From eb3e38f4a674bcbf0e0245183d84d2af76fa0d6f Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Sat, 30 Mar 2024 15:42:34 +0100
Subject: [PATCH] Add user policy checking
---
 app/Api/v1/Controllers/UserManagerController.php | 14 ++++++++++++++
 app/Policies/UserPolicy.php | 8 ++++++++
 2 files changed, 22 insertions(+)
diff --git a/app/Api/v1/Controllers/UserManagerController.php b/app/Api/v1/Controllers/UserManagerController.php
index 7611462c..0231faac 100644
--- a/app/Api/v1/Controllers/UserManagerController.php
+++ b/app/Api/v1/Controllers/UserManagerController.php
@@ -32,6 +32,8 @@ public function index(Request $request)
 */
 public function show(User $user)
 {
+ $this->authorize('view', $user);
+
 return new UserManagerResource($user);
 }
@@ -44,6 +46,8 @@ public function resetPassword(Request $request, User $user)
 {
 Log::info(sprintf('Password reset for User ID #%s requested by User ID #%s', $user->id, $request->user()->id));
+ $this->authorize('update', $user);
+
 $credentials = [
 'token' => $this->broker()->createToken($user),
 'email' => $user->email,
@@ -85,6 +89,8 @@ public function resetPassword(Request $request, User $user)
 */
 public function store(UserManagerStoreRequest $request)
 {
+ $this->authorize('create', User::class);
+
 $validated = $request->validated();
 $user = User::create([
@@ -117,6 +123,8 @@ public function revokePATs(Request $request, User $user, TokenRepository $tokenR
 {
 Log::info(sprintf('Deletion of all personal access tokens for User ID #%s requested by User ID #%s', $user->id, $request->user()->id));
+ $this->authorize('update', $user);
+
 $tokens = $tokenRepository->forUser($user->getAuthIdentifier());
 $tokens->load('client')->filter(function ($token) {
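Review bot: In resetPassword the existing `Log::info(...)` "Password reset for User ID … requested by …" line still runs before the added `$this->authorize('update', $user);`, so a caller that authorize() rejects (it throws) has already produced an audit entry saying the reset was requested, with nothing recording that it was refused. The revokePATs hunk below has the same ordering, as does revokeWebauthnCredentials in the next part of the patch. Moving `$this->authorize('update', $user);` to the first statement of each of these method bodies, ahead of the `Log::info` call, keeps the audit trail in step with what actually happened. All of these method bodies continue past the end of their hunk.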
@@ -139,6 +147,8 @@ public function revokeWebauthnCredentials(Request $request, User $user)
 {
 Log::info(sprintf('Deletion of all security devices for User ID #%s requested by User ID #%s', $user->id, $request->user()->id));
+ $this->authorize('update', $user);
+
 $user->flushCredentials();
 // WebauthnOnly user options need to be reset to prevent impossible login when
@@ -162,6 +172,8 @@ public function revokeWebauthnCredentials(Request $request, User $user)
 */
 public function destroy(Request $request, User $user)
 {
+ $this->authorize('delete', $user);
+
 // This will delete the user and all its 2FAs & Groups thanks to the onCascadeDelete constrains.
 // Deletion will not be done (and returns False) if the user is the only existing admin (see UserObserver clas)
 return $user->delete() === false
@@ -178,6 +190,8 @@ public function destroy(Request $request, User $user)
 */
 public function promote(UserManagerPromoteRequest $request, User $user)
 {
+ $this->authorize('promote', $user);
+
 $user->promoteToAdministrator($request->validated('is_admin'));
 $user->save();
diff --git a/app/Policies/UserPolicy.php b/app/Policies/UserPolicy.php
index d7b9c0c5..eb441ce1 100644
--- a/app/Policies/UserPolicy.php
+++ b/app/Policies/UserPolicy.php
@@ -78,4 +78,12 @@ public function delete(User $user, User $model) : bool
 return $can;
 }
+
+ /** * Determine whether the user can promote the model. */
+ public function promote(User $user) : bool
+ {
+ return false;
+ }
 }
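Review bot: The new UserPolicy::promote returns `false` unconditionally and declares only the acting `User $user`, so the `$this->authorize('promote', $user)` added to UserManagerController::promote in the hunk above will deny every caller, administrators included, unless a `before` hook elsewhere in UserPolicy grants them first (not visible here). The signature also differs from the sibling `delete(User $user, User $model) : bool` directly above it: the target user the controller passes is silently discarded, so the policy cannot express anything about who is being promoted. Aligning it with the siblings, `public function promote(User $user, User $model) : bool`, and having the body return an explicit administrator check rather than a bare `return false;` would make the rule visible, with the docblock stating it, e.g. `* Only an administrator may change another user's admin status.`. If the hard `false` is intentional as a temporary lock-out of the endpoint, a comment saying so would stop it being read as a bug.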