('Please sign up, if you want to help us!') . '

', buttons([ diff --git a/includes/pages/user_atom.php b/includes/pages/user_atom.php index 6aafb74f..e624ceb4 100644 --- a/includes/pages/user_atom.php +++ b/includes/pages/user_atom.php @@ -17,7 +17,7 @@ function user_atom() if (empty($user)) { engelsystem_error('Key invalid.'); } - if (!in_array('atom', privileges_for_user($user->id))) { + if (!auth()->can('atom')) { engelsystem_error('No privilege for atom.'); } diff --git a/includes/pages/user_ical.php b/includes/pages/user_ical.php index 8a80d681..ee3a8340 100644 --- a/includes/pages/user_ical.php +++ b/includes/pages/user_ical.php @@ -15,7 +15,7 @@ function user_ical() if (!$user) { engelsystem_error('Key invalid.'); } - if (!in_array('ical', privileges_for_user($user->id))) { + if (!auth()->can('ical')) { engelsystem_error('No privilege for ical.'); } diff --git a/includes/pages/user_myshifts.php b/includes/pages/user_myshifts.php index 1eab016d..11bbc9f4 100644 --- a/includes/pages/user_myshifts.php +++ b/includes/pages/user_myshifts.php @@ -18,13 +18,12 @@ function myshifts_title() */ function user_myshifts() { - global $privileges; $user = auth()->user(); $request = request(); if ( $request->has('id') - && in_array('user_shifts_admin', $privileges) + && auth()->can('user_shifts_admin') && preg_match('/^\d{1,}$/', $request->input('id')) && User::find($request->input('id')) ) { @@ -79,7 +78,7 @@ function user_myshifts() if ($request->hasPostData('submit')) { $valid = true; - if (in_array('user_shifts_admin', $privileges)) { + if (auth()->can('user_shifts_admin')) { $freeloaded = $request->has('freeloaded'); $freeload_comment = strip_request_item_nl('freeload_comment'); if ($freeloaded && $freeload_comment == '') { @@ -120,7 +119,7 @@ function user_myshifts() $shift['Comment'], $shift['freeloaded'], $shift['freeload_comment'], - in_array('user_shifts_admin', $privileges) + auth()->can('user_shifts_admin') ); } else { redirect(page_link_to('user_myshifts')); diff --git a/includes/pages/user_news.php b/includes/pages/user_news.php index e101be6b..34be033f 100644 --- a/includes/pages/user_news.php +++ b/includes/pages/user_news.php @@ -91,7 +91,7 @@ function news_text($news) */ function display_news($news) { - global $privileges, $page; + global $page; $html = ''; $html .= '
'; @@ -101,7 +101,7 @@ function display_news($news) $html .= '
' . news_text($news) . '
'; $html .= '