extern/2FAuth
1
0
Fork 0
mirror of https://github.com/Bubka/2FAuth.git synced 2025-06-19 19:28:08 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add user policy checking

Browse Source
This commit is contained in:
Bubka 2024-03-30 15:42:34 +01:00
parent fdccbbcc55
commit eb3e38f4a6
2 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
app/Api/v1/Controllers/UserManagerController.php
View File

@ -32,6 +32,8 @@ class UserManagerController extends Controller
*/ */
public function show(User $user) public function show(User $user)
{ {
$this->authorize('view', $user);
return new UserManagerResource($user); return new UserManagerResource($user);
} }
@ -44,6 +46,8 @@ class UserManagerController extends Controller
{ {
Log::info(sprintf('Password reset for User ID #%s requested by User ID #%s', $user->id, $request->user()->id)); Log::info(sprintf('Password reset for User ID #%s requested by User ID #%s', $user->id, $request->user()->id));
$this->authorize('update', $user);
$credentials = [ $credentials = [
'token' => $this->broker()->createToken($user), 'token' => $this->broker()->createToken($user),
'email' => $user->email, 'email' => $user->email,
@ -85,6 +89,8 @@ class UserManagerController extends Controller
*/ */
public function store(UserManagerStoreRequest $request) public function store(UserManagerStoreRequest $request)
{ {
$this->authorize('create', User::class);
$validated = $request->validated(); $validated = $request->validated();
$user = User::create([ $user = User::create([
@ -117,6 +123,8 @@ class UserManagerController extends Controller
{ {
Log::info(sprintf('Deletion of all personal access tokens for User ID #%s requested by User ID #%s', $user->id, $request->user()->id)); Log::info(sprintf('Deletion of all personal access tokens for User ID #%s requested by User ID #%s', $user->id, $request->user()->id));
$this->authorize('update', $user);
$tokens = $tokenRepository->forUser($user->getAuthIdentifier()); $tokens = $tokenRepository->forUser($user->getAuthIdentifier());
$tokens->load('client')->filter(function ($token) { $tokens->load('client')->filter(function ($token) {
@ -139,6 +147,8 @@ class UserManagerController extends Controller
{ {
Log::info(sprintf('Deletion of all security devices for User ID #%s requested by User ID #%s', $user->id, $request->user()->id)); Log::info(sprintf('Deletion of all security devices for User ID #%s requested by User ID #%s', $user->id, $request->user()->id));
$this->authorize('update', $user);
$user->flushCredentials(); $user->flushCredentials();
// WebauthnOnly user options need to be reset to prevent impossible login when // WebauthnOnly user options need to be reset to prevent impossible login when
@ -162,6 +172,8 @@ class UserManagerController extends Controller
*/ */
public function destroy(Request $request, User $user) public function destroy(Request $request, User $user)
{ {
$this->authorize('delete', $user);
// This will delete the user and all its 2FAs & Groups thanks to the onCascadeDelete constrains. // This will delete the user and all its 2FAs & Groups thanks to the onCascadeDelete constrains.
// Deletion will not be done (and returns False) if the user is the only existing admin (see UserObserver clas) // Deletion will not be done (and returns False) if the user is the only existing admin (see UserObserver clas)
return $user->delete() === false return $user->delete() === false
@ -178,6 +190,8 @@ class UserManagerController extends Controller
*/ */
public function promote(UserManagerPromoteRequest $request, User $user) public function promote(UserManagerPromoteRequest $request, User $user)
{ {
$this->authorize('promote', $user);
$user->promoteToAdministrator($request->validated('is_admin')); $user->promoteToAdministrator($request->validated('is_admin'));
$user->save(); $user->save();

8
app/Policies/UserPolicy.php
View File

@ -78,4 +78,12 @@ class UserPolicy
return $can; return $can;
} }
/**
* Determine whether the user can promote the model.
*/
public function promote(User $user) : bool
{
return false;
}
} }