From 8b397750e8d0200ed9c82c4da88c7a18b7c66ec4 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Fri, 26 Jan 2024 18:14:02 +0100
Subject: [PATCH] Control & Promote administrator status via a method rather than a prop

---
 app/Extensions/RemoteUserProvider.php | 2 +-
 app/Http/Controllers/Auth/LoginController.php | 13 +++++++----
 .../Controllers/Auth/RegisterController.php | 10 ++++++---
 .../Controllers/Auth/SocialiteController.php | 2 +-
 app/Http/Controllers/Auth/UserController.php | 2 +-
 app/Http/Controllers/SystemController.php | 2 +-
 app/Http/Middleware/AdminOnly.php | 2 +-
 app/Models/User.php | 22 +++++++++++++++++++
 8 files changed, 43 insertions(+), 12 deletions(-)

diff --git a/app/Extensions/RemoteUserProvider.php b/app/Extensions/RemoteUserProvider.php
index 90cdcb5e..b43e7f5a 100644
--- a/app/Extensions/RemoteUserProvider.php
+++ b/app/Extensions/RemoteUserProvider.php
@@ -63,7 +63,7 @@ public function retrieveById($identifier)
 Log::info(sprintf('Remote user %s created with email address %s', var_export($user->name, true), var_export($user->email, true)));
 
 if (User::count() === 1) {
- $user->is_admin = true;
+ $user->promoteToAdministrator();
 $user->save();
 }
 } else {
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index 3e39148a..a1b6bac3 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
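Review bot: The first-user promotion at `$user->promoteToAdministrator();` is not logged in this branch, while the equivalent branch in RegisterController::create records `Log::notice(sprintf('User ID #%s set as administrator', $user->id))`; granting administrator rights to an auto-provisioned remote account is exactly the event an operator wants to find in the log afterwards. Suggest adding `Log::notice(sprintf('Remote user ID #%s set as administrator', $user->id));` right after `$user->save();`. retrieveById() begins before and continues past the hunk.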
@@ -107,16 +107,21 @@ protected function sendLoginResponse(Request $request)
 {
 $this->clearLoginAttempts($request);
 
- $name = $this->guard()->user()?->name;
+ /**
+ * @var \App\Models\User|null
+ */
+ $user = $this->guard()->user();
+ $name = $user?->name;
 
 $this->authenticated($request, $this->guard()->user());
 
 return response()->json([
 'message' => 'authenticated',
+ 'id' => $user->id,
 'name' => $name,
- 'email' => $this->guard()->user()->email,
- 'preferences' => $this->guard()->user()->preferences,
- 'is_admin' => $this->guard()->user()->is_admin,
+ 'email' => $user->email,
+ 'preferences' => $user->preferences,
+ 'is_admin' => $user->isAdministrator(),
 ], Response::HTTP_OK);
 }
 
diff --git a/app/Http/Controllers/Auth/RegisterController.php b/app/Http/Controllers/Auth/RegisterController.php
index b97774ef..9ce7d1fe 100644
--- a/app/Http/Controllers/Auth/RegisterController.php
+++ b/app/Http/Controllers/Auth/RegisterController.php
@@ -43,13 +43,17 @@ public function register(UserStoreRequest $request)
 event(new Registered($user = $this->create($validated)));
 
 $this->guard()->login($user);
+ /**
+ * @var \App\Models\User|null
+ */
+ $user = $this->guard()->user();
 
 return response()->json([
 'message' => 'account created',
 'name' => $user->name,
 'email' => $user->email,
- 'preferences' => $this->guard()->user()->preferences,
- 'is_admin' => $this->guard()->user()->is_admin,
+ 'preferences' => $user->preferences,
+ 'is_admin' => $user->isAdministrator(),
 ], 201);
 }
 
@@ -69,7 +73,7 @@ protected function create(array $data)
 Log::info(sprintf('User ID #%s created', $user->id));
 
 if (User::count() == 1) {
- $user->is_admin = true;
+ $user->promoteToAdministrator();
 $user->save();
 Log::notice(sprintf('User ID #%s set as administrator', $user->id));
 }
diff --git a/app/Http/Controllers/Auth/SocialiteController.php b/app/Http/Controllers/Auth/SocialiteController.php
index 21702a8f..27471a86 100644
--- a/app/Http/Controllers/Auth/SocialiteController.php
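Review bot: The new `$user` is annotated `@var \App\Models\User|null` and read with `$user?->name`, yet the lines below dereference it unconditionally (`$user->id`, `$user->email`, `$user->preferences`, `$user->isAdministrator()`), so the nullsafe operator only moves a null failure one line down. Either the guard user is guaranteed to be set once sendLoginResponse() runs — then the annotation should be `@var \App\Models\User` and the line `$name = $user->name;` — or the null case has to be handled before the response is built. The unchanged call `$this->authenticated($request, $this->guard()->user())` can also take the local `$user` now that it exists. `'id' => $user->id` is a new field in the login payload; presumably intended, but worth confirming the client expects it.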
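Review bot: Re-fetching `$user = $this->guard()->user();` after `$this->guard()->login($user)` shadows the model returned by `$this->create($validated)` with a nullable value that the response then dereferences without a check, while the original `$user` is presumably already the non-null model that was just logged in. A cleaner fix for the static-analysis gap is to give create() a return type (`protected function create(array $data): User`, its signature is only hunk-header context here) and drop the four added lines together with the misleading `@var \App\Models\User|null` docblock. register() begins before the hunk.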
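Review bot: `User::count() == 1` is a loose comparison where the RemoteUserProvider hunk uses `User::count() === 1` for the same first-user test; `count()` returns an int, so `if (User::count() === 1) {` is the consistent strict form. The UserController hunk carries the same loose form in `User::admins()->count() == 1`. create() begins before the hunk.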
+++ b/app/Http/Controllers/Auth/SocialiteController.php
@@ -56,7 +56,7 @@ public function callback(Request $request, string $driver)
 if (User::where('email', $socialiteEmail)->exists()) {
 return redirect('/error?err=sso_email_already_used');
 } elseif (User::count() === 0) {
- $user->is_admin = true;
+ $user->promoteToAdministrator();
 } elseif (Settings::get('disableRegistration')) {
 return redirect('/error?err=sso_no_register');
 }
diff --git a/app/Http/Controllers/Auth/UserController.php b/app/Http/Controllers/Auth/UserController.php
index cf3f82a9..a1d9631c 100644
--- a/app/Http/Controllers/Auth/UserController.php
+++ b/app/Http/Controllers/Auth/UserController.php
@@ -59,7 +59,7 @@ public function delete(UserDeleteRequest $request)
 
 Log::info(sprintf('Deletion of user ID #%s requested', $user->id));
 
- if ($user->is_admin && User::admins()->count() == 1) {
+ if ($user->isAdministrator() && User::admins()->count() == 1) {
 return response()->json(['message' => __('errors.cannot_delete_the_only_admin')], 400);
 }
 
diff --git a/app/Http/Controllers/SystemController.php b/app/Http/Controllers/SystemController.php
index 9b921843..934f4367 100644
--- a/app/Http/Controllers/SystemController.php
+++ b/app/Http/Controllers/SystemController.php
@@ -45,7 +45,7 @@ public function infos(Request $request)
 $infos['common']['Trusted proxies'] = config('2fauth.config.trustedProxies') ?: 'none';
 
 // Admin settings
- if ($request->user()->is_admin == true) {
+ if ($request->user()->isAdministrator()) {
 $infos['admin_settings']['useEncryption'] = Settings::get('useEncryption');
 $infos['admin_settings']['lastRadarScan'] = Carbon::parse(Settings::get('lastRadarScan'))->format('Y-m-d H:i:s');
 $infos['admin_settings']['checkForUpdate'] = Settings::get('checkForUpdate');
diff --git a/app/Http/Middleware/AdminOnly.php b/app/Http/Middleware/AdminOnly.php
index a0b5ea43..22d0b554 100644
--- a/app/Http/Middleware/AdminOnly.php
+++ b/app/Http/Middleware/AdminOnly.php
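Review bot: `$user->promoteToAdministrator()` only sets the `is_admin` attribute in memory (the new method in the User model hunk does not call `save()`), and unlike the RemoteUserProvider and RegisterController branches no `save()` follows it here. If callback() persists `$user` further down, outside the hunk, this is fine; otherwise the first SSO user never actually becomes an administrator. A short comment at the call site, e.g. `// persisted with the rest of the user below`, would make the dependency on the later save visible to the next reader. callback() begins before and continues past the hunk.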
@@ -16,7 +16,7 @@ class AdminOnly
 */
 public function handle($request, Closure $next)
 {
- if (! Auth::user()->is_admin) {
+ if (! Auth::user()->isAdministrator()) {
 throw new AuthorizationException;
 }
 
diff --git a/app/Models/User.php b/app/Models/User.php
index e32ac488..7079c3d9 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -8,6 +8,7 @@
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Str;
 use Laragear\WebAuthn\WebAuthnAuthentication;
 use Laravel\Passport\HasApiTokens;
 
@@ -86,6 +87,27 @@ public function scopeAdmins($query)
 return $query->where('is_admin', true);
 }
 
+ /**
+ * Determine if the user is an administrator.
+ *
+ * @return boolean
+ */
+ public function isAdministrator()
+ {
+ return $this->is_admin;
+ }
+
+ /**
+ * Grant administrator permissions to the user.
+ *
+ * @param bool $promote
+ * @return void
+ */
+ public function promoteToAdministrator(bool $promote = true)
+ {
+ $this->is_admin = $promote;
+ }
+
 /**
 * Send the password reset notification.
 *
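Review bot: `Auth::user()->isAdministrator()` still assumes an authenticated user; if this middleware is ever attached to a route without an `auth` guard in front, `Auth::user()` is null and the call fails with an Error rather than the intended AuthorizationException. A nullsafe call keeps the fail-closed behaviour explicit: `if (! Auth::user()?->isAdministrator()) {` — with no user the expression becomes `! null`, which is true, and the exception is thrown. handle() continues past the hunk.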
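Review bot: The added `use Illuminate\Support\Str;` is not referenced by either method introduced in the second User.php hunk, so unless it is used elsewhere in the file (not visible here) it is an unused import that static analysis will flag. If a later change needs it, it is better introduced there.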
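Review bot: `isAdministrator()` is documented as `@return boolean` but returns the raw `is_admin` attribute, which is only a real bool if the model casts it (the `$casts` array is not in the hunk); the middleware and controllers in this commit now branch on that value, so pin it with `public function isAdministrator(): bool` and `return (bool) $this->is_admin;`. `promoteToAdministrator(bool $promote = true)` also revokes the role when passed `false`, which the name does not suggest — a call like `promoteToAdministrator(false)` reads as a grant — so either add a separate `demoteFromAdministrator()` or document the parameter as `@param bool $promote False revokes administrator rights`. Both methods change the in-memory model only; a docblock line such as `Does not persist the change, callers must save() the model.` would make that contract explicit for the call sites touched in this commit. scopeAdmins() begins before the hunk.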