snipe-it/app/Policies/SnipePermissionsPolicy.php
snipe 7b33f95e83
Fixes/import permissions mask (#6826)
* Check for empty headers in import

* Added import permission

* Fixed model path in docblock

* Added import gate to default blade

* Check if the user is an admin OR idf they have import permissions

* Walked back that admin permission

Since admins are bound by full company support, it makes less sense to let admins have this permission by default, versus having them specifically designated to the import permission
2019-03-18 11:58:08 -07:00

110 lines
2.8 KiB
PHP

<?php
namespace App\Policies;
use App\Models\Company;
use App\Models\User;
use Illuminate\Auth\Access\HandlesAuthorization;
/**
* SnipePermissionsPolicy provides methods for handling the granular permissions used throughout Snipe-IT.
* Each "area" of a permission (which is usually a model, like Assets, Departments, etc), has a setting
* in config/permissions.php like view/create/edit/delete (and sometimes some extra stuff like
* checkout/checkin, etc.)
*
* A Policy should exist for each of these models, however if they only use the standard view/create/edit/delete,
* the policy can be pretty simple, for example with just one method setting the column name:
*
* protected function columnName()
* {
* return 'manufacturers';
* }
*
*/
abstract class SnipePermissionsPolicy
{
/**
* This should return the key of the model in the users json permission string.
*
* @return boolean
*/
//
abstract protected function columnName();
use HandlesAuthorization;
public function before(User $user, $ability, $item)
{
// Lets move all company related checks here.
if ($item instanceof \App\Models\SnipeModel && !Company::isCurrentUserHasAccess($item)) {
return false;
}
// If an admin, they can do all asset related tasks.
if ($user->hasAccess('admin')) {
return true;
}
}
public function index(User $user)
{
return $user->hasAccess($this->columnName().'.view');
}
/**
* Determine whether the user can view the accessory.
*
* @param \App\Models\User $user
* @return mixed
*/
public function view(User $user, $item = null)
{
return $user->hasAccess($this->columnName().'.view');
}
/**
* Determine whether the user can create accessories.
*
* @param \App\Models\User $user
* @return mixed
*/
public function create(User $user)
{
return $user->hasAccess($this->columnName().'.create');
}
/**
* Determine whether the user can update the accessory.
*
* @param \App\Models\User $user
* @return mixed
*/
public function update(User $user, $item = null)
{
return $user->hasAccess($this->columnName().'.edit');
}
/**
* Determine whether the user can delete the accessory.
*
* @param \App\Models\User $user
* @return mixed
*/
public function delete(User $user, $item = null)
{
return $user->hasAccess($this->columnName().'.delete');
}
/**
* Determine whether the user can manage the accessory.
*
* @param \App\Models\User $user
* @return mixed
*/
public function manage(User $user, $item = null)
{
return $user->hasAccess($this->columnName().'.edit');
}
}