Check that the user has permission to create their own API keys

Signed-off-by: snipe <snipe@snipe.net>

app/Http/Controllers/Api/ProfileController.php

@@ -10,6 +10,7 @@ use Illuminate\Support\Facades\Auth;
 use Illuminate\Http\Request;
 use Laravel\Passport\TokenRepository;
 use Illuminate\Contracts\Validation\Factory as ValidationFactory;
+use Gate;
 
 class ProfileController extends Controller
 {
@@ -79,6 +80,10 @@ class ProfileController extends Controller
      */
     public function createApiToken(Request $request) {
 
+        if (!Gate::allows('self.api')) {
+            abort(403);
+        }
+
         $accessTokenName = $request->input('name', 'Auth Token');
 
         if ($accessToken = Auth::user()->createToken($accessTokenName)->accessToken) {
@@ -100,6 +105,10 @@ class ProfileController extends Controller
      */
     public function deleteApiToken($tokenId) {
 
+        if (!Gate::allows('self.api')) {
+            abort(403);
+        }
+
         $token = $this->tokenRepository->findForUser(
             $tokenId, Auth::user()->getAuthIdentifier()
         );
@@ -125,6 +134,10 @@ class ProfileController extends Controller
      */
     public function showApiTokens(Request $request) {
 
+        if (!Gate::allows('self.api')) {
+            abort(403);
+        }
+        
         $tokens = $this->tokenRepository->forUser(Auth::user()->getAuthIdentifier());
 
         return $tokens->load('client')->filter(function ($token) {