Updated so permission effect admins more

Asset permissions can now be configured for admins.
joint_permissions will now effect admins more often.
Made so shelves header link will hide if you have no bookshelves view
permission.

diff --git a/app/Repos/PermissionsRepo.php b/app/Repos/PermissionsRepo.php
index 6f7ea1dc8f4284b950aa63cf2c0f2cf85ddd15eb..68c9270bec9ab54af7194ba9f9b58cb532f974a5 100644 (file)
--- a/app/Repos/PermissionsRepo.php
+++ b/app/Repos/PermissionsRepo.php
@@ -80,7 +80,7 @@ class PermissionsRepo
 
     /**
      * Updates an existing role.
 
     /**
      * Updates an existing role.

-     * Ensure Admin role always has all permissions.
+     * Ensure Admin role always have core permissions.

      * @param $roleId
      * @param $roleData
      * @throws PermissionsException
      * @param $roleId
      * @param $roleData
      * @throws PermissionsException


@@ -90,13 +90,18 @@ class PermissionsRepo
         $role = $this->role->findOrFail($roleId);
 
         $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];
         $role = $this->role->findOrFail($roleId);
 
         $permissions = isset($roleData['permissions']) ? array_keys($roleData['permissions']) : [];

-        $this->assignRolePermissions($role, $permissions);
-

         if ($role->system_name === 'admin') {
         if ($role->system_name === 'admin') {

-            $permissions = $this->permission->all()->pluck('id')->toArray();
-            $role->permissions()->sync($permissions);
+            $permissions = array_merge($permissions, [
+                'users-manage',
+                'user-roles-manage',
+                'restrictions-manage-all',
+                'restrictions-manage-own',
+                'settings-manage',
+            ]);

         }
 
         }
 

+        $this->assignRolePermissions($role, $permissions);
+

         $role->fill($roleData);
         $role->save();
         $this->permissionService->buildJointPermissionForRole($role);
         $role->fill($roleData);
         $role->save();
         $this->permissionService->buildJointPermissionForRole($role);

diff --git a/app/Services/PermissionService.php b/app/Services/PermissionService.php
index 13ec1d45baa5df3f9117a1ad1d7a93beb163e274..dade68290569d4ad5548cb7607dcaad73d5ff1c0 100644 (file)
--- a/app/Services/PermissionService.php
+++ b/app/Services/PermissionService.php
@@ -60,7 +60,6 @@ class PermissionService
         $this->book = $book;
         $this->chapter = $chapter;
         $this->page = $page;
         $this->book = $book;
         $this->chapter = $chapter;
         $this->page = $page;

-        // TODO - Update so admin still goes through filters

     }
 
     /**
     }
 
     /**


@@ -520,11 +519,6 @@ class PermissionService
      */
     public function checkOwnableUserAccess(Ownable $ownable, $permission)
     {
      */
     public function checkOwnableUserAccess(Ownable $ownable, $permission)
     {

-        if ($this->isAdmin()) {
-            $this->clean();
-            return true;
-        }
-

         $explodedPermission = explode('-', $permission);
 
         $baseQuery = $ownable->where('id', '=', $ownable->id);
         $explodedPermission = explode('-', $permission);
 
         $baseQuery = $ownable->where('id', '=', $ownable->id);


@@ -617,17 +611,16 @@ class PermissionService
         $query = $this->db->query()->select('*')->from($this->db->raw("({$pageSelect->toSql()} UNION {$chapterSelect->toSql()}) AS U"))
             ->mergeBindings($pageSelect)->mergeBindings($chapterSelect);
 
         $query = $this->db->query()->select('*')->from($this->db->raw("({$pageSelect->toSql()} UNION {$chapterSelect->toSql()}) AS U"))
             ->mergeBindings($pageSelect)->mergeBindings($chapterSelect);
 

-        if (!$this->isAdmin()) {
-            $whereQuery = $this->db->table('joint_permissions as jp')->selectRaw('COUNT(*)')
-                ->whereRaw('jp.entity_id=U.id')->whereRaw('jp.entity_type=U.entity_type')
-                ->where('jp.action', '=', 'view')->whereIn('jp.role_id', $this->getRoles())
-                ->where(function ($query) {
-                    $query->where('jp.has_permission', '=', 1)->orWhere(function ($query) {
-                        $query->where('jp.has_permission_own', '=', 1)->where('jp.created_by', '=', $this->currentUser()->id);
-                    });
+        // Add joint permission filter
+        $whereQuery = $this->db->table('joint_permissions as jp')->selectRaw('COUNT(*)')
+            ->whereRaw('jp.entity_id=U.id')->whereRaw('jp.entity_type=U.entity_type')
+            ->where('jp.action', '=', 'view')->whereIn('jp.role_id', $this->getRoles())
+            ->where(function ($query) {
+                $query->where('jp.has_permission', '=', 1)->orWhere(function ($query) {
+                    $query->where('jp.has_permission_own', '=', 1)->where('jp.created_by', '=', $this->currentUser()->id);

                 });
                 });

-            $query->whereRaw("({$whereQuery->toSql()}) > 0")->mergeBindings($whereQuery);
-        }
+            });
+        $query->whereRaw("({$whereQuery->toSql()}) > 0")->mergeBindings($whereQuery);

 
         $query->orderBy('draft', 'desc')->orderBy('priority', 'asc');
         $this->clean();
 
         $query->orderBy('draft', 'desc')->orderBy('priority', 'asc');
         $this->clean();


@@ -655,11 +648,6 @@ class PermissionService
             });
         }
 
             });
         }
 

-        if ($this->isAdmin()) {
-            $this->clean();
-            return $query;
-        }
-

         $this->currentAction = $action;
         return $this->entityRestrictionQuery($query);
     }
         $this->currentAction = $action;
         return $this->entityRestrictionQuery($query);
     }


@@ -675,10 +663,6 @@ class PermissionService
      */
     public function filterRestrictedEntityRelations($query, $tableName, $entityIdColumn, $entityTypeColumn, $action = 'view')
     {
      */
     public function filterRestrictedEntityRelations($query, $tableName, $entityIdColumn, $entityTypeColumn, $action = 'view')
     {

-        if ($this->isAdmin()) {
-            $this->clean();
-            return $query;
-        }

 
         $this->currentAction = $action;
         $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];
 
         $this->currentAction = $action;
         $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn, 'entityTypeColumn' => $entityTypeColumn];


@@ -711,11 +695,6 @@ class PermissionService
      */
     public function filterRelatedPages($query, $tableName, $entityIdColumn)
     {
      */
     public function filterRelatedPages($query, $tableName, $entityIdColumn)
     {

-        if ($this->isAdmin()) {
-            $this->clean();
-            return $query;
-        }
-

         $this->currentAction = 'view';
         $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn];
 
         $this->currentAction = 'view';
         $tableDetails = ['tableName' => $tableName, 'entityIdColumn' => $entityIdColumn];
 


@@ -740,19 +719,6 @@ class PermissionService
         return $q;
     }
 
         return $q;
     }
 

-    /**
-     * Check if the current user is an admin.
-     * @return bool
-     */
-    private function isAdmin()
-    {
-        if ($this->isAdminUser === null) {
-            $this->isAdminUser = ($this->currentUser()->id !== null) ? $this->currentUser()->hasSystemRole('admin') : false;
-        }
-
-        return $this->isAdminUser;
-    }
-

     /**
      * Get the current user
      * @return User
     /**
      * Get the current user
      * @return User

diff --git a/resources/lang/en/settings.php b/resources/lang/en/settings.php
index e2c2ede2ba2676c5166ed8eaab5199237831021d..80ab77d19f700740e261538f19d2c69f7f296cc4 100755 (executable)
--- a/resources/lang/en/settings.php
+++ b/resources/lang/en/settings.php
@@ -90,6 +90,7 @@ return [
     'role_manage_settings' => 'Manage app settings',
     'role_asset' => 'Asset Permissions',
     'role_asset_desc' => 'These permissions control default access to the assets within the system. Permissions on Books, Chapters and Pages will override these permissions.',
     'role_manage_settings' => 'Manage app settings',
     'role_asset' => 'Asset Permissions',
     'role_asset_desc' => 'These permissions control default access to the assets within the system. Permissions on Books, Chapters and Pages will override these permissions.',

+    'role_asset_admins' => 'Admins are automatically given access to all content but these options may show or hide UI options.',

     'role_all' => 'All',
     'role_own' => 'Own',
     'role_controlled_by_asset' => 'Controlled by the asset they are uploaded to',
     'role_all' => 'All',
     'role_own' => 'Own',
     'role_controlled_by_asset' => 'Controlled by the asset they are uploaded to',

diff --git a/resources/views/base.blade.php b/resources/views/base.blade.php
index 93ee6cdc6c85cb1f75dd108eccd702b7e9e07f9e..016f8e833e08cbbc9e9843e6a8684269c9bb5267 100644 (file)
--- a/resources/views/base.blade.php
+++ b/resources/views/base.blade.php
@@ -52,7 +52,9 @@
                             </form>
                         </div>
                         <div class="links text-center">
                             </form>
                         </div>
                         <div class="links text-center">

-                            <a href="{{ baseUrl('/shelves') }}">@icon('bookshelf'){{ trans('entities.shelves') }}</a>
+                            @if(userCan('bookshelf-view-all') || userCan('bookshelf-view-own'))
+                                <a href="{{ baseUrl('/shelves') }}">@icon('bookshelf'){{ trans('entities.shelves') }}</a>
+                            @endif

                             <a href="{{ baseUrl('/books') }}">@icon('book'){{ trans('entities.books') }}</a>
                             @if(signedInUser() && userCan('settings-manage'))
                                 <a href="{{ baseUrl('/settings') }}">@icon('settings'){{ trans('settings.settings') }}</a>
                             <a href="{{ baseUrl('/books') }}">@icon('book'){{ trans('entities.books') }}</a>
                             @if(signedInUser() && userCan('settings-manage'))
                                 <a href="{{ baseUrl('/settings') }}">@icon('settings'){{ trans('settings.settings') }}</a>

diff --git a/resources/views/settings/roles/form.blade.php b/resources/views/settings/roles/form.blade.php
index 44cdbb3c0d168aae3e98e33589da132717386c0d..619229a655067328ae4f088f745550ed1dbbd761 100644 (file)
--- a/resources/views/settings/roles/form.blade.php
+++ b/resources/views/settings/roles/form.blade.php
@@ -36,6 +36,10 @@
                     <h5>{{ trans('settings.role_asset') }}</h5>
                     <p>{{ trans('settings.role_asset_desc') }}</p>
 
                     <h5>{{ trans('settings.role_asset') }}</h5>
                     <p>{{ trans('settings.role_asset_desc') }}</p>
 

+                    @if (isset($role) && $role->system_name === 'admin')
+                        <p>{{ trans('settings.role_asset_admins') }}</p>
+                    @endif
+

                     <table class="table">
                         <tr>
                             <th width="20%"></th>
                     <table class="table">
                         <tr>
                             <th width="20%"></th>