#71, #111: Implemented security checking in the JSON feed methods. Also users now automatically inherit the anonymous permissions by way of an additional check specifically against the anonymous user first
This commit is contained in:
parent
2394bbd077
commit
f36aa61506
@ -16,6 +16,25 @@ class PermissionsHelper
|
||||
public function getAlbumIDs($permission = 'list', User $user = null)
|
||||
{
|
||||
$result = [];
|
||||
|
||||
// First check if the anonymous user can do what is being requested - if so, the permission would also inherit
|
||||
// to logged-in users
|
||||
$anonymousUsersCan = DB::table('album_permissions_cache')
|
||||
->join('permissions', 'permissions.id', '=', 'album_permissions_cache.permission_id')
|
||||
->where([
|
||||
['album_permissions_cache.user_id', null],
|
||||
['permissions.section', 'album'],
|
||||
['permissions.description', $permission]
|
||||
])
|
||||
->select('album_permissions_cache.album_id')
|
||||
->distinct()
|
||||
->get();
|
||||
|
||||
foreach ($anonymousUsersCan as $item)
|
||||
{
|
||||
$result[] = $item->album_id;
|
||||
}
|
||||
|
||||
$query = DB::table('album_permissions_cache')
|
||||
->join('permissions', 'permissions.id', '=', 'album_permissions_cache.permission_id')
|
||||
->where([
|
||||
@ -28,9 +47,12 @@ class PermissionsHelper
|
||||
->get();
|
||||
|
||||
foreach ($query as $item)
|
||||
{
|
||||
if (!in_array($item->album_id, $result))
|
||||
{
|
||||
$result[] = $item->album_id;
|
||||
}
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
@ -42,6 +64,23 @@ class PermissionsHelper
|
||||
|
||||
public function userCan_Album(Album $album, User $user, $permission)
|
||||
{
|
||||
// First check if the anonymous user can do what is being requested - if so, the permission would also inherit
|
||||
// to logged-in users
|
||||
$anonymousUsersCan = DB::table('album_permissions_cache')
|
||||
->join('permissions', 'permissions.id', '=', 'album_permissions_cache.permission_id')
|
||||
->where([
|
||||
['album_permissions_cache.album_id', $album->id],
|
||||
['album_permissions_cache.user_id', null],
|
||||
['permissions.section', 'album'],
|
||||
['permissions.description', $permission]
|
||||
])
|
||||
->count() > 0;
|
||||
|
||||
if ($anonymousUsersCan)
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
return DB::table('album_permissions_cache')
|
||||
->join('permissions', 'permissions.id', '=', 'album_permissions_cache.permission_id')
|
||||
->where([
|
||||
|
@ -23,6 +23,7 @@ use App\Services\AlbumService;
|
||||
use App\Services\PhotoService;
|
||||
use App\Storage;
|
||||
use App\User;
|
||||
use App\UserActivity;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Support\Facades\App;
|
||||
use Illuminate\Support\Facades\Auth;
|
||||
@ -698,6 +699,9 @@ class AlbumController extends Controller
|
||||
}
|
||||
}
|
||||
|
||||
// Add an activity record
|
||||
$this->createActivityRecord($album, 'album.created');
|
||||
|
||||
// Rebuild the permissions cache
|
||||
$helper = new PermissionsHelper();
|
||||
$helper->rebuildCache();
|
||||
@ -782,6 +786,21 @@ class AlbumController extends Controller
|
||||
return redirect(route('albums.show', ['id' => $id]));
|
||||
}
|
||||
|
||||
private function createActivityRecord(Album $album, $type, $activityDateTime = null)
|
||||
{
|
||||
if (is_null($activityDateTime))
|
||||
{
|
||||
$activityDateTime = new \DateTime();
|
||||
}
|
||||
|
||||
$userActivity = new UserActivity();
|
||||
$userActivity->user_id = $this->getUser()->id;
|
||||
$userActivity->activity_at = $activityDateTime;
|
||||
$userActivity->type = $type;
|
||||
$userActivity->album_id = $album->id;
|
||||
$userActivity->save();
|
||||
}
|
||||
|
||||
/**
|
||||
* @param $id
|
||||
* @return Album
|
||||
|
@ -70,8 +70,31 @@ class UserController extends Controller
|
||||
$params = [];
|
||||
$params['user_name'] = $userName;
|
||||
$params['user_url'] = $userProfileUrl;
|
||||
|
||||
if (!is_null($activity->photo))
|
||||
{
|
||||
// Check the user has access
|
||||
if (!$this->getUser()->can('view', $activity->photo))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
$params['photo_name'] = $activity->photo->name;
|
||||
$params['photo_url'] = $activity->photo->url();
|
||||
}
|
||||
|
||||
if (!is_null($activity->album))
|
||||
{
|
||||
// Check the user has access
|
||||
if (!$this->getUser()->can('view', $activity->album))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
$params['album_name'] = $activity->album->name;
|
||||
$params['album_url'] = $activity->album->url();
|
||||
}
|
||||
|
||||
$newItem['params'] = $params;
|
||||
|
||||
$result[] = $newItem;
|
||||
@ -238,6 +261,7 @@ class UserController extends Controller
|
||||
$result = [];
|
||||
$activities = UserActivity::with('photo')
|
||||
->with('photoComment')
|
||||
->with('album')
|
||||
->where([
|
||||
'user_id' => $user->id
|
||||
])
|
||||
@ -261,8 +285,31 @@ class UserController extends Controller
|
||||
$params = [];
|
||||
$params['user_name'] = $userName;
|
||||
$params['user_url'] = $userProfileUrl;
|
||||
|
||||
if (!is_null($activity->photo))
|
||||
{
|
||||
// Check the user has access
|
||||
if (!$this->getUser()->can('view', $activity->photo))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
$params['photo_name'] = $activity->photo->name;
|
||||
$params['photo_url'] = $activity->photo->url();
|
||||
}
|
||||
|
||||
if (!is_null($activity->album))
|
||||
{
|
||||
// Check the user has access
|
||||
if (!$this->getUser()->can('view', $activity->album))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
$params['album_name'] = $activity->album->name;
|
||||
$params['album_url'] = $activity->album->url();
|
||||
}
|
||||
|
||||
$newItem['params'] = $params;
|
||||
|
||||
$result[] = $newItem;
|
||||
|
@ -83,4 +83,15 @@ class PhotoPolicy
|
||||
|
||||
return $user->can('post-comment', $photo->album);
|
||||
}
|
||||
|
||||
public function view(User $user, Photo $photo)
|
||||
{
|
||||
if ($user->id == $photo->user_id)
|
||||
{
|
||||
// The photo's owner can do everything
|
||||
return true;
|
||||
}
|
||||
|
||||
return $user->can('view', $photo->album);
|
||||
}
|
||||
}
|
||||
|
@ -8,6 +8,11 @@ class UserActivity extends Model
|
||||
{
|
||||
protected $table = 'user_activity';
|
||||
|
||||
public function album()
|
||||
{
|
||||
return $this->belongsTo(Album::class);
|
||||
}
|
||||
|
||||
public function photo()
|
||||
{
|
||||
return $this->belongsTo(Photo::class);
|
||||
|
@ -0,0 +1,39 @@
|
||||
<?php
|
||||
|
||||
use Illuminate\Support\Facades\Schema;
|
||||
use Illuminate\Database\Schema\Blueprint;
|
||||
use Illuminate\Database\Migrations\Migration;
|
||||
|
||||
class AddAlbumActivityColumn extends Migration
|
||||
{
|
||||
/**
|
||||
* Run the migrations.
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public function up()
|
||||
{
|
||||
Schema::table('user_activity', function (Blueprint $table)
|
||||
{
|
||||
$table->unsignedInteger('album_id')->nullable(true);
|
||||
|
||||
$table->foreign('album_id')
|
||||
->references('id')->on('albums')
|
||||
->onDelete('cascade');
|
||||
});
|
||||
}
|
||||
|
||||
/**
|
||||
* Reverse the migrations.
|
||||
*
|
||||
* @return void
|
||||
*/
|
||||
public function down()
|
||||
{
|
||||
Schema::table('user_activity', function (Blueprint $table)
|
||||
{
|
||||
$table->dropForeign('user_activity_album_id_foreign');
|
||||
$table->dropColumn('album_id');
|
||||
});
|
||||
}
|
||||
}
|
@ -181,6 +181,16 @@ function UserViewModel(urls)
|
||||
'<a href="' + data[i].params.photo_url + '">' + data[i].params.photo_name + '</a>'
|
||||
);
|
||||
}
|
||||
|
||||
// Album name
|
||||
if (data[i].params.album_name && data[i].params.album_url)
|
||||
{
|
||||
data[i].description = data[i].description
|
||||
.replace(
|
||||
':album_name',
|
||||
'<a href="' + data[i].params.album_url + '">' + data[i].params.album_name + '</a>'
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
self.feed_items = data;
|
||||
|
@ -93,6 +93,9 @@ return [
|
||||
'title' => 'My Activity Feed'
|
||||
],
|
||||
'user_feed_type' => [
|
||||
'album' => [
|
||||
'created' => ':user_name created the :album_name album.'
|
||||
],
|
||||
'photo' => [
|
||||
'comment_replied' => ':user_name replied to a comment on the :photo_name photo.',
|
||||
'commented' => ':user_name commented on the :photo_name photo.',
|
||||
|
Loading…
Reference in New Issue
Block a user