#3: Implemented security when viewing an album and its photos
This commit is contained in:
parent
33275a8733
commit
045935c554
@ -1,6 +1,6 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<project version="4">
|
||||
<component name="PublishConfigData" serverName="Development">
|
||||
<component name="PublishConfigData" autoUpload="On explicit save action" serverName="Development">
|
||||
<serverData>
|
||||
<paths name="Development">
|
||||
<serverdata>
|
||||
@ -10,5 +10,6 @@
|
||||
</serverdata>
|
||||
</paths>
|
||||
</serverData>
|
||||
<option name="myAutoUpload" value="ON_EXPLICIT_SAVE" />
|
||||
</component>
|
||||
</project>
|
@ -66,10 +66,8 @@ class DbHelper
|
||||
->withCount('photos');
|
||||
}
|
||||
|
||||
public static function getAlbumByAliasForCurrentUser($urlAlias)
|
||||
public static function getAlbumByAlias($urlAlias)
|
||||
{
|
||||
$album = Album::where('url_alias', $urlAlias)->first();
|
||||
|
||||
return $album;
|
||||
return Album::where('url_alias', $urlAlias)->first();
|
||||
}
|
||||
}
|
@ -17,13 +17,15 @@ class AlbumController extends Controller
|
||||
{
|
||||
public function index(Request $request, $albumUrlAlias)
|
||||
{
|
||||
$album = DbHelper::getAlbumByAliasForCurrentUser($albumUrlAlias);
|
||||
$album = DbHelper::getAlbumByAlias($albumUrlAlias);
|
||||
if (is_null($album))
|
||||
{
|
||||
App::abort(404);
|
||||
return null;
|
||||
}
|
||||
|
||||
$this->authorizeForUser($this->getUser(), 'view', $album);
|
||||
|
||||
$validViews = UserConfig::allowedAlbumViews();
|
||||
$requestedView = strtolower($request->get('view'));
|
||||
if (!in_array($requestedView, $validViews))
|
||||
@ -36,8 +38,6 @@ class AlbumController extends Controller
|
||||
}
|
||||
}
|
||||
|
||||
$this->authorizeForUser($this->getUser(), 'album.view', $album);
|
||||
|
||||
if ($album->photos()->count() == 0)
|
||||
{
|
||||
$requestedView = 'empty';
|
||||
|
@ -20,14 +20,14 @@ class PhotoController extends Controller
|
||||
{
|
||||
public function download(Request $request, $albumUrlAlias, $photoFilename)
|
||||
{
|
||||
$album = DbHelper::getAlbumByAliasForCurrentUser($albumUrlAlias);
|
||||
$album = DbHelper::getAlbumByAlias($albumUrlAlias);
|
||||
if (is_null($album))
|
||||
{
|
||||
App::abort(404);
|
||||
return null;
|
||||
}
|
||||
|
||||
$this->authorizeForUser($this->getUser(), 'album.view', $album);
|
||||
$this->authorizeForUser($this->getUser(), 'view', $album);
|
||||
|
||||
if (UserConfig::get('hotlink_protection'))
|
||||
{
|
||||
@ -75,14 +75,14 @@ class PhotoController extends Controller
|
||||
|
||||
public function show(Request $request, $albumUrlAlias, $photoFilename)
|
||||
{
|
||||
$album = DbHelper::getAlbumByAliasForCurrentUser($albumUrlAlias);
|
||||
$album = DbHelper::getAlbumByAlias($albumUrlAlias);
|
||||
if (is_null($album))
|
||||
{
|
||||
App::abort(404);
|
||||
return null;
|
||||
}
|
||||
|
||||
$this->authorizeForUser($this->getUser(), 'album.view', $album);
|
||||
$this->authorizeForUser($this->getUser(), 'view', $album);
|
||||
|
||||
$photo = PhotoController::loadPhotoByAlbumAndFilename($album, $photoFilename);
|
||||
|
||||
|
@ -45,6 +45,37 @@ class AlbumPolicy
|
||||
'description' => 'edit'
|
||||
])->first();
|
||||
|
||||
return $this->userHasPermission($user, $album, $permission);
|
||||
}
|
||||
|
||||
public function view(User $user, Album $album)
|
||||
{
|
||||
if ($user->id == $album->user_id)
|
||||
{
|
||||
// The album's owner and can do everything
|
||||
return true;
|
||||
}
|
||||
|
||||
// Get the edit permission
|
||||
$permission = Permission::where([
|
||||
'section' => 'album',
|
||||
'description' => 'view'
|
||||
])->first();
|
||||
|
||||
return $this->userHasPermission($user, $album, $permission);
|
||||
}
|
||||
|
||||
private function userHasPermission(User $user, Album $album, Permission $permission)
|
||||
{
|
||||
if ($user->isAnonymous())
|
||||
{
|
||||
$query = Album::query()->join('album_anonymous_permissions', 'album_anonymous_permissions.album_id', '=', 'albums.id')
|
||||
->join('permissions', 'permissions.id', '=', 'album_anonymous_permissions.permission_id')
|
||||
->where('permissions.id', $permission->id);
|
||||
|
||||
return $query->count() > 0;
|
||||
}
|
||||
|
||||
// If any of the user's groups are granted the permission
|
||||
/** @var Group $group */
|
||||
foreach ($user->groups as $group)
|
||||
|
@ -45,4 +45,9 @@ class User extends Authenticatable
|
||||
{
|
||||
return $this->belongsToMany(Group::class, 'user_groups');
|
||||
}
|
||||
|
||||
public function isAnonymous()
|
||||
{
|
||||
return $this->id == -1 && $this->name == 'Anonymous';
|
||||
}
|
||||
}
|
||||
|
@ -35,7 +35,7 @@
|
||||
<h4 class="card-title"><a href="{{ $photo->url() }}">{{ $photo->name }}</a></h4>
|
||||
</div>
|
||||
<div class="card-footer">
|
||||
<small class="text-muted"><i class="fa fa-fw fa-calendar"></i> {{ date('Y-m-d H:i', $photo->taken_at) }}</small>
|
||||
<small class="text-muted"><i class="fa fa-fw fa-calendar"></i> {{ date('Y-m-d H:i', strtotime(!is_null($photo->taken_at) ? $photo->taken_at : $photo->created_at)) }}</small>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
@ -2,21 +2,15 @@
|
||||
@section('title', $photo->name)
|
||||
|
||||
@section('breadcrumb')
|
||||
<div class="breadcrumb">
|
||||
<div class="container">
|
||||
<ol class="breadcrumb">
|
||||
<li><a href="{{ route('home') }}">Gallery</a></li>
|
||||
<li><a href="{{ $return_album_url }}">{{ $photo->album->name }}</a></li>
|
||||
<li class="active">{{ $photo->name }}</li>
|
||||
</ol>
|
||||
</div>
|
||||
</div>
|
||||
<li class="breadcrumb-item"><a href="{{ route('home') }}">Gallery</a></li>
|
||||
<li class="breadcrumb-item"><a href="{{ $return_album_url }}">{{ $photo->album->name }}</a></li>
|
||||
<li class="breadcrumb-item active">{{ $photo->name }}</li>
|
||||
@endsection
|
||||
|
||||
@section('content')
|
||||
<div class="container">
|
||||
<div class="row">
|
||||
<div class="col-xs-12">
|
||||
<div class="col">
|
||||
<h1>{{ $photo->name }}</h1>
|
||||
@if (strlen($photo->description) > 0)
|
||||
<p>{{ $photo->description }}</p>
|
||||
@ -25,7 +19,7 @@
|
||||
</div>
|
||||
|
||||
<div class="row">
|
||||
<div class="col-xs-12 col-sm-8 content-body">
|
||||
<div class="col-sm-8 content-body">
|
||||
@if ($is_original_allowed)
|
||||
<a href="{{ $photo->thumbnailUrl() }}">
|
||||
@endif
|
||||
@ -35,11 +29,11 @@
|
||||
@endif
|
||||
</div>
|
||||
|
||||
<div class="col-xs-12 col-sm-4">
|
||||
<div class="panel panel-default">
|
||||
<div class="panel-heading">Information about this photo:</div>
|
||||
<div class="panel-body no-padding">
|
||||
<table class="table table-striped photo-metadata no-margin-bottom">
|
||||
<div class="col-sm-4">
|
||||
<div class="card">
|
||||
<div class="card-header">Information about this photo:</div>
|
||||
<div class="card-block" style="padding: 0;">
|
||||
<table class="table table-striped photo-metadata mb-0">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Name</th>
|
||||
@ -87,8 +81,8 @@
|
||||
</div>
|
||||
|
||||
<div class="row">
|
||||
<div class="col-xs-12">
|
||||
<a href="{{ $return_album_url }}" class="btn btn-default">@lang('gallery.back_to_album', ['name' => $photo->album->name])</a>
|
||||
<div class="col mt-4">
|
||||
<a href="{{ $return_album_url }}" class="btn btn-secondary">« @lang('gallery.back_to_album', ['name' => $photo->album->name])</a>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
@ -12,12 +12,8 @@
|
||||
<div class="col-md-4">
|
||||
<h5>Album Permissions</h5>
|
||||
|
||||
@php ($permission = Theme::getPermission($all_permissions, 'album', 'list'))
|
||||
<div class="checkbox">
|
||||
<label for="permission|{{ $key_id }}|{{ $permission->id }}">
|
||||
<input id="permission|{{ $key_id }}|{{ $permission->id }}" name="permissions[{{ $object_id }}][]" value="{{ $permission->id }}" type="checkbox"{{ call_user_func($callback, $callback_object, $permission) ? ' checked="checked"' : '' }} /> {{ trans(sprintf('permissions.%s.%s', $permission->section, $permission->description)) }}
|
||||
</label>
|
||||
</div>
|
||||
@include(Theme::viewName('partials.permission_checkbox'), ['permission' => Theme::getPermission($all_permissions, 'album', 'list')])
|
||||
@include(Theme::viewName('partials.permission_checkbox'), ['permission' => Theme::getPermission($all_permissions, 'album', 'view')])
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
@ -0,0 +1,5 @@
|
||||
<div class="checkbox">
|
||||
<label for="permission|{{ $key_id }}|{{ $permission->id }}">
|
||||
<input id="permission|{{ $key_id }}|{{ $permission->id }}" name="permissions[{{ $object_id }}][]" value="{{ $permission->id }}" type="checkbox"{{ call_user_func($callback, $callback_object, $permission) ? ' checked="checked"' : '' }} /> {{ trans(sprintf('permissions.%s.%s', $permission->section, $permission->description)) }}
|
||||
</label>
|
||||
</div>
|
Loading…
Reference in New Issue
Block a user