snipe-it/app/Policies/SnipePermissionsPolicy.php
Daniel Meltzer 3cea12565b Add missing policies (#4330)
* Add Authorizable trait and interface to our user model so we have access to User::can/User::cant.  We should take a look at where else our user model has diverged from Larvel since it was created...

* Policy cleanup/fixes.

This commit adds policies for the missing backend/"settings" areas.  The
permissions were implemented a while back but the policies did not, so
authorizing actions was failing.

In addition, this condenses a lot of code in the policies into base
classes.  Most of the files were identical except for table names, so we
move all of the checks into a base class and override the table name in
each policy.

* Use a better name and permission for the check in the default layout.
2017-10-27 18:01:11 -07:00

91 lines
2.2 KiB
PHP

<?php
namespace App\Policies;
use App\Models\Company;
use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;
abstract class SnipePermissionsPolicy
{
// This should return the key of the model in the users json permission string.
abstract protected function columnName();
use HandlesAuthorization;
public function before(User $user, $ability, $item)
{
// Lets move all company related checks here.
if ($item instanceof \App\Models\SnipeModel && !Company::isCurrentUserHasAccess($item)) {
return false;
}
// If an admin, they can do all asset related tasks.
if ($user->hasAccess('admin')) {
return true;
}
}
public function index(User $user)
{
// dd('here');
return $user->hasAccess($this->columnName().'.view');
}
/**
* Determine whether the user can view the accessory.
*
* @param \App\User $user
* @return mixed
*/
public function view(User $user, $item = null)
{
//
return $user->hasAccess($this->columnName().'.view');
}
/**
* Determine whether the user can create accessories.
*
* @param \App\User $user
* @return mixed
*/
public function create(User $user)
{
//
return $user->hasAccess($this->columnName().'.create');
}
/**
* Determine whether the user can update the accessory.
*
* @param \App\User $user
* @return mixed
*/
public function update(User $user, $item = null)
{
//
return $user->hasAccess($this->columnName().'.edit');
}
/**
* Determine whether the user can delete the accessory.
*
* @param \App\User $user
* @return mixed
*/
public function delete(User $user, $item = null)
{
//
return $user->hasAccess($this->columnName().'.delete');
}
/**
* Determine whether the user can manage the accessory.
*
* @param \App\User $user
* @return mixed
*/
public function manage(User $user, $item = null)
{
return $user->hasAccess($this->columnName().'.edit');
}
}