From 2ef01cc23c6759ea9c8a0043dc33f3fa2bd1276c Mon Sep 17 00:00:00 2001 From: Andy Heathershaw Date: Sat, 15 Apr 2017 09:41:15 +0100 Subject: [PATCH] #3: It's now possible to restrict access to the admin panel, managing albums and settings functions by user group --- app/Group.php | 12 ++++ .../Controllers/Admin/AlbumController.php | 22 +++---- .../Controllers/Admin/DefaultController.php | 6 +- .../Controllers/Admin/GroupController.php | 36 ++++++++--- .../Controllers/Admin/PhotoController.php | 18 +++--- .../Controllers/Admin/StorageController.php | 14 ++--- app/Http/Controllers/Admin/UserController.php | 16 ++--- app/Http/Controllers/Controller.php | 11 ++-- app/Providers/AuthServiceProvider.php | 59 +++++++++++++++++-- ...2017_03_21_211508_add_user_upload_flag.php | 32 ---------- ...2_create_admin_group_permissions_table.php | 40 +++++++++++++ database/seeds/PermissionsSeeder.php | 33 +++++++++++ resources/lang/en/admin.php | 1 + resources/lang/en/permissions.php | 5 ++ .../themes/base/admin/edit_group.blade.php | 33 +++++++++-- .../partials/admin_actions_widget.blade.php | 12 ++-- .../partials/admin_manage_widget.blade.php | 13 ++-- .../partials/admin_stats_widget.blade.php | 2 +- .../themes/base/partials/navbar.blade.php | 2 +- 19 files changed, 265 insertions(+), 102 deletions(-) delete mode 100644 database/migrations/2017_03_21_211508_add_user_upload_flag.php create mode 100644 database/migrations/2017_04_15_083922_create_admin_group_permissions_table.php diff --git a/app/Group.php b/app/Group.php index 195e49d..57c7a31 100644 --- a/app/Group.php +++ b/app/Group.php 
@@ -15,6 +15,18 @@ class Group extends Model 'name' ]; + public function adminPermissions() + { + return $this->belongsToMany(Permission::class, 'admin_group_permissions'); + } + + public function hasAdminPermission(Group $group, Permission $permission) + { + return $this->adminPermissions()->where([ + 'permission_id' => $permission->id + ])->count() > 0; + } + public function users() { return $this->belongsToMany(User::class, 'user_groups'); diff --git a/app/Http/Controllers/Admin/AlbumController.php b/app/Http/Controllers/Admin/AlbumController.php index 01c9765..260fd1c 100644 --- a/app/Http/Controllers/Admin/AlbumController.php +++ b/app/Http/Controllers/Admin/AlbumController.php @@ -34,7 +34,7 @@ class AlbumController extends Controller public function analyse($id, $queue_token) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); $album = $this->loadAlbum($id); $photos = $album->photos() @@ -57,7 +57,7 @@ class AlbumController extends Controller */ public function create(Request $request) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); $albumSources = []; foreach (Storage::where('is_active', true)->orderBy('name')->get() as $storage) @@ -81,7 +81,7 @@ class AlbumController extends Controller public function delete($id) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); $album = $this->loadAlbum($id); @@ -96,7 +96,7 @@ class AlbumController extends Controller */ public function destroy(Request $request, $id) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); $album = $this->loadAlbum($id); @@ -124,7 +124,7 @@ class AlbumController extends Controller */ public function edit($id) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); $album = $this->loadAlbum($id); 
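Review bot: `hasAdminPermission(Group $group, Permission $permission)` never reads `$group`; the query runs against `$this->adminPermissions()`, so the first parameter is dead inside the method. It appears to exist so the method fits the callback shape that edit_group.blade.php sets up (`$callback = [$group, 'hasAdminPermission']` together with `$callback_object = $group`); if that is the reason, state it in a docblock, otherwise drop the parameter and fix the call in AuthServiceProvider. The membership test can be `return $this->adminPermissions()->where('permission_id', $permission->id)->exists();`, which avoids a COUNT over the pivot for the same boolean result. The `Permission` type-hint also means a null argument is a TypeError rather than a deny, so any caller that resolves the permission by name has to handle the not-found case before calling this.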
@@ -138,7 +138,7 @@ class AlbumController extends Controller */ public function index(Request $request) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); $albums = DbHelper::getAlbumsForCurrentUser(); @@ -150,7 +150,7 @@ class AlbumController extends Controller public function setGroupPermissions(Request $request, $id) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); /** @var Album $album */ $album = $this->loadAlbum($id); @@ -206,7 +206,7 @@ class AlbumController extends Controller public function setUserPermissions(Request $request, $id) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); /** @var Album $album */ $album = $this->loadAlbum($id); @@ -287,7 +287,7 @@ class AlbumController extends Controller */ public function show(Request $request, $id) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); $album = $this->loadAlbum($id); $photos = $album->photos() @@ -371,7 +371,7 @@ class AlbumController extends Controller */ public function store(Requests\StoreAlbumRequest $request) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); $album = new Album(); $album->fill($request->only(['name', 'description', 'storage_id'])); @@ -395,7 +395,7 @@ class AlbumController extends Controller */ public function update(Requests\StoreAlbumRequest $request, $id) { - $this->authorizeAccessToAdminPanel(); + $this->authorizeAccessToAdminPanel('admin:manage-albums'); $album = $this->loadAlbum($id); $album->fill($request->only(['name', 'description'])); diff --git a/app/Http/Controllers/Admin/DefaultController.php b/app/Http/Controllers/Admin/DefaultController.php index fcbfb32..89b44e0 100644 --- a/app/Http/Controllers/Admin/DefaultController.php +++ b/app/Http/Controllers/Admin/DefaultController.php 
@@ -55,6 +55,8 @@ class DefaultController extends Controller public function saveSettings(SaveSettingsRequest $request) { + $this->authorizeAccessToAdminPanel('admin:configure'); + $passwordKeys = [ 'smtp_password' ]; @@ -137,7 +139,7 @@ class DefaultController extends Controller public function settings(Request $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel('admin:configure'); // Load the current configuration $config = array_merge(UserConfig::defaults(), UserConfig::getAll()); @@ -162,6 +164,8 @@ class DefaultController extends Controller public function testMailSettings(SaveSettingsRequest $request) { + $this->authorizeAccessToAdminPanel('admin:configure'); + try { $validKeys = [ diff --git a/app/Http/Controllers/Admin/GroupController.php b/app/Http/Controllers/Admin/GroupController.php index 4415c82..70fc14c 100644 --- a/app/Http/Controllers/Admin/GroupController.php +++ b/app/Http/Controllers/Admin/GroupController.php @@ -7,6 +7,7 @@ use App\Facade\UserConfig; use App\Group; use App\Http\Controllers\Controller; use App\Http\Requests\StoreGroupRequest; +use App\Permission; use Illuminate\Http\Request; use Illuminate\Support\Facades\App; use Illuminate\Support\Facades\View; @@ -26,14 +27,14 @@ class GroupController extends Controller */ public function create() { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); return Theme::render('admin.create_group'); } public function delete($id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $group = Group::where('id', intval($id))->first(); if (is_null($group)) @@ -52,7 +53,7 @@ class GroupController extends Controller */ public function destroy(Request $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); /** @var Group $group */ $group = Group::where('id', intval($id))->first(); 
@@ -87,7 +88,7 @@ class GroupController extends Controller */ public function edit(Request $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $group = Group::where('id', intval($id))->first(); if (is_null($group)) @@ -100,7 +101,10 @@ class GroupController extends Controller $request->session()->flash('_old_input', $group->toArray()); } - return Theme::render('admin.edit_group', ['group' => $group]); + return Theme::render('admin.edit_group', [ + 'all_permissions' => Permission::where('section', 'admin')->get(), + 'group' => $group + ]); } /** @@ -110,7 +114,7 @@ class GroupController extends Controller */ public function index(Request $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $groups = Group::orderBy('name') ->paginate(UserConfig::get('items_per_page')); @@ -131,7 +135,7 @@ class GroupController extends Controller */ public function store(StoreGroupRequest $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $group = new Group(); $group->fill($request->only(['name'])); @@ -149,8 +153,9 @@ class GroupController extends Controller */ public function update(StoreGroupRequest $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); + /** @var Group $group */ $group = Group::where('id', intval($id))->first(); if (is_null($group)) { @@ -158,6 +163,21 @@ class GroupController extends Controller } $group->fill($request->only(['name'])); + + // Update the admin permissions + $group->adminPermissions()->detach(); + $permissions = $request->get('permissions'); + if (is_array($permissions) && array_key_exists($id, $permissions)) + { + foreach ($permissions[$id] as $permissionID) + { + $group->adminPermissions()->attach($permissionID, [ + 'created_at' => new \DateTime(), + 'updated_at' => new \DateTime() + ]); + } + } + $group->save(); return redirect(route('groups.index')); 
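Review bot: Every GroupController action in these hunks is gated on the base `admin:access` ability only, so a member of a group that was granted nothing but `access` can open `update()` for their own group, tick `configure` and `manage-albums`, and escalate to full admin through the panel; the same base-only gate is used in the UserController, StorageController and PhotoController hunks below, so that user can also create users and change group membership. Group and user management should require a dedicated ability the same way album actions now require `admin:manage-albums`, e.g. `$this->authorizeAccessToAdminPanel('admin:configure');` (already defined by this commit) or a new `admin:manage-users` permission. Separately, the IDs taken from `$request->get('permissions')[$id]` are attached without checking that they exist or belong to the `admin` section: a bad ID only fails at the foreign key after `detach()` has already run, leaving the group stripped of its permissions, and a repeated ID inserts a duplicate pivot row. Filtering the submitted IDs against the admin-section permissions and replacing the detach/attach loop with one `sync()` inside a transaction with `$group->save()` closes both gaps.
```php
        // … unchanged: authorizeAccessToAdminPanel(), group lookup, fill(['name']) …

        // Accept only IDs of admin-section permissions, whatever the form posted
        $submitted = $request->get('permissions');
        $submitted = is_array($submitted) && array_key_exists($id, $submitted) ? (array) $submitted[$id] : [];
        $allowed = Permission::where('section', 'admin')->pluck('id')->all();
        $permissionIDs = array_values(array_intersect(array_map('intval', $submitted), $allowed));

        // sync() replaces the pivot rows in one step, so there is no window where the group has
        // no permissions; the transaction keeps the pivot and the group row consistent on failure
        \Illuminate\Support\Facades\DB::transaction(function () use ($group, $permissionIDs) {
            $now = new \DateTime();
            $group->adminPermissions()->sync(array_fill_keys($permissionIDs, [
                'created_at' => $now,
                'updated_at' => $now,
            ]));
            $group->save();
        });

        return redirect(route('groups.index'));
```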
diff --git a/app/Http/Controllers/Admin/PhotoController.php b/app/Http/Controllers/Admin/PhotoController.php index 885ec68..e303415 100644 --- a/app/Http/Controllers/Admin/PhotoController.php +++ b/app/Http/Controllers/Admin/PhotoController.php @@ -34,7 +34,7 @@ class PhotoController extends Controller public function analyse($photoId, $queue_token) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); /** @var Photo $photo */ $photo = Photo::where('id', intval($photoId))->first(); @@ -93,7 +93,7 @@ class PhotoController extends Controller */ public function destroy(Request $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); /** @var Photo $photo */ $photo = Photo::where('id', intval($id))->first(); @@ -111,7 +111,7 @@ class PhotoController extends Controller public function flip($photoId, $horizontal, $vertical) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); settype($horizontal, 'boolean'); settype($vertical, 'boolean'); @@ -129,7 +129,7 @@ class PhotoController extends Controller public function move(Request $request, $photoId) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $photo = Photo::where('id', intval($photoId))->first(); if (is_null($photo)) @@ -160,7 +160,7 @@ class PhotoController extends Controller public function regenerateThumbnails($photoId) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); /** @var Photo $photo */ $photo = Photo::where('id', intval($photoId))->first(); @@ -190,7 +190,7 @@ class PhotoController extends Controller public function rotate($photoId, $angle) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $photo = Photo::where('id', intval($photoId))->first(); if (is_null($photo)) 
@@ -217,7 +217,7 @@ class PhotoController extends Controller */ public function store(Request $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $photoFiles = $request->files->get('photo'); @@ -276,7 +276,7 @@ class PhotoController extends Controller public function storeBulk(Request $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); // Load the linked album $album = $this->loadAlbum($request->get('album_id')); @@ -404,7 +404,7 @@ class PhotoController extends Controller public function updateBulk(UpdatePhotosBulkRequest $request, $albumId) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); /** @var Album $album */ $album = Album::where('id', intval($albumId))->first(); diff --git a/app/Http/Controllers/Admin/StorageController.php b/app/Http/Controllers/Admin/StorageController.php index 2bbe29a..76d1c3c 100644 --- a/app/Http/Controllers/Admin/StorageController.php +++ b/app/Http/Controllers/Admin/StorageController.php @@ -34,7 +34,7 @@ class StorageController extends Controller */ public function index(Request $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $storageLocations = Storage::orderBy('name') ->paginate(UserConfig::get('items_per_page')); @@ -53,7 +53,7 @@ class StorageController extends Controller */ public function create(Request $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $filesystemDefaultLocation = sprintf('%s/storage/app/albums', dirname(dirname(dirname(dirname(__DIR__))))); @@ -72,7 +72,7 @@ class StorageController extends Controller */ public function store(Requests\StoreStorageRequest $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $storage = new Storage(); $storage->fill($request->only([ 
@@ -136,7 +136,7 @@ class StorageController extends Controller */ public function delete(Request $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $storage = Storage::where('id', intval($id))->first(); if (is_null($storage)) @@ -169,7 +169,7 @@ class StorageController extends Controller */ public function edit(Request $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); /** @var Storage $storage */ $storage = Storage::where('id', intval($id))->first(); @@ -203,7 +203,7 @@ class StorageController extends Controller */ public function update(Requests\StoreStorageRequest $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $storage = Storage::where('id', intval($id))->first(); if (is_null($storage)) @@ -258,7 +258,7 @@ class StorageController extends Controller */ public function destroy(Request $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $storage = Storage::where('id', intval($id))->first(); if (is_null($storage)) diff --git a/app/Http/Controllers/Admin/UserController.php b/app/Http/Controllers/Admin/UserController.php index 5ee1510..2e2e83b 100644 --- a/app/Http/Controllers/Admin/UserController.php +++ b/app/Http/Controllers/Admin/UserController.php @@ -24,7 +24,7 @@ class UserController extends Controller public function delete(Request $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $user = User::where('id', intval($id))->first(); if (is_null($user)) @@ -48,7 +48,7 @@ class UserController extends Controller */ public function index(Request $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $users = User::orderBy('name') ->paginate(UserConfig::get('items_per_page')); 
@@ -68,7 +68,7 @@ class UserController extends Controller */ public function create() { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); return Theme::render('admin.create_user'); } @@ -81,7 +81,7 @@ class UserController extends Controller */ public function store(Requests\StoreUserRequest $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $user = new User(); $user->fill($request->only(['name', 'email', 'password'])); @@ -113,7 +113,7 @@ class UserController extends Controller */ public function edit(Request $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $user = User::where('id', intval($id))->first(); if (is_null($user)) @@ -145,7 +145,7 @@ class UserController extends Controller */ public function update(Requests\StoreUserRequest $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $user = User::where('id', intval($id))->first(); if (is_null($user)) @@ -214,7 +214,7 @@ class UserController extends Controller */ public function destroy(Request $request, $id) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); /** @var User $user */ $user = User::where('id', intval($id))->first(); @@ -255,7 +255,7 @@ class UserController extends Controller */ public function searchJson(Request $request) { - $this->authorize('admin-access'); + $this->authorizeAccessToAdminPanel(); $limit = intval($request->get('n')); if ($limit == 0) diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php index f46b290..cabd0c1 100644 --- a/app/Http/Controllers/Controller.php +++ b/app/Http/Controllers/Controller.php 
@@ -8,6 +8,7 @@ use Illuminate\Http\Request; use Illuminate\Routing\Controller as BaseController; use Illuminate\Foundation\Validation\ValidatesRequests; use Illuminate\Foundation\Auth\Access\AuthorizesRequests; +use Illuminate\Support\Facades\App; use Illuminate\Support\Facades\Artisan; use Illuminate\Support\Facades\Auth; use Illuminate\Support\Facades\DB; @@ -16,13 +17,13 @@ class Controller extends BaseController { use AuthorizesRequests, DispatchesJobs, ValidatesRequests; - protected function authorizeAccessToAdminPanel() + protected function authorizeAccessToAdminPanel($additionalPermission = null) { - // A user can access the admin panel if they are either an administrator, or are allowed to create albums - // Further checks within the admin panel determine what a user can do within the panel - if (!Auth::user()->can('admin-access') && !Auth::user()->can('admin-create-albums')) + $this->authorizeForUser($this->getUser(), 'admin:access'); + + if (!is_null($additionalPermission)) { - App::abort(403); + $this->authorizeForUser($this->getUser(), $additionalPermission); } } diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php index bd4d4fa..73e3c66 100644 --- a/app/Providers/AuthServiceProvider.php +++ b/app/Providers/AuthServiceProvider.php @@ -4,13 +4,22 @@ namespace App\Providers; use App\Album; use App\Facade\UserConfig; +use App\Group; +use App\Permission; use App\Photo; use App\Policies\AlbumPolicy; +use App\User; +use function GuzzleHttp\Psr7\mimetype_from_extension; use Illuminate\Support\Facades\Gate; use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider; class AuthServiceProvider extends ServiceProvider { + /** + * @var Permission[] + */ + private $permissions; + /** * The policy mappings for the application. * 
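Review bot: The new `use Illuminate\Support\Facades\App;` import in Controller.php is unused, because the `App::abort(403)` call it would serve is removed in the same hunk; drop it. The method has also lost the comment that explained the two-step check, so add a docblock along the lines of `@param string|null $additionalPermission Gate ability that must also pass after the base 'admin:access' check` and `@throws \Illuminate\Auth\Access\AuthorizationException when either check fails`, since the 403 now comes from the exception rather than an abort. `getUser()` is defined outside this hunk, so whether it can return null for a guest, and what `authorizeForUser` does in that case, cannot be confirmed from here.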
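Review bot: `use function GuzzleHttp\Psr7\mimetype_from_extension;` in AuthServiceProvider.php is not referenced by anything in this file's hunks and looks like an IDE auto-import; it couples the authorization provider to Guzzle for no reason and should be removed. The `@var Permission[]` on `$permissions` is also inaccurate: `Permission::where(...)->get()` returns an Eloquent collection, so `@var \Illuminate\Database\Eloquent\Collection|Permission[]` documents what the `foreach` in `getAdminPermission` actually iterates.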
@@ -29,14 +38,19 @@ class AuthServiceProvider extends ServiceProvider { $this->registerPolicies(); - Gate::define('admin-access', function ($user) + Gate::define('admin:access', function ($user) { - return $user->is_admin; + return $this->userHasAdminPermission($user, 'access'); }); - Gate::define('admin-create-albums', function ($user) + Gate::define('admin:configure', function ($user) { - return $user->can_create_albums; + return $this->userHasAdminPermission($user, 'configure'); }); + Gate::define('admin:manage-albums', function ($user) + { + return $this->userHasAdminPermission($user, 'manage-albums'); + }); + Gate::define('photo.download_original', function ($user, Photo $photo) { if (!UserConfig::get('restrict_original_download')) @@ -47,4 +61,41 @@ class AuthServiceProvider extends ServiceProvider return ($user->id == $photo->user_id); }); } + + private function userHasAdminPermission(User $user, $permissionDescription) + { + if ($user->is_admin) + { + return true; + } + + /** @var Group $group */ + foreach ($user->groups as $group) + { + if ($group->hasAdminPermission($group, $this->getAdminPermission($permissionDescription))) + { + return true; + } + } + + return false; + } + + private function getAdminPermission($description) + { + if (is_null($this->permissions)) + { + $this->permissions = Permission::where('section', 'admin')->get(); + } + + foreach ($this->permissions as $permission) + { + if (strtolower($permission->description) == strtolower($description)) + { + return $permission; + } + } + + return null; + } } diff --git a/database/migrations/2017_03_21_211508_add_user_upload_flag.php b/database/migrations/2017_03_21_211508_add_user_upload_flag.php deleted file mode 100644 index 54a513a..0000000 --- a/database/migrations/2017_03_21_211508_add_user_upload_flag.php +++ /dev/null 
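Review bot: In `userHasAdminPermission`, `getAdminPermission()` returns null when no `admin`-section row has that description (for instance before the seeder has run), and that null goes straight into `Group::hasAdminPermission(Group, Permission)`, where the type-hint turns the first gate check for any non-admin user into a TypeError and a 500 instead of a deny. Resolve the permission once before the loop and return false when it is missing, which also stops the lookup being repeated for every group. The comparison in `getAdminPermission` should be `strcasecmp($permission->description, $description) === 0` rather than `==` on two lowercased strings. Each gate evaluation still issues one pivot query per group the user belongs to, and the three gates are evaluated by the controller, the navbar and the widgets within one request, so caching the result per user and ability may be worth it if that shows up in profiling.
```php
    private function userHasAdminPermission(User $user, $permissionDescription)
    {
        if ($user->is_admin)
        {
            return true;
        }

        // Resolve once, outside the loop; a missing row (seeder not run) is a deny, not a TypeError
        $permission = $this->getAdminPermission($permissionDescription);
        if (is_null($permission))
        {
            return false;
        }

        /** @var Group $group */
        foreach ($user->groups as $group)
        {
            if ($group->hasAdminPermission($group, $permission))
            {
                return true;
            }
        }

        return false;
    }
```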
@@ -1,32 +0,0 @@ -boolean('can_create_albums')->default(0); - }); - } - - /** - * Reverse the migrations. - * - * @return void - */ - public function down() - { - Schema::table('users', function (Blueprint $table) { - $table->dropColumn('can_create_albums'); - }); - } -} diff --git a/database/migrations/2017_04_15_083922_create_admin_group_permissions_table.php b/database/migrations/2017_04_15_083922_create_admin_group_permissions_table.php new file mode 100644 index 0000000..cb155ca --- /dev/null +++ b/database/migrations/2017_04_15_083922_create_admin_group_permissions_table.php @@ -0,0 +1,40 @@ +unsignedInteger('group_id'); + $table->unsignedInteger('permission_id'); + + $table->foreign('group_id') + ->references('id')->on('groups') + ->onDelete('cascade'); + $table->foreign('permission_id') + ->references('id')->on('permissions') + ->onDelete('no action'); + + $table->timestamps(); + }); + } + + /** + * Reverse the migrations. + * + * @return void + */ + public function down() + { + Schema::dropIfExists('admin_group_permissions'); + } +} diff --git a/database/seeds/PermissionsSeeder.php b/database/seeds/PermissionsSeeder.php index d151356..9274824 100644 --- a/database/seeds/PermissionsSeeder.php +++ b/database/seeds/PermissionsSeeder.php 
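Review bot: `admin_group_permissions` has no unique index on `(group_id, permission_id)`, so the attach loop in GroupController::update inserts a duplicate pivot row whenever the same permission ID is submitted twice; add `$table->unique(['group_id', 'permission_id']);` next to the foreign keys. The opening of `up()` (the `Schema::create` call and any `increments('id')` column) is not visible in this rendering, so the primary key cannot be checked from here. Deleting `2017_03_21_211508_add_user_upload_flag.php` rather than adding a migration that drops `can_create_albums` leaves that column in place on installs that already ran it, and leaves a `migrations` row pointing at a class that no longer exists, which breaks `migrate:rollback` there.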
@@ -10,6 +10,39 @@ class PermissionsSeeder extends Seeder * @return void */ public function run() + { + $this->seedAlbumPermissions(); + $this->seedAdminPermissions(); + } + + private function seedAdminPermissions() + { + // admin:access = controls if the admin panel is accessible + DatabaseSeeder::createOrUpdate('permissions', [ + 'section' => 'admin', + 'description' => 'access', + 'is_default' => false, + 'sort_order' => 0 + ]); + + // admin:configure = controls if the system is configurable + DatabaseSeeder::createOrUpdate('permissions', [ + 'section' => 'admin', + 'description' => 'configure', + 'is_default' => false, + 'sort_order' => 0 + ]); + + // admin:manage-albums = controls if albums can be managed + DatabaseSeeder::createOrUpdate('permissions', [ + 'section' => 'admin', + 'description' => 'manage-albums', + 'is_default' => false, + 'sort_order' => 0 + ]); + } + + private function seedAlbumPermissions() { // album:list = controls if the album is visible in listings DatabaseSeeder::createOrUpdate('permissions', [ diff --git a/resources/lang/en/admin.php b/resources/lang/en/admin.php index 229eeca..d46d7d6 100644 --- a/resources/lang/en/admin.php +++ b/resources/lang/en/admin.php @@ -76,6 +76,7 @@ return [ 'group_details_tab' => 'Details', 'group_no_users_message' => 'This group has no users assigned to it. Assign users to this group by using the Groups tab on the Edit User page.', 'group_number_users' => '{0} No users|{1} 1 user|[2,Inf] :count users', + 'group_permissions_tab' => 'Permissions', 'group_users_message' => 'The users shown below are linked to this group. To remove a user, click the user\'s name and untick the ":group_name" group from the Groups tab.', 'group_users_tab' => 'Users', 'inactive_storage_legend' => 'Inactive storage location that cannot be used for new albums.', diff --git a/resources/lang/en/permissions.php b/resources/lang/en/permissions.php index 6a0afb5..ee16160 100644 --- a/resources/lang/en/permissions.php 
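Review bot: The three admin permissions are all seeded with `'sort_order' => 0`, so if `sort_order` drives the order they are listed in, their relative order is undefined; use 0, 1, 2 to match the order edit_group.blade.php hard-codes (access, configure, manage-albums). `'is_default' => false` on all three is the right choice, since a newly created group then gets no admin rights until an administrator grants them. How `DatabaseSeeder::createOrUpdate` identifies an existing row is outside this hunk, so whether re-running the seeder is idempotent for these entries cannot be confirmed here.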
+++ b/resources/lang/en/permissions.php @@ -1,5 +1,10 @@ [ + 'access' => 'Access the administration panel', + 'configure' => 'Configure the application', + 'manage-albums' => 'Manage photo albums' + ], 'album' => [ 'delete' => 'Delete this album', 'delete-other-photos' => 'Delete photos owned by other users', diff --git a/resources/views/themes/base/admin/edit_group.blade.php b/resources/views/themes/base/admin/edit_group.blade.php index 9306324..227d346 100644 --- a/resources/views/themes/base/admin/edit_group.blade.php +++ b/resources/views/themes/base/admin/edit_group.blade.php @@ -24,6 +24,7 @@ {{-- Tab panes --}} @@ -42,11 +43,6 @@ @endif - -
- @lang('forms.cancel_action') - -
@@ -65,8 +61,35 @@
@lang('admin.users_title')
@endif + + {{-- Permissions --}} +
+ @php + $callback = [$group, 'hasAdminPermission']; + $callback_object = $group; + $key_id = 'group_' . $group->id; + $object_id = $group->id + @endphp + + @include(Theme::viewName('partials.permission_checkbox'), [ + 'permission' => Theme::getPermission($all_permissions, 'admin', 'access') + ]) + + @include(Theme::viewName('partials.permission_checkbox'), [ + 'permission' => Theme::getPermission($all_permissions, 'admin', 'configure') + ]) + + @include(Theme::viewName('partials.permission_checkbox'), [ + 'permission' => Theme::getPermission($all_permissions, 'admin', 'manage-albums') + ]) +
+ +
+ @lang('forms.cancel_action') + +
diff --git a/resources/views/themes/base/partials/admin_actions_widget.blade.php b/resources/views/themes/base/partials/admin_actions_widget.blade.php index 0bd766e..281533b 100644 --- a/resources/views/themes/base/partials/admin_actions_widget.blade.php +++ b/resources/views/themes/base/partials/admin_actions_widget.blade.php @@ -1,6 +1,8 @@ -
-
@lang('admin.actions_widget.panel_header')
-
- @lang('admin.actions_widget.create_album_link') +@can('admin:manage-albums') +
+
@lang('admin.actions_widget.panel_header')
+
-
\ No newline at end of file +@endcan \ No newline at end of file diff --git a/resources/views/themes/base/partials/admin_manage_widget.blade.php b/resources/views/themes/base/partials/admin_manage_widget.blade.php index 1469758..a5f420c 100644 --- a/resources/views/themes/base/partials/admin_manage_widget.blade.php +++ b/resources/views/themes/base/partials/admin_manage_widget.blade.php @@ -1,12 +1,15 @@
@lang('admin.manage_widget.panel_header')
diff --git a/resources/views/themes/base/partials/admin_stats_widget.blade.php b/resources/views/themes/base/partials/admin_stats_widget.blade.php index 2209b70..9a07cf3 100644 --- a/resources/views/themes/base/partials/admin_stats_widget.blade.php +++ b/resources/views/themes/base/partials/admin_stats_widget.blade.php @@ -3,7 +3,7 @@
{{ $album_count }} {{ trans_choice('admin.stats_widget.albums', $album_count) }}
{{ $photo_count }} {{ trans_choice('admin.stats_widget.photos', $photo_count) }} - @can('admin-access') + @can('admin:access')
{{ $user_count }} {{ trans_choice('admin.stats_widget.users', $user_count) }} / {{ $group_count }} {{ trans_choice('admin.stats_widget.groups', $group_count) }} @endcan diff --git a/resources/views/themes/base/partials/navbar.blade.php b/resources/views/themes/base/partials/navbar.blade.php index 0b5b99b..8d74c77 100644 --- a/resources/views/themes/base/partials/navbar.blade.php +++ b/resources/views/themes/base/partials/navbar.blade.php @@ -19,7 +19,7 @@ @endif - @if (!Auth::guest() && (Auth::user()->can('admin-access') || Auth::user()->can('admin-create-albums'))) + @if (!Auth::guest() && (Auth::user()->can('admin:access')))