diff --git a/app/Modules/Main/Http/Controllers/Company/CreateAgentController.php b/app/Modules/Main/Http/Controllers/Company/CreateAgentController.php index 9e24035..3e0db4a 100644 --- a/app/Modules/Main/Http/Controllers/Company/CreateAgentController.php +++ b/app/Modules/Main/Http/Controllers/Company/CreateAgentController.php @@ -16,21 +16,11 @@ class CreateAgentController extends Controller { public function __invoke(Request $request, Company $company) { - if (!$company) + if ($request->user()->cannot('update', $company)) { - $admin = CompanyAdmin::where('user_id', auth()->id()); - if (!$admin->count()) - { - abort(404); - return; - } - $admin = $admin->first(); - $company = Company::find($admin->company_id); - } - if (!$company) - { - return back()->with('error', 'Не удалось установить принадлежность создаваемого агента'); + abort(403, 'Unauthorized action'); } + $user = User::where('email', $request->email)->orWhere('phone', $request->phone)->first(); if ($user) { diff --git a/app/Modules/Main/Http/Controllers/Company/CreateCompanyController.php b/app/Modules/Main/Http/Controllers/Company/CreateCompanyController.php index 9dd682c..733d686 100644 --- a/app/Modules/Main/Http/Controllers/Company/CreateCompanyController.php +++ b/app/Modules/Main/Http/Controllers/Company/CreateCompanyController.php @@ -16,6 +16,11 @@ class CreateCompanyController extends Controller */ public function __invoke(Request $request) { + if ($request->user()->cannot('create', Company::class)) + { + abort(403, 'Unauthorized action'); + } + $company = false; $request->enum('type', CompanyType::class); $validated = $request->validate([ diff --git a/app/Modules/Main/Http/Controllers/Company/CreateCompanyFormController.php b/app/Modules/Main/Http/Controllers/Company/CreateCompanyFormController.php index e1c0c68..bc09da5 100644 --- a/app/Modules/Main/Http/Controllers/Company/CreateCompanyFormController.php +++ b/app/Modules/Main/Http/Controllers/Company/CreateCompanyFormController.php 
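Review bot: The lookup that runs right after the new guard, `User::where('email', $request->email)->orWhere('phone', $request->phone)->first()`, still takes unvalidated input; Laravel's query builder compiles `where('phone', null)` to `WHERE phone IS NULL`, so a request that omits phone (or email) matches some unrelated user whose column is NULL, and whatever the method does with `$user` further down is applied to the wrong account — whether those columns are nullable is not visible here, so treat this as a schema-dependent risk. Validate before querying, e.g. `$validated = $request->validate(['email' => 'required|email', 'phone' => 'required|string']);` and build the query from `$validated['email']` and `$validated['phone']`. The body of `__invoke` continues past the end of the hunk.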
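Review bot: `$request->user()->cannot('create', Company::class)` dereferences the user unconditionally, so if this route is ever served without the `auth` middleware (the route file is not in the diff) a guest gets a 500 from a method call on null instead of a 403. The controller-trait form `$this->authorize('create', Company::class);` handles that case — the Gate denies a null user before the policy is consulted — and throws the `AuthorizationException` Laravel already renders as 403, replacing the three-line if/abort. The same inline block is repeated in the other four controllers touched by this commit; a `can:create,Modules\Main\Models\Company\Company` route middleware would state it once and cover routes added later.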
@@ -15,6 +15,10 @@ class CreateCompanyFormController extends Controller */ public function __invoke(Request $request) { + if ($request->user()->cannot('create', Company::class)) + { + abort(403, 'Unauthorized action'); + } $type = false; $city_id = false; if ($request->has('type')) diff --git a/app/Modules/Main/Http/Controllers/Company/DeleteAgentController.php b/app/Modules/Main/Http/Controllers/Company/DeleteAgentController.php index d5c5316..aa039d1 100644 --- a/app/Modules/Main/Http/Controllers/Company/DeleteAgentController.php +++ b/app/Modules/Main/Http/Controllers/Company/DeleteAgentController.php @@ -10,8 +10,13 @@ class DeleteAgentController extends Controller { - public function __invoke(Agent $agent) + public function __invoke(Request $request, Agent $agent) { + if ($request->user()->cannot('update', $agent->company)) + { + abort(403, 'Unauthorized action'); + } + $admin = CompanyAdmin::where('user_id', auth()->id()) ->where( 'company_id', diff --git a/app/Modules/Main/Http/Controllers/Company/DetailsController.php b/app/Modules/Main/Http/Controllers/Company/DetailsController.php index a1d7a3b..a5dd75f 100644 --- a/app/Modules/Main/Http/Controllers/Company/DetailsController.php +++ b/app/Modules/Main/Http/Controllers/Company/DetailsController.php @@ -54,6 +54,11 @@ public function index($companyId = null) } public function store(Request $request, Company $company) { + if ($request->user()->cannot('update', $company)) + { + abort(403, 'Unauthorized action'); + } + $userId = auth()->user()->id; $admin = CompanyAdmin::where('user_id', $userId)->get(); if ($admin->count() == 1) diff --git a/app/Modules/Main/Http/Policies/CompanyPolicy.php b/app/Modules/Main/Http/Policies/CompanyPolicy.php new file mode 100644 index 0000000..31618d1 --- /dev/null +++ b/app/Modules/Main/Http/Policies/CompanyPolicy.php 
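Review bot: The message on the new line, `abort(403, 'Unauthorized action')`, uses the reason phrase of status 401 (Unauthorized) for a 403 (Forbidden) response, which misleads log readers and API clients that surface the phrase; `abort(403)` with Laravel's default text, or `abort(403, 'Forbidden')`, matches the status code. This is the GET form controller, so the guard here only hides the form; enforcement is the identical check in CreateCompanyController, and the two must keep gating on the same ability — a `can:create,...` route middleware on both routes would make that a single decision. The same message string is introduced in all five controllers in this commit.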
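Review bot: The legacy `CompanyAdmin::where('user_id', auth()->id())->where('company_id', ...)` lookup that follows the new policy check encodes the membership rule a second time, and the two can disagree: `CompanyPolicy::update` (further down in this diff) grants super admins without requiring a CompanyAdmin row, so a super admin passes the new guard and then falls into whatever the old block does when `$admin` is empty — the rest of the method is outside the hunk, so whether that is a 404 or a null dereference cannot be seen here. Drop the legacy lookup and treat `$agent->company` as the authorized target, or, if it must stay, make it apply the same role rule. `Request $request` was added to the signature but the next line still calls `auth()->id()`; `$request->user()->id` keeps one source of the current user. If `$agent->company` can be null for an orphaned agent, `cannot('update', null)` should resolve no policy and deny, which is the safe outcome.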
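Review bot: The policy now fixes `$company` as the authorized target, yet the code right after still re-derives the company from the caller's memberships (`$admin = CompanyAdmin::where('user_id', $userId)->get(); if ($admin->count() == 1)`), so a user who administers two companies passes the `update` check and then takes the `count() != 1` path, and a record may end up attached to the membership rather than to the company in the URL — the remainder of `store` is outside the hunk, so this is inferred from the visible lines. Key the write on `$company->id` and delete the re-derivation. Also, `index($companyId = null)` in the hunk context remains unguarded and the new CompanyPolicy defines no `view`, so read access to details is still unchecked; if details are not meant to be public, add `view(User $user, Company $company): bool` to the policy and gate `index` the same way.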
@@ -0,0 +1,36 @@ +id)->where('role_id', Role::SUPER_ADMIN)->count() == 1) + { + return true; + } + return false; + } + public function update(User $user, Company $company): bool + { + if (UserRole::where('user_id', $user->id)->where('role_id', Role::SUPER_ADMIN)->count() == 1) + { + return true; + } + if ( + CompanyAdmin::where('user_id', $user->id)->where('company_id', $company->id)->count() == 1 + && UserRole::where('user_id', $user->id)->where('role_id', Role::COMPANY_ADMIN)->count() == 1 + ) + { + return true; + } + return false; + } +} diff --git a/app/Modules/Main/Models/Company/Company.php b/app/Modules/Main/Models/Company/Company.php index ded1e6e..418d692 100644 --- a/app/Modules/Main/Models/Company/Company.php +++ b/app/Modules/Main/Models/Company/Company.php @@ -7,6 +7,7 @@ use Modules\Payment\Traits\Paymentable; use Modules\Main\Models\City; use Modules\Bitrix\Traits\Bitrixable; + class Company extends Model { use HasFactory; diff --git a/app/Modules/Main/Providers/ModuleServiceProvider.php b/app/Modules/Main/Providers/ModuleServiceProvider.php index d6b43e1..44455c7 100644 --- a/app/Modules/Main/Providers/ModuleServiceProvider.php +++ b/app/Modules/Main/Providers/ModuleServiceProvider.php @@ -5,6 +5,8 @@ use Illuminate\Support\ServiceProvider; use Illuminate\Support\Facades\Blade; use Livewire\Livewire; +use Illuminate\Support\Facades\Gate; + class ModuleServiceProvider extends ServiceProvider { @@ -23,6 +25,7 @@ public function boot() $this->registerConfig(); $this->registerComponent(); $this->registerLivewire(); + $this->registerPolicies(); } protected function registerViews() @@ -69,4 +72,9 @@ protected function registerComponent() { //Blade::component('', \Modules\\Http\Components\::class); } + + protected function registerPolicies() + { + Gate::policy(\Modules\Main\Models\Company\Company::class, \Modules\Main\Http\Policies\CompanyPolicy::class); + } } \ No newline at end of file
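Review bot: Both methods test membership with `->count() == 1`, which denies a user who happens to have a duplicate `CompanyAdmin` or `UserRole` row (count 2) and issues a COUNT where `->exists()` is the intent; and the super-admin test is copy-pasted into `create` and `update`, so every future ability (`view`, `delete`) has to repeat it. Laravel policies run a `before(User $user, string $ability)` hook ahead of every ability: returning `true` there for super admins and `null` otherwise removes the duplication, and a private `hasRole` helper reduces the remaining rule to one expression. The start of this hunk (file header, `use` lines and the `create` signature) is garbled in this listing, so the fence shows `before`, `update` and the helper; `create` then reduces to `return false;` if super admins are indeed the only creators, which is what the visible fragment suggests. The type of `Role::SUPER_ADMIN` is not visible; the helper assumes an int.
```php
    /** Runs before every ability: super admins are always allowed; null defers to the ability method. */
    public function before(User $user, string $ability): ?bool
    {
        return $this->hasRole($user, Role::SUPER_ADMIN) ? true : null;
    }

    // … unchanged: create() minus its super-admin branch …

    public function update(User $user, Company $company): bool
    {
        // Both the company-admin role and a membership row for this specific company are required.
        return $this->hasRole($user, Role::COMPANY_ADMIN)
            && CompanyAdmin::where('user_id', $user->id)
                ->where('company_id', $company->id)
                ->exists();
    }

    private function hasRole(User $user, int $roleId): bool
    {
        return UserRole::where('user_id', $user->id)
            ->where('role_id', $roleId)
            ->exists();
    }
```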
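Review bot: `registerPolicies` names both classes with inline fully-qualified strings while the same file adds `use Illuminate\Support\Facades\Gate;` for the facade; importing `Modules\Main\Models\Company\Company` and `Modules\Main\Http\Policies\CompanyPolicy` at the top and writing `Gate::policy(Company::class, CompanyPolicy::class);` keeps one convention and lets static analysis resolve the names. Explicit registration is needed here because the policy lives under `Modules\Main\Http\Policies` rather than the `App\Policies` path Laravel auto-discovers, which deserves a one-line comment above the call: `// Policies under Modules\ are outside Laravel's auto-discovery path; register explicitly.` The file still ends without a trailing newline.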