blue-twilight/app/Providers/AuthServiceProvider.php

<?php

namespace App\Providers;

use App\Album;
use App\Facade\UserConfig;
use App\Group;
use App\Permission;
use App\Photo;
use App\Policies\AlbumPolicy;
use App\Policies\PhotoPolicy;
use App\Policies\UserPolicy;
use App\User;
use function GuzzleHttp\Psr7\mimetype_from_extension;
use Illuminate\Support\Facades\Gate;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;

class AuthServiceProvider extends ServiceProvider
{
    /**
     * @var Permission[]
     */
    private $permissions;

    /**
     * The policy mappings for the application.
     *
     * @var array
     */
    protected $policies = [
        Album::class => AlbumPolicy::class,
        Photo::class => PhotoPolicy::class,
        User::class => UserPolicy::class
    ];

    /**
     * Register any authentication / authorization services.
     *
     * @return void
     */
    public function boot()
    {
        $this->registerPolicies();

        Gate::define('admin:access', function ($user)
        {
            return $this->userHasAdminPermission($user, 'access');
        });
        Gate::define('admin:configure', function ($user)
        {
            return $this->userHasAdminPermission($user, 'configure');
        });
        Gate::define('admin:manage-albums', function ($user)
        {
            return $this->userHasAdminPermission($user, 'manage-albums');
        });
        Gate::define('admin:manage-groups', function ($user)
        {
            return $this->userHasAdminPermission($user, 'manage-groups');
        });
        Gate::define('admin:manage-labels', function ($user)
        {
            return $this->userHasAdminPermission($user, 'manage-labels');
        });
        Gate::define('admin:manage-storage', function ($user)
        {
            return $this->userHasAdminPermission($user, 'manage-storage');
        });
        Gate::define('admin:manage-users', function ($user)
        {
            return $this->userHasAdminPermission($user, 'manage-users');
        });

        Gate::define('photo.download_original', function ($user, Photo $photo)
        {
            if (!UserConfig::get('restrict_original_download'))
            {
                return true;
            }

            return ($user->id == $photo->user_id);
        });

        Gate::define('photo.quick_upload', function($user)
        {
            $can = true;
            $can &= $this->userHasAdminPermission($user, 'access');
            $can &= $this->userHasAdminPermission($user, 'manage-albums');

            return $can;
        });

        Gate::define('statistics.public-access', function ($user)
        {
            return UserConfig::get('public_statistics') || !$user->isAnonymous();
        });
    }

    private function userHasAdminPermission(User $user, $permissionDescription)
    {
        if ($user->is_admin)
        {
            return true;
        }

        /** @var Group $group */
        foreach ($user->groups as $group)
        {
            if ($group->hasAdminPermission($group, $this->getAdminPermission($permissionDescription)))
            {
                return true;
            }
        }

        return false;
    }

    private function getAdminPermission($description)
    {
        if (is_null($this->permissions))
        {
            $this->permissions = Permission::where('section', 'admin')->get();
        }

        foreach ($this->permissions as $permission)
        {
            if (strtolower($permission->description) == strtolower($description))
            {
                return $permission;
            }
        }

        return null;
    }
}