Add user policy checking

Bubka 2024-03-30 15:42:34 +01:00
parent fdccbbcc55
commit eb3e38f4a6
2 changed files with 22 additions and 0 deletions


@ -32,6 +32,8 @@ public function index(Request $request)
*/
public function show(User $user)
{
$this->authorize('view', $user);
return new UserManagerResource($user);
}
@ -44,6 +46,8 @@ public function resetPassword(Request $request, User $user)
{
Log::info(sprintf('Password reset for User ID #%s requested by User ID #%s', $user->id, $request->user()->id));
$this->authorize('update', $user);
$credentials = [
'token' => $this->broker()->createToken($user),
'email' => $user->email,
@ -85,6 +89,8 @@ public function resetPassword(Request $request, User $user)
*/
public function store(UserManagerStoreRequest $request)
{
$this->authorize('create', User::class);
$validated = $request->validated();
$user = User::create([
@ -117,6 +123,8 @@ public function revokePATs(Request $request, User $user, TokenRepository $tokenR
{
Log::info(sprintf('Deletion of all personal access tokens for User ID #%s requested by User ID #%s', $user->id, $request->user()->id));
$this->authorize('update', $user);
$tokens = $tokenRepository->forUser($user->getAuthIdentifier());
$tokens->load('client')->filter(function ($token) {
@ -139,6 +147,8 @@ public function revokeWebauthnCredentials(Request $request, User $user)
{
Log::info(sprintf('Deletion of all security devices for User ID #%s requested by User ID #%s', $user->id, $request->user()->id));
$this->authorize('update', $user);
$user->flushCredentials();
// WebauthnOnly user options need to be reset to prevent impossible login when
@ -162,6 +172,8 @@ public function revokeWebauthnCredentials(Request $request, User $user)
*/
public function destroy(Request $request, User $user)
{
$this->authorize('delete', $user);
// This will delete the user and all its 2FAs & Groups thanks to the onCascadeDelete constrains.
// Deletion will not be done (and returns False) if the user is the only existing admin (see UserObserver clas)
return $user->delete() === false
@ -178,6 +190,8 @@ public function destroy(Request $request, User $user)
*/
public function promote(UserManagerPromoteRequest $request, User $user)
{
$this->authorize('promote', $user);
$user->promoteToAdministrator($request->validated('is_admin'));
$user->save();
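Review bot: The new `$this->authorize('update', $user)` call in resetPassword, revokePATs and revokeWebauthnCredentials comes after the `Log::info(... requested by ...)` line, whereas in show, store, destroy and promote the authorize call is the first statement of the method. A caller who fails the policy check in the first three methods therefore leaves a "requested" audit entry with no matching outcome, because the AuthorizationException aborts the method right after the log line. If logging the attempt before the policy check is deliberate, a one-line comment above the Log call would make that explicit, e.g. `// Logged before the policy check so that denied attempts are recorded too`; otherwise move the authorize call to the top of each of these methods for consistency with the others. The index method named in the first hunk header lies outside the hunk, so whether it received an equivalent check cannot be seen here.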


@ -78,4 +78,12 @@ public function delete(User $user, User $model) : bool
return $can;
}
/**
* Determine whether the user can promote the model.
*/
public function promote(User $user) : bool
{
return false;
}
}
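Review bot: The new `promote` policy method takes only `User $user` and returns `false` unconditionally, while the sibling `delete(User $user, User $model)` shown as context also receives the target user; the controller calls `$this->authorize('promote', $user)` with a target, so that argument is silently dropped here and, unless some other mechanism in this policy grants administrators (none is visible in the hunk), every promote request is denied. If deny-by-default is the intent, the docblock should say so instead of "Determine whether the user can promote the model", e.g. `* Promotion is denied for every caller; any exception must be granted outside this method.`; if it is a placeholder, the signature should be `public function promote(User $user, User $model) : bool` with the real rule in the body. In either case the target parameter should appear in the signature so the method matches the shape of the ability call and of the other policy methods.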