

Restrict access to non-public profiles (#160)
* 🔒️ Restrict access to non-public profiles via API

* 🔒️ Restrict access to non-public profiles (frontend context)

Non-public profiles can be viewed by site admin, profile owner, profiles editor, school profiles editor or department profiles editor.

* Corrects wording
betsyecastro authored Oct 25, 2024
1 parent f808d39 commit 8a8f21d
Showing 4 changed files with 16 additions and 13 deletions.
13 changes: 3 additions & 10 deletions app/Http/Controllers/ProfilesApiController.php
Expand Up @@ -18,16 +18,17 @@ public function __construct()
// Set the response Cache-Control headers
$this->middleware('cache.headers:' . config('app.api_cache_control'));

$this->middleware('can:view,profile')->only('show');
// CORS middleware is auto-applied to all API routes
}

/**
* Get a listing of all Profiles.
* Get a listing of all public Profiles.
*/
public function index(ProfilesApiRequest $request): JsonResponse
{
return Cache::tags(['profiles', 'profile_data', 'profile_tags'])->remember($request->fullUrl(), 3600, function() use ($request) {
$profile = Profile::select(Profile::apiAttributes())->with(['media']);
$profile = Profile::select(Profile::apiAttributes())->with(['media'])->public();

if ($request->filled('person')) {
$profile = $profile->whereIn('slug', explode(';', $request->person));
Expand All @@ -53,14 +54,6 @@ public function index(ProfilesApiRequest $request): JsonResponse
$profile = $profile->withAnyTags(explode(';', $request->tag), Profile::class);
}

if ($request->filled('public')) {
if ($request->boolean('public')) {
$profile = $profile->public();
} elseif ((bool)$request->input('public') === false) {
$profile = $profile->private();
}
}

if ($request->boolean('with_data')) {
if(count(array_filter($request->query())) <=1){
return response()->json(['error' => 'Please use a filter when pulling data.'], 400);
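Review bot: `Cache::tags([...])->remember($request->fullUrl(), 3600, ...)` returns whatever is already stored under that URL, so listings cached by the previous code (including ones built with `public=0`, which returned non-public profiles) keep being served for up to an hour after this deploys; flushing the `profiles` cache tags should be part of the release. Separately, `public` is no longer consumed here but still counts toward `count(array_filter($request->query())) <= 1`, so `?public=1&with_data=1` passes the "use a filter" check without narrowing the query — if ProfilesApiRequest still accepts that parameter it is worth dropping from its rules. The docblock could record the change: `* Non-public profiles are never returned; the former 'public' filter is ignored.` index() continues past the end of the hunk.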
2 changes: 2 additions & 0 deletions app/Http/Controllers/ProfilesController.php
Expand Up @@ -44,6 +44,8 @@ public function __construct()
'updateImage',
]);

$this->middleware('can:view,profile')->only('show');

$this->middleware('can:export,profile')->only('pdfExport');

$this->middleware('can.create.profile')->only('create');
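--- a/app/Policies/ProfilePolicy.php
+++ b/app/Policies/ProfilePolicy.php
@@ -78,9 +78,17 @@ public function viewAdminIndex(User $user)
 * @param \App\Profile $profile
 * @return mixed
 */
-public function view(User $user, Profile $profile)
+public function view(?User $user, Profile $profile)
 {
-return true;
+if (request()->is('api/*')) {
+return $profile->public;
+}
+
+return $profile->public ||
+$user->hasRole(['site_admin', 'profiles_editor']) ||
+$user->owns($profile, true) ||
+$this->checkSchoolEditor($user, $profile) ||
+$this->checkDepartmentEditor($user, $profile);
 }
 
 /**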
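Review bot: Changing the parameter to `?User $user` makes Laravel's gate call this policy for unauthenticated visitors as well, and for a non-public profile the frontend branch then evaluates `$user->hasRole(...)` on null, so a guest gets a 500 instead of a 403; guard the role checks with `return $profile->public || ($user !== null && ($user->hasRole(['site_admin', 'profiles_editor']) || $user->owns($profile, true) || $this->checkSchoolEditor($user, $profile) || $this->checkDepartmentEditor($user, $profile)));`. The same applies inside checkSchoolEditor and checkDepartmentEditor if they dereference `$user`; their bodies are outside the hunk. The `request()->is('api/*')` test ties authorization to the URL prefix, so if the API routes were ever mounted elsewhere the API branch would silently fall through to the role-based rules — a comment stating that dependency is worth adding, e.g. `// API callers (routes under /api) never see non-public profiles, regardless of role.`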
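--- a/resources/views/profiles/edit/information.blade.php
+++ b/resources/views/profiles/edit/information.blade.php
@@ -313,7 +313,7 @@ class="border-left ml-3"
 </div>
 </div>
 <div class="col col-12 col-xl-5">
-<p class="text-muted">Make profile viewable and searchable by website visitors. (If turned off, it will still be accessible via the public API and to site administrators.)</p>
+<p class="text-muted">Make profile viewable and searchable by website visitors. If turned off, it will still be accessible to site administrators.</p>
 </div>
 </fieldset>
 {!! Form::submit('Save', array('class' => 'btn btn-primary edit-button')) !!}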
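Review bot: The new help text says a non-public profile stays accessible only to site administrators, but the commit description (and ProfilePolicy::view) also grant the profile owner, profiles editors and school/department profiles editors, so the hint understates who can still view it. Suggest `If turned off, it will still be accessible to site administrators, profile editors and the profile owner.`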

