From 773f504bccb819cdb5ca08b18ac029e940d63628 Mon Sep 17 00:00:00 2001
From: Betsy Castro <5490820+betsyecastro@users.noreply.github.com>
Date: Fri, 16 Aug 2024 08:18:11 -0500
Subject: [PATCH 1/3] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Restrict=20access?= =?UTF-8?q?=20to=20non-public=20profiles=20via=20API?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 app/Http/Controllers/ProfilesApiController.php | 13 +++----------
 app/Policies/ProfilePolicy.php | 6 +++++-
 resources/views/profiles/edit/information.blade.php | 2 +-
 3 files changed, 9 insertions(+), 12 deletions(-)
diff --git a/app/Http/Controllers/ProfilesApiController.php b/app/Http/Controllers/ProfilesApiController.php
index ccec910e..2c641d91 100644
--- a/app/Http/Controllers/ProfilesApiController.php
+++ b/app/Http/Controllers/ProfilesApiController.php
@@ -18,16 +18,17 @@ public function __construct()
 // Set the response Cache-Control headers
 $this->middleware('cache.headers:' . config('app.api_cache_control'));
+ $this->middleware('can:view,profile')->only('show');
 // CORS middleware is auto-applied to all API routes
 }
 /**
- * Get a listing of all Profiles.
+ * Get a listing of all public Profiles.
 */
 public function index(ProfilesApiRequest $request): JsonResponse
 {
 return Cache::tags(['profiles', 'profile_data', 'profile_tags'])->remember($request->fullUrl(), 3600, function() use ($request) {
- $profile = Profile::select(Profile::apiAttributes())->with(['media']);
+ $profile = Profile::select(Profile::apiAttributes())->with(['media'])->public();
 if ($request->filled('person')) {
 $profile = $profile->whereIn('slug', explode(';', $request->person));
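Review bot: The index response is still cached under `$request->fullUrl()` for 3600 seconds with the same tags as before, so entries cached before this change (for URLs that carried no `public` filter) can keep serving non-public profiles for up to an hour after deploy; flush the `profiles` tag as part of the rollout, or fold a version marker into the key, e.g. `->remember('v2:' . $request->fullUrl(), 3600, function() use ($request) {`. The `can:view,profile` middleware passes the policy whatever the route resolves as `profile`; if `show` looks the slug up manually instead of through route-model binding, the policy's `Profile $profile` type-hint would receive a string, which is worth confirming against the route definition (the same applies to the ProfilesController hunk in the second patch). The `public` query parameter is now ignored rather than rejected; if ProfilesApiRequest still validates it, consider dropping it there or documenting the change so API clients do not assume the filter still applies.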
@@ -53,14 +54,6 @@ public function index(ProfilesApiRequest $request): JsonResponse
 $profile = $profile->withAnyTags(explode(';', $request->tag), Profile::class);
 }
- if ($request->filled('public')) {
- if ($request->boolean('public')) {
- $profile = $profile->public();
- } elseif ((bool)$request->input('public') === false) {
- $profile = $profile->private();
- }
- }
-
 if ($request->boolean('with_data')) {
 if(count(array_filter($request->query())) <=1){
 return response()->json(['error' => 'Please use a filter when pulling data.'], 400);
diff --git a/app/Policies/ProfilePolicy.php b/app/Policies/ProfilePolicy.php
index 4e63222a..84a87bda 100644
--- a/app/Policies/ProfilePolicy.php
+++ b/app/Policies/ProfilePolicy.php
@@ -78,8 +78,12 @@ public function viewAdminIndex(User $user)
 * @param \App\Profile $profile
 * @return mixed
 */
- public function view(User $user, Profile $profile)
+ public function view(?User $user, Profile $profile)
 {
+ if (request()->is('api/*')) {
+ return $profile->public;
+ }
+
 return true;
 }
diff --git a/resources/views/profiles/edit/information.blade.php b/resources/views/profiles/edit/information.blade.php
index 9bd46a0a..26f8ed45 100644
--- a/resources/views/profiles/edit/information.blade.php
+++ b/resources/views/profiles/edit/information.blade.php
@@ -313,7 +313,7 @@ class="border-left ml-3"
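Review bot: Authorization in `view` now hinges on `request()->is('api/*')`, a path-pattern match on the current request, so any route not under `api/` — and any Gate check made from a job or console command where no API path exists — falls through to `return true`, and the restriction silently stops applying if the API prefix ever changes. Keying the branch on something the router guarantees, such as `request()->routeIs('api.*')` if the API routes are named, or a dedicated ability (e.g. `viewViaApi`) that only the API controller authorizes, would make the intent explicit and testable. Separately, `$profile->public` is returned as-is; `return (bool) $profile->public;` avoids depending on the attribute cast. Because the `can` middleware renders a deny as 403, a non-public slug is distinguishable from a nonexistent one through the public API; if enumeration of private slugs matters, denying as 404 (e.g. `Response::denyAsNotFound()` where the project's Laravel version supports it, or an `abort(404)` in `show`) closes that gap.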
-

Make profile viewable and searchable by website visitors. (If turned off, it will still be accessible via the public API and to site administrators.)

+

Make profile viewable and searchable by website visitors. (If turned off, it will still be accessible to site administrators.)

{!! Form::submit('Save', array('class' => 'btn btn-primary edit-button')) !!}
From 425e7fcf331aaf391bb2a99ec73b299179c981bd Mon Sep 17 00:00:00 2001
From: Betsy Castro <5490820+betsyecastro@users.noreply.github.com>
Date: Tue, 20 Aug 2024 15:21:43 -0500
Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Restrict=20access?= =?UTF-8?q?=20to=20non-public=20profiles=20(frontend=20context)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Non-public profiles can be viewed by site admin, profile owner, profiles editor, school profiles editor or department profiles editor.
---
 app/Http/Controllers/ProfilesController.php | 2 ++
 app/Policies/ProfilePolicy.php | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/app/Http/Controllers/ProfilesController.php b/app/Http/Controllers/ProfilesController.php
index b61a720f..34caee05 100644
--- a/app/Http/Controllers/ProfilesController.php
+++ b/app/Http/Controllers/ProfilesController.php
@@ -44,6 +44,8 @@ public function __construct()
 'updateImage',
 ]);
+ $this->middleware('can:view,profile')->only('show');
+
 $this->middleware('can:export,profile')->only('pdfExport');
 $this->middleware('can.create.profile')->only('create');
diff --git a/app/Policies/ProfilePolicy.php b/app/Policies/ProfilePolicy.php
index 84a87bda..ad4b42d8 100644
--- a/app/Policies/ProfilePolicy.php
+++ b/app/Policies/ProfilePolicy.php
@@ -84,7 +84,11 @@ public function view(?User $user, Profile $profile)
 return $profile->public;
 }
- return true;
+ return $profile->public ||
+ $user->hasRole(['site_admin', 'profiles_editor']) ||
+ $user->owns($profile, true) ||
+ $this->checkSchoolEditor($user, $profile) ||
+ $this->checkDepartmentEditor($user, $profile);
 }
 /**
From cd332e801126145d4764571841c26efef475f28a Mon Sep 17 00:00:00 2001
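Review bot: With `$user` nullable (`?User $user` in the hunk header, which is what lets the Gate invoke this method for guests), a guest requesting a non-public profile on a non-API route gets past `$profile->public ||` and hits `$user->hasRole(...)` on `null`, which raises an Error (a 500) instead of a clean deny. Guard before the role checks: `if ($user === null) { return (bool) $profile->public; }`. The role and editor helpers are not visible here, so whether `hasRole([...])` means any-of or all-of, and whether `checkSchoolEditor`/`checkDepartmentEditor` accept a null user, should be confirmed against their definitions. The start of `view` (the `api/*` branch) lies outside this hunk.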
From: Betsy Castro
Date: Fri, 25 Oct 2024 11:32:29 -0500
Subject: [PATCH 3/3] Corrects wording
---
 resources/views/profiles/edit/information.blade.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/resources/views/profiles/edit/information.blade.php b/resources/views/profiles/edit/information.blade.php
index 26f8ed45..422ebe09 100644
--- a/resources/views/profiles/edit/information.blade.php
+++ b/resources/views/profiles/edit/information.blade.php
@@ -313,7 +313,7 @@ class="border-left ml-3"
-

Make profile viewable and searchable by website visitors. (If turned off, it will still be accessible to site administrators.)

+

Make profile viewable and searchable by website visitors. If turned off, it will still be accessible to site administrators.

{!! Form::submit('Save', array('class' => 'btn btn-primary edit-button')) !!}