BookStack Code Mirror - bookstack/blobdiff - app/Http/Controllers/UserApiTokenController.php

diff --git a/app/Http/Controllers/UserApiTokenController.php b/app/Http/Controllers/UserApiTokenController.php

index 3bfb0175ec513726f938beb24ff3d84396353265..55675233c38af9552175d69b0eccb561e0034080 100644 (file)

--- a/app/Http/Controllers/UserApiTokenController.php

+++ b/app/Http/Controllers/UserApiTokenController.php

@@ -17,7 +17,7 @@ class UserApiTokenController extends Controller

{

// Ensure user is has access-api permission and is the current user or has permission to manage the current user.

$this->checkPermission('access-api');

- $this->checkPermissionOrCurrentUser('manage-users', $userId);

+ $this->checkPermissionOrCurrentUser('users-manage', $userId);

$user = User::query()->findOrFail($userId);

return view('users.api-tokens.create', [

@@ -31,7 +31,7 @@ class UserApiTokenController extends Controller

public function store(Request $request, int $userId)

{

$this->checkPermission('access-api');

- $this->checkPermissionOrCurrentUser('manage-users', $userId);

+ $this->checkPermissionOrCurrentUser('users-manage', $userId);

$this->validate($request, [

'name' => 'required|max:250',

@@ -40,23 +40,23 @@ class UserApiTokenController extends Controller

$user = User::query()->findOrFail($userId);

$secret = Str::random(32);

- $expiry = $request->get('expires_at', (Carbon::now()->addYears(100))->format('Y-m-d'));

$token = (new ApiToken())->forceFill([

'name' => $request->get('name'),

- 'client_id' => Str::random(32),

- 'client_secret' => Hash::make($secret),

+ 'token_id' => Str::random(32),

+ 'secret' => Hash::make($secret),

'user_id' => $user->id,

- 'expires_at' => $expiry

+ 'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),

]);

- while (ApiToken::query()->where('client_id', '=', $token->client_id)->exists()) {

- $token->client_id = Str::random(32);

+ while (ApiToken::query()->where('token_id', '=', $token->token_id)->exists()) {

+ $token->token_id = Str::random(32);

}

$token->save();

- // TODO - Notification and activity?

+

session()->flash('api-token-secret:' . $token->id, $secret);

+ $this->showSuccessNotification(trans('settings.user_api_token_create_success'));

return redirect($user->getEditUrl('/api-tokens/' . $token->id));

}

@@ -87,9 +87,12 @@ class UserApiTokenController extends Controller

]);

[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);

+ $token->fill([

+ 'name' => $request->get('name'),

+ 'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),

+ ])->save();

- $token->fill($request->all())->save();

- // TODO - Notification and activity?

+ $this->showSuccessNotification(trans('settings.user_api_token_update_success'));

return redirect($user->getEditUrl('/api-tokens/' . $token->id));

}

@@ -113,7 +116,7 @@ class UserApiTokenController extends Controller

[$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);

$token->delete();

- // TODO - Notification and activity?, Might have text in translations already (user_api_token_delete_success)

+ $this->showSuccessNotification(trans('settings.user_api_token_delete_success'));

return redirect($user->getEditUrl('#api_tokens'));

}

@@ -124,8 +127,9 @@ class UserApiTokenController extends Controller

*/

protected function checkPermissionAndFetchUserToken(int $userId, int $tokenId): array

{

- $this->checkPermission('access-api');

- $this->checkPermissionOrCurrentUser('manage-users', $userId);

+ $this->checkPermissionOr('users-manage', function () use ($userId) {

+ return $userId === user()->id && userCan('access-api');

+ });

$user = User::query()->findOrFail($userId);

$token = ApiToken::query()->where('user_id', '=', $user->id)->where('id', '=', $tokenId)->firstOrFail();