From f6d7ea19e4df08cb80c3875060d5b51333e9f025 Mon Sep 17 00:00:00 2001
From: snipe
Date: Wed, 25 Sep 2024 19:44:39 +0100
Subject: [PATCH 1/5] Set view as base permission, drill down for more intrusive actions
Signed-off-by: snipe
---
app/Http/Controllers/Users/BulkUsersController.php | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/app/Http/Controllers/Users/BulkUsersController.php b/app/Http/Controllers/Users/BulkUsersController.php
index 36b20973a7..602f58f5f6 100644
--- a/app/Http/Controllers/Users/BulkUsersController.php
+++ b/app/Http/Controllers/Users/BulkUsersController.php
@@ -36,7 +36,7 @@ class BulkUsersController extends Controller */ public function edit(Request $request) { - $this->authorize('update', User::class); + $this->authorize('view', User::class); // Make sure there were users selected if (($request->filled('ids')) && (count($request->input('ids')) > 0)) {
@@ -48,16 +48,18 @@ class BulkUsersController extends Controller // bulk edit, display the bulk edit form if ($request->input('bulk_actions') == 'edit') { + $this->authorize('update', User::class); return view('users/bulk-edit', compact('users')) ->with('groups', Group::pluck('name', 'id')); // bulk delete, display the bulk delete confirmation form } elseif ($request->input('bulk_actions') == 'delete') { + $this->authorize('delete', User::class); return view('users/confirm-bulk-delete')->with('users', $users)->with('statuslabel_list', Helper::statusLabelList()); // merge, confirm they have at least 2 users selected and display the merge screen } elseif ($request->input('bulk_actions') == 'merge') { - + $this->authorize('update', User::class); if (($request->filled('ids')) && (count($request->input('ids')) > 1)) { return view('users/confirm-merge')->with('users', $users); // Not enough users selected, send them back
From 2218c94aa30fe83c460239cfdb4044c49e79baf6 Mon Sep 17 00:00:00 2001
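Review bot: Lowering the gate at the top of edit() to `view` (first hunk of this patch) makes the per-branch `authorize()` calls in the second hunk the only enforcement, and the tail of that `if`/`elseif` chain lies outside the hunk: a `bulk_actions` value that matches none of `edit`, `delete` or `merge` now reaches whatever follows with view permission only, so if that fallback is not already a denial it should become one, e.g. `} else { abort(403); }`. The same abilities also have to be enforced again in the methods that process the forms these three views submit to (not in this diff), because the `@can` gating added to the partial in the later patches only hides menu entries. The action strings are compared with loose `==`; `===` is the safer form for request input and matches the rest of the controller's intent. edit()'s body continues past the end of the hunk.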
From: snipe Date: Wed, 25 Sep 2024 20:29:23 +0100 Subject: [PATCH 2/5] Gates the dropdown based on user permissions Signed-off-by: snipe --- .../partials/users-bulk-actions.blade.php | 45 +++++++++++-------- 1 file changed, 27 insertions(+), 18 deletions(-) diff --git a/resources/views/partials/users-bulk-actions.blade.php b/resources/views/partials/users-bulk-actions.blade.php index a1dbd25476..20d607a46f 100644 --- a/resources/views/partials/users-bulk-actions.blade.php +++ b/resources/views/partials/users-bulk-actions.blade.php @@ -1,24 +1,33 @@ -
+@can('view', \App\Models\User::class) +
{{ Form::open([ 'method' => 'POST', 'route' => ['users/bulkedit'], 'class' => 'form-inline', 'id' => 'usersBulkForm']) }} -@if (request('status')!='deleted') - @can('delete', \App\Models\User::class) -
- - - -
- @endcan -@endif - {{ Form::close() }} -
+ @if (request('status')!='deleted') + @can('delete', \App\Models\User::class) +
+ + + +
+ @endcan + @endif + {{ Form::close() }} +
+@endcan From edca3f432ce1384e0b087d8209787e60beac1219 Mon Sep 17 00:00:00 2001 From: snipe Date: Wed, 25 Sep 2024 20:30:58 +0100 Subject: [PATCH 3/5] Removed gate for delete Signed-off-by: snipe --- .../partials/users-bulk-actions.blade.php | 32 +++++++++---------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/resources/views/partials/users-bulk-actions.blade.php b/resources/views/partials/users-bulk-actions.blade.php index 20d607a46f..ef800d18a0 100644 --- a/resources/views/partials/users-bulk-actions.blade.php +++ b/resources/views/partials/users-bulk-actions.blade.php @@ -7,26 +7,24 @@ 'id' => 'usersBulkForm']) }} @if (request('status')!='deleted') - @can('delete', \App\Models\User::class) -
- - - @can('update', \App\Models\User::class) - - - @endcan + @can('update', \App\Models\User::class) + + + @endcan - @can('delete', \App\Models\User::class) - - @endcan + @can('delete', \App\Models\User::class) + + @endcan - - - - -
- @endcan + + + + + @endif {{ Form::close() }}
From c02647a0fa025d9807b242a4707a2525e578000c Mon Sep 17 00:00:00 2001
From: snipe
Date: Wed, 25 Sep 2024 20:32:03 +0100
Subject: [PATCH 4/5] Moved merge into delete gate, since they do technically delete
Signed-off-by: snipe
---
resources/views/partials/users-bulk-actions.blade.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/views/partials/users-bulk-actions.blade.php b/resources/views/partials/users-bulk-actions.blade.php
index ef800d18a0..5f9b09ccca 100644
--- a/resources/views/partials/users-bulk-actions.blade.php
+++ b/resources/views/partials/users-bulk-actions.blade.php
@@ -13,11 +13,11 @@ @can('update', \App\Models\User::class) - @endcan @can('delete', \App\Models\User::class) + @endcan
From 3f0245f88f03b7e7ec3e7903a6b88027c5e5c01d Mon Sep 17 00:00:00 2001
From: snipe
Date: Wed, 25 Sep 2024 20:33:00 +0100
Subject: [PATCH 5/5] Make controller gate match dropdown gate
Signed-off-by: snipe
---
app/Http/Controllers/Users/BulkUsersController.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/Http/Controllers/Users/BulkUsersController.php b/app/Http/Controllers/Users/BulkUsersController.php
index 602f58f5f6..fbf08c9820 100644
--- a/app/Http/Controllers/Users/BulkUsersController.php
+++ b/app/Http/Controllers/Users/BulkUsersController.php
@@ -59,7 +59,7 @@ class BulkUsersController extends Controller // merge, confirm they have at least 2 users selected and display the merge screen } elseif ($request->input('bulk_actions') == 'merge') { - $this->authorize('update', User::class); + $this->authorize('delete', User::class); if (($request->filled('ids')) && (count($request->input('ids')) > 1)) { return view('users/confirm-merge')->with('users', $users); // Not enough users selected, send them back
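Review bot: In the PATCH 3/5 hunk, the option lines that follow the `@can('delete', ...)` `@endcan` (their markup did not survive here, only that four lines sit after it) are no longer inside any ability gate now that the outer `@can('delete')` wrapping the whole block is removed, so every user who can view users is offered them. That is only safe if each of those actions has its own `authorize()` branch in BulkUsersController::edit(); an action that is not in that chain would fall through with view permission. Blade `@can` directives hide menu entries but enforce nothing, so the controller remains the sole boundary and the two lists of abilities now have to be kept in step by hand. A short comment above the select would make that explicit, e.g. `{{-- Options are hidden per ability for UX only; BulkUsersController::edit() re-checks each action --}}`.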