From 50b4ebda71d044cba8c994c2ee2c682d1d4ede75 Mon Sep 17 00:00:00 2001 From: "m.zargarov" Date: Sat, 22 Jun 2024 23:59:16 +0400 Subject: [PATCH] add authoriztion --- app/Http/Controllers/GradeController.php | 29 ++++++++++- .../Controllers/GradeSubjectController.php | 1 - .../Controllers/GradeTeacherController.php | 1 - app/Http/Controllers/LessonController.php | 29 ++++++++++- app/Http/Controllers/ScoreController.php | 1 - app/Http/Controllers/StudentController.php | 29 ++++++++++- app/Http/Controllers/SubjectController.php | 26 ++++++++-- .../Controllers/SubjectTeacherController.php | 1 - app/Http/Controllers/TeacherController.php | 29 ++++++++++- app/Http/Middleware/AdminAction.php | 26 ++++++++++ app/Http/Middleware/TeacherAction.php | 26 ++++++++++ app/Policies/GradePolicy.php | 51 ++++++++++++++++++ app/Policies/LessonPolicy.php | 52 +++++++++++++++++++ app/Policies/StudentPolicy.php | 50 ++++++++++++++++++ app/Policies/SubjectPolicy.php | 34 ++++++++++++ app/Policies/TeacherPolicy.php | 51 ++++++++++++++++++ app/Services/SubjectService.php | 24 +++++++++ routes/web.php | 16 ++++-- 18 files changed, 460 insertions(+), 16 deletions(-) create mode 100644 app/Http/Middleware/AdminAction.php create mode 100644 app/Http/Middleware/TeacherAction.php create mode 100644 app/Policies/GradePolicy.php create mode 100644 app/Policies/LessonPolicy.php create mode 100644 app/Policies/StudentPolicy.php create mode 100644 app/Policies/SubjectPolicy.php create mode 100644 app/Policies/TeacherPolicy.php create mode 100644 app/Services/SubjectService.php diff --git a/app/Http/Controllers/GradeController.php b/app/Http/Controllers/GradeController.php index 0c94466..13f4f72 100644 --- a/app/Http/Controllers/GradeController.php +++ b/app/Http/Controllers/GradeController.php @@ -4,7 +4,6 @@ namespace App\Http\Controllers; use App\Http\Requests\GradePostRequest; use App\Models\Grade; -use App\Services\ServiceInterface; use Illuminate\Http\RedirectResponse; use Illuminate\View\View; 
@@ -15,6 +14,10 @@ class GradeController extends Controller */ public function index(): View { + if(request()->user()->cannot('viewAny', Grade::class)) { + abort(403); + } + return view('grades.index', [ 'grades' => Grade::filter()->paginate(5)->withQueryString(), ]); @@ -25,6 +28,10 @@ class GradeController extends Controller */ public function create(): View { + if(request()->user()->cannot('create', Grade::class)) { + abort(403); + } + return view('grades.create'); } @@ -33,6 +40,10 @@ class GradeController extends Controller */ public function store(GradePostRequest $request): RedirectResponse { + if(request()->user()->cannot('create', Grade::class)) { + abort(403); + } + return redirect()->route('grades.show', Grade::create($request->validated())); } @@ -41,6 +52,10 @@ class GradeController extends Controller */ public function show(Grade $grade): View { + if(request()->user()->cannot('view', $grade)) { + abort(403); + } + return view('grades.show', [ 'grade' => $grade, 'subjects' => $grade->subjects, @@ -52,6 +67,10 @@ class GradeController extends Controller */ public function edit(Grade $grade): View { + if(request()->user()->cannot('update', Grade::class)) { + abort(403); + } + return view('grades.edit', [ 'grade' => $grade, ]); @@ -62,6 +81,10 @@ class GradeController extends Controller */ public function update(GradePostRequest $request, Grade $grade): RedirectResponse { + if(request()->user()->cannot('update', Grade::class)) { + abort(403); + } + return redirect()->route('grades.show', $grade->update($request->validated())); } @@ -70,6 +93,10 @@ class GradeController extends Controller */ public function destroy(Grade $grade): RedirectResponse { + if(request()->user()->cannot('delete', Grade::class)) { + abort(403); + } + $grade->delete(); return redirect()->route('grades.index'); diff --git a/app/Http/Controllers/GradeSubjectController.php b/app/Http/Controllers/GradeSubjectController.php index d7ee45d..0d8a69a 100644 
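Review bot: In `edit`, `update` and `destroy` the guard passes `Grade::class` to `cannot('update', …)` and `cannot('delete', …)`, but `GradePolicy::update(User $user, Grade $grade)` and `delete` take a model instance; the Gate drops a leading class-string argument before calling the policy method, so the policy is invoked without its `$grade` and the request errors out instead of being authorized. `show` already does it correctly with `cannot('view', $grade)`; the three checks should read `if (request()->user()->cannot('update', $grade)) {` and `if (request()->user()->cannot('delete', $grade)) {`. Today this surfaces as a server error rather than a bypass, but any ownership logic later added to the policy would silently never see the grade.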
--- a/app/Http/Controllers/GradeSubjectController.php +++ b/app/Http/Controllers/GradeSubjectController.php @@ -5,7 +5,6 @@ namespace App\Http\Controllers; use App\Http\Requests\GradeSubjectPostRequest; use App\Models\Grade; use App\Models\Subject; -use App\Services\ServiceInterface; use Illuminate\Http\RedirectResponse; use Illuminate\View\View; diff --git a/app/Http/Controllers/GradeTeacherController.php b/app/Http/Controllers/GradeTeacherController.php index 64e6bd2..0e20ad5 100644 --- a/app/Http/Controllers/GradeTeacherController.php +++ b/app/Http/Controllers/GradeTeacherController.php @@ -6,7 +6,6 @@ use App\Http\Requests\GradeTeacherPostRequest; use App\Models\Grade; use App\Models\Subject; use App\Models\Teacher; -use App\Services\ServiceInterface; use Illuminate\Http\RedirectResponse; use Illuminate\View\View; diff --git a/app/Http/Controllers/LessonController.php b/app/Http/Controllers/LessonController.php index f9dec72..3d109c3 100644 --- a/app/Http/Controllers/LessonController.php +++ b/app/Http/Controllers/LessonController.php @@ -7,7 +7,6 @@ use App\Enums\TypeLesson; use App\Http\Requests\LessonPostRequest; use App\Models\Grade; use App\Models\Lesson; -use App\Services\ServiceInterface; use Illuminate\Http\RedirectResponse; use Illuminate\View\View; @@ -25,6 +24,10 @@ class LessonController extends Controller */ public function index(Grade $grade): View { + if(request()->user()->cannot('viewAny', $grade)) { + abort(403); + } + return view('grade-lesson.index', [ 'lessons' => $grade->lessons()->filter()->get(), 'grade' => $grade, @@ -37,6 +40,10 @@ class LessonController extends Controller */ public function create(Grade $grade): View { + if(request()->user()->cannot('create', Lesson::class)) { + abort(403); + } + return view('grade-lesson.create', [ 'types' => TypeLesson::cases(), 'grade' => $grade, 
@@ -48,6 +55,10 @@ class LessonController extends Controller */ public function store(LessonPostRequest $request, Grade $grade): RedirectResponse { + if(request()->user()->cannot('create', [Lesson::class, $grade])) { + abort(403); + } + $lesson = Lesson::create($request->validated()); $lesson ->students() @@ -66,6 +77,10 @@ class LessonController extends Controller */ public function show(Grade $grade, Lesson $lesson): View { + if(request()->user()->cannot('view', $lesson)) { + abort(403); + } + return view('grade-lesson.show', [ 'lesson' => $lesson, 'grade' => $grade, @@ -77,6 +92,10 @@ class LessonController extends Controller */ public function edit(Grade $grade, Lesson $lesson): View { + if(request()->user()->cannot('update', $lesson)) { + abort(403); + } + return view('grade-lesson.edit', [ 'lesson' => $lesson, 'grade' => $grade, @@ -89,6 +108,10 @@ class LessonController extends Controller */ public function update(LessonPostRequest $request, Grade $grade, Lesson $lesson): RedirectResponse { + if(request()->user()->cannot('update', $lesson)) { + abort(403); + } + return redirect()->route( 'grades.lessons.show',[ $grade, @@ -102,6 +125,10 @@ class LessonController extends Controller */ public function destroy(Grade $grade, Lesson $lesson): RedirectResponse { + if(request()->user()->cannot('update', $lesson)) { + abort(403); + } + $lesson->delete(); return redirect()->route('grades.lessons.index', $grade); diff --git a/app/Http/Controllers/ScoreController.php b/app/Http/Controllers/ScoreController.php index 4bc97af..e6eb4f0 100644 --- a/app/Http/Controllers/ScoreController.php +++ b/app/Http/Controllers/ScoreController.php @@ -5,7 +5,6 @@ namespace App\Http\Controllers; use App\Enums\ScoreEnum; use App\Models\Lesson; use App\Services\ScoreService; -use App\Services\ServiceInterface; use Illuminate\Http\Request; class ScoreController extends Controller 
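Review bot: `index` calls `cannot('viewAny', $grade)`, and since the Gate selects the policy from the model class of the first argument this resolves `GradePolicy::viewAny`, not `LessonPolicy::viewAny(User $user, Grade $grade)`; `GradePolicy::viewAny` denies every student, so the per-grade allowance written into `LessonPolicy` is unreachable from this route. Name the lesson class explicitly, `if (request()->user()->cannot('viewAny', [Lesson::class, $grade])) {`, the way `store` already does with `[Lesson::class, $grade]`. Separately, `destroy` checks `update` although `LessonPolicy` defines `delete`; use `cannot('delete', $lesson)` so the ability matches the action, as `StudentController::destroy` does.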
diff --git a/app/Http/Controllers/StudentController.php b/app/Http/Controllers/StudentController.php index 5217ca6..f0fd10b 100644 --- a/app/Http/Controllers/StudentController.php +++ b/app/Http/Controllers/StudentController.php @@ -5,7 +5,6 @@ namespace App\Http\Controllers; use App\Http\Requests\StudentPostRequest; use App\Models\Grade; use App\Models\Student; -use App\Services\ServiceInterface; use App\Services\StudentService; use Illuminate\Http\RedirectResponse; use Illuminate\View\View; @@ -22,6 +21,10 @@ class StudentController extends Controller */ public function index(): View { + if(request()->user()->cannot('viewAny', Student::class)) { + abort(403); + } + return view('students.index', [ 'students' => Student::filter()->paginate(5)->withQueryString(), ]); @@ -32,6 +35,10 @@ class StudentController extends Controller */ public function create(): View { + if(request()->user()->cannot('create', Student::class)) { + abort(403); + } + return view('students.create', [ 'grades' => Grade::all(), ]); @@ -42,6 +49,10 @@ class StudentController extends Controller */ public function store(StudentPostRequest $request): RedirectResponse { + if(request()->user()->cannot('create', Student::class)) { + abort(403); + } + return redirect()->route( 'students.show', $this->service->create($request->validated()) @@ -53,6 +64,10 @@ class StudentController extends Controller */ public function show(Student $student): View { + if(request()->user()->cannot('view', $student)) { + abort(403); + } + return view('students.show', [ 'student' => $student, 'grades' => Grade::all(), @@ -64,6 +79,10 @@ class StudentController extends Controller */ public function edit(Student $student): View { + if(request()->user()->cannot('update', $student)) { + abort(403); + } + return view('students.edit', [ 'student' => $student, 'grades' => Grade::all(), 
@@ -75,6 +94,10 @@ class StudentController extends Controller */ public function update(StudentPostRequest $request, Student $student): RedirectResponse { + if(request()->user()->cannot('update', $student)) { + abort(403); + } + return redirect()->route( 'students.show', $this->service->update($student, $request->validated()) @@ -86,6 +109,10 @@ class StudentController extends Controller */ public function destroy(Student $student): RedirectResponse { + if(request()->user()->cannot('delete', $student)) { + abort(403); + } + $student->user()->delete(); $student->delete(); diff --git a/app/Http/Controllers/SubjectController.php b/app/Http/Controllers/SubjectController.php index 1e7733d..57cba13 100644 --- a/app/Http/Controllers/SubjectController.php +++ b/app/Http/Controllers/SubjectController.php @@ -4,7 +4,7 @@ namespace App\Http\Controllers; use App\Http\Requests\SubjectPostRequest; use App\Models\Subject; -use App\Services\ServiceInterface; +use App\Services\SubjectService; use Illuminate\Http\RedirectResponse; use Illuminate\View\View; @@ -13,10 +13,10 @@ class SubjectController extends Controller /** * Display a listing of the resource. */ - public function index(): View + public function index(SubjectService $service): View { return view('subjects.index', [ - 'subjects' => Subject::filter()->paginate(5)->withQueryString(), + 'subjects' => $service->getSubjects(), ]); } @@ -25,6 +25,10 @@ class SubjectController extends Controller */ public function create(): View { + if(request()->user()->cannot('create', Subject::class)) { + abort(403); + } + return view('subjects.create'); } @@ -33,6 +37,10 @@ class SubjectController extends Controller */ public function store(SubjectPostRequest $request): RedirectResponse { + if(request()->user()->cannot('create', Subject::class)) { + abort(403); + } + return redirect()->route( 'subjects.show', Subject::create($request->validated()), 
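Review bot: Each action repeats the three-line `if (request()->user()->cannot(…)) { abort(403); }` block; if the base `Controller` uses the `AuthorizesRequests` trait (the default up to Laravel 10, opt-in in 11), `$this->authorize('create', Student::class)` and `$this->authorize('update', $student)` perform the same check and throw an `AuthorizationException` rendered as 403, collapsing every guard to one line. The ability/argument pairing here is right (class for `viewAny`/`create`, instance for `view`/`update`/`delete`). What these guards actually enforce is decided entirely by `StudentPolicy`, so that policy's rules have to be read together with this controller.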
@@ -54,6 +62,10 @@ class SubjectController extends Controller */ public function edit(Subject $subject): View { + if(request()->user()->cannot('update', $subject)) { + abort(403); + } + return view('subjects.edit', [ 'subject' => $subject, ]); @@ -64,6 +76,10 @@ class SubjectController extends Controller */ public function update(SubjectPostRequest $request, Subject $subject): RedirectResponse { + if(request()->user()->cannot('update', $subject)) { + abort(403); + } + return redirect()->route( 'subjects.show', $subject->update($request->validated()) @@ -75,6 +91,10 @@ class SubjectController extends Controller */ public function destroy(Subject $subject): RedirectResponse { + if(request()->user()->cannot('delete', $subject)) { + abort(403); + } + $subject->delete(); return redirect()->route('subjects.index'); diff --git a/app/Http/Controllers/SubjectTeacherController.php b/app/Http/Controllers/SubjectTeacherController.php index efa3299..880ce4b 100644 --- a/app/Http/Controllers/SubjectTeacherController.php +++ b/app/Http/Controllers/SubjectTeacherController.php @@ -5,7 +5,6 @@ namespace App\Http\Controllers; use App\Http\Requests\SubjectTeacherPostRequest; use App\Models\Subject; use App\Models\Teacher; -use App\Services\ServiceInterface; use Illuminate\Http\RedirectResponse; use Illuminate\View\View; diff --git a/app/Http/Controllers/TeacherController.php b/app/Http/Controllers/TeacherController.php index edaa9e0..13fa149 100644 --- a/app/Http/Controllers/TeacherController.php +++ b/app/Http/Controllers/TeacherController.php @@ -4,7 +4,6 @@ namespace App\Http\Controllers; use App\Http\Requests\TeacherPostRequest; use App\Models\Teacher; -use App\Services\ServiceInterface; use App\Services\TeacherService; use Illuminate\Http\RedirectResponse; use Illuminate\View\View; 
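Review bot: `index` is the only listing in this change without a policy check; it relies on `SubjectService::getSubjects()` to narrow results for students, but `show` is untouched by the diff and `SubjectPolicy` declares no `view` ability, so a student can presumably still open `subjects/{subject}` for a subject outside their grade by guessing the id, which makes the listing filter presentation rather than authorization. If out-of-grade subjects are meant to be hidden, add `view(User $user, Subject $subject)` to the policy using the same grade-membership test the service applies and check it in `show`. If they are not, a comment on `index` such as `// Students see only their grade's subjects; this is a convenience filter, not an access boundary` would stop the next reader assuming otherwise.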
@@ -21,6 +20,10 @@ class TeacherController extends Controller */ public function index(): View { + if(request()->user()->cannot('viewAny', Teacher::class)) { + abort(403); + } + return view('teachers.index', [ 'teachers' => Teacher::filter()->paginate(5)->withQueryString(), ]); @@ -31,6 +34,10 @@ class TeacherController extends Controller */ public function create(): View { + if(request()->user()->cannot('create', Teacher::class)) { + abort(403); + } + return view('teachers.create'); } @@ -39,6 +46,10 @@ class TeacherController extends Controller */ public function store(TeacherPostRequest $request): RedirectResponse { + if(request()->user()->cannot('create', Teacher::class)) { + abort(403); + } + return redirect()->route( 'teachers.show', $this->service->create($request->validated()) @@ -50,6 +61,10 @@ class TeacherController extends Controller */ public function show(Teacher $teacher): View { + if(request()->user()->cannot('view', $teacher)) { + abort(403); + } + return view('teachers.show', [ 'teacher' => $teacher, 'subjects' => $teacher->subjects, @@ -61,6 +76,10 @@ class TeacherController extends Controller */ public function edit(Teacher $teacher): View { + if(request()->user()->cannot('update', $teacher)) { + abort(403); + } + return view('teachers.edit', [ 'teacher' => $teacher, ]); @@ -71,6 +90,10 @@ class TeacherController extends Controller */ public function update(TeacherPostRequest $request, Teacher $teacher): RedirectResponse { + if(request()->user()->cannot('update', $teacher)) { + abort(403); + } + return redirect()->route( 'teachers.show', $this->service->update($teacher, $request->validated()) @@ -82,6 +105,10 @@ class TeacherController extends Controller */ public function destroy(Teacher $teacher): RedirectResponse { + if(request()->user()->cannot('update', $teacher)) { + abort(403); + } + $teacher->user()->delete(); $teacher->delete(); 
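Review bot: `destroy` guards with `cannot('update', $teacher)` even though `TeacherPolicy` defines a dedicated `delete` ability and `StudentController::destroy` checks `delete`; the result is the same today because both abilities are admin-only, but a later tightening of `delete` would not apply here. Change it to `if (request()->user()->cannot('delete', $teacher)) {`. Note also that `show` depends on `TeacherPolicy::view`, whose rule as written admits only `Teacher` accounts, so the admin who can list, create and edit teachers is refused their detail page; that inconsistency sits in the policy rather than in this controller.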
diff --git a/app/Http/Middleware/AdminAction.php b/app/Http/Middleware/AdminAction.php new file mode 100644 index 0000000..804f3d3 --- /dev/null +++ b/app/Http/Middleware/AdminAction.php @@ -0,0 +1,26 @@ +userable_type != Admin::class) { + abort(403); + } + + return $next($request); + } +} diff --git a/app/Http/Middleware/TeacherAction.php b/app/Http/Middleware/TeacherAction.php new file mode 100644 index 0000000..d3581cf --- /dev/null +++ b/app/Http/Middleware/TeacherAction.php @@ -0,0 +1,26 @@ +userable_type != Student::class) { + abort(403); + } + + return $next($request); + } +} diff --git a/app/Policies/GradePolicy.php b/app/Policies/GradePolicy.php new file mode 100644 index 0000000..8c63ca2 --- /dev/null +++ b/app/Policies/GradePolicy.php @@ -0,0 +1,51 @@ +userable_type != Student::class; + } + + /** + * Determine whether the user can view the model. + */ + public function view(User $user, Grade $grade): bool + { + return $user->userable_type != Student::class; + } + + /** + * Determine whether the user can create models. + */ + public function create(User $user): bool + { + return $user->userable_type == Admin::class; + } + + /** + * Determine whether the user can update the model. + */ + public function update(User $user, Grade $grade): bool + { + return $user->userable_type == Admin::class; + } + + /** + * Determine whether the user can delete the model. + */ + public function delete(User $user, Grade $grade): bool + { + return $user->userable_type == Admin::class; + } +} diff --git a/app/Policies/LessonPolicy.php b/app/Policies/LessonPolicy.php new file mode 100644 index 0000000..14d8503 --- /dev/null +++ b/app/Policies/LessonPolicy.php 
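Review bot: `TeacherAction` rejects only `userable_type != Student::class`, so it admits admins as well as teachers; if that is intended, the name and a comment should say so (`// any non-student account: teachers and admins`), otherwise compare against `Teacher::class` the way `AdminAction` compares against `Admin::class`. Either way the middleware establishes a role only: the `lessons/{lesson}/scores` routes it protects get no check that the teacher actually teaches that lesson, so unless `ScoreController` (not in this diff) enforces it, any teacher can read or rewrite any lesson's scores. Prefer `!==` for the class-string comparison as well. The opening of both middleware files is garbled in this copy, so the `handle` signatures and any null-user handling could not be reviewed.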
@@ -0,0 +1,52 @@ +userable_type != Student::class || $user->userable->grade_id == $grade->id; + } + + /** + * Determine whether the user can view the model. + */ + public function view(User $user, Lesson $lesson): bool + { + return $user->userable_type != Student::class || $user->userable->grade_id == $lesson->grade_id; + } + + /** + * Determine whether the user can create models. + */ + public function create(User $user): bool + { + return $user->userable_type == Admin::class; + } + + /** + * Determine whether the user can update the model. + */ + public function update(User $user, Lesson $lesson): bool + { + return $user->userable_type == Admin::class; + } + + /** + * Determine whether the user can delete the model. + */ + public function delete(User $user, Lesson $lesson): bool + { + return $user->userable_type == Admin::class; + } +} diff --git a/app/Policies/StudentPolicy.php b/app/Policies/StudentPolicy.php new file mode 100644 index 0000000..b30c231 --- /dev/null +++ b/app/Policies/StudentPolicy.php @@ -0,0 +1,50 @@ +userable_type != Student::class; + } + + /** + * Determine whether the user can view the model. + */ + public function view(User $user, Student $student): bool + { + return $user->userable_type != Student::class; + } + + /** + * Determine whether the user can create models. + */ + public function create(User $user): bool + { + return $user->userable_type != Admin::class; + } + + /** + * Determine whether the user can update the model. + */ + public function update(User $user, Student $student): bool + { + return $user->userable_type != Admin::class; + } + + /** + * Determine whether the user can delete the model. + */ + public function delete(User $user, Student $student): bool + { + return $user->userable_type != Admin::class; + } +} diff --git a/app/Policies/SubjectPolicy.php b/app/Policies/SubjectPolicy.php new file mode 100644 index 0000000..d62acbb --- /dev/null +++ b/app/Policies/SubjectPolicy.php 
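Review bot: `create`, `update` and `delete` in `StudentPolicy` return `$user->userable_type != Admin::class`, the inverse of every other policy in this change (`GradePolicy`, `TeacherPolicy` and `SubjectPolicy` all use `== Admin::class`): as written, students and teachers may create, edit and delete student records while the admin is the one account that cannot. Unless that is deliberate, flip all three to `return $user->userable_type == Admin::class;`. Because `StudentController::destroy` also deletes the linked `User`, the current rule lets any student account remove other students' logins.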
@@ -0,0 +1,34 @@ +userable_type == Admin::class; + } + + /** + * Determine whether the user can update the model. + */ + public function update(User $user, Subject $subject): bool + { + return $user->userable_type == Admin::class; + } + + /** + * Determine whether the user can delete the model. + */ + public function delete(User $user, Subject $subject): bool + { + return $user->userable_type == Admin::class; + } +} diff --git a/app/Policies/TeacherPolicy.php b/app/Policies/TeacherPolicy.php new file mode 100644 index 0000000..ac37cca --- /dev/null +++ b/app/Policies/TeacherPolicy.php @@ -0,0 +1,51 @@ +userable_type != Student::class; + } + + /** + * Determine whether the user can view the model. + */ + public function view(User $user, Teacher $teacher): bool + { + return $user->userable_type == Teacher::class; + } + + /** + * Determine whether the user can create models. + */ + public function create(User $user): bool + { + return $user->userable_type == Admin::class; + } + + /** + * Determine whether the user can update the model. + */ + public function update(User $user, Teacher $teacher): bool + { + return $user->userable_type == Admin::class; + } + + /** + * Determine whether the user can delete the model. + */ + public function delete(User $user, Teacher $teacher): bool + { + return $user->userable_type == Admin::class; + } +} diff --git a/app/Services/SubjectService.php b/app/Services/SubjectService.php new file mode 100644 index 0000000..854de9f --- /dev/null +++ b/app/Services/SubjectService.php @@ -0,0 +1,24 @@ +userable_type == Student::class) { + $student = Auth::user()->userable; + + return Subject::whereIn('id', $student->grade->subjects->pluck('id')) + ->filter() + ->paginate(5) + ->withQueryString(); + } + + return Subject::filter()->paginate(5)->withQueryString(); + } +} diff --git a/routes/web.php b/routes/web.php index 88ba507..97b6bfb 100644 --- a/routes/web.php +++ b/routes/web.php 
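Review bot: `TeacherPolicy::view` returns `$user->userable_type == Teacher::class` while `viewAny` returns `!= Student::class`, so the admin can list, create, update and delete teachers but is refused on `teachers/{teacher}`, and every teacher may open every other teacher's page. The pattern in the neighbouring policies suggests `return $user->userable_type != Student::class;` was intended. If teachers are meant to see only themselves, add an ownership clause comparing the user's morph id to `$teacher->id` (column name assumed, confirm against the `User` model) rather than relying on the role alone.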
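Review bot: `SubjectService::getSubjects()` reads the current account through the `Auth` facade instead of taking the `User` as a parameter, which hides its dependency and makes the branch hard to test without a logged-in session; `getSubjects(User $user)` with the controller passing `$request->user()` keeps the same behaviour. The student branch also loads the grade and all of its subjects into memory just to `pluck('id')` for a `whereIn`; if `Subject` has an inverse `grades` relation (implied by `$grade->subjects` in `GradeController`), a `whereHas` keeps the membership test in the database. A short docblock stating that students receive only their grade's subjects and all other roles receive every subject would document the intent.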
@@ -1,6 +1,8 @@ group(function () { 'grades.lessons' => LessonController::class, ]); - Route::resource('teachers.subjects', SubjectTeacherController::class)->except('index'); - Route::resource('teachers.subjects.grades', GradeTeacherController::class)->except('index', 'show'); - Route::resource('grades.subjects', GradeSubjectController::class)->except('index', 'show'); - Route::get('lessons/{lesson}/scores', [ScoreController::class, 'show'])->name('lessons.scores.show'); - Route::put('lessons/{lesson}/scores', [ScoreController::class, 'update'])->name('lessons.scores.update'); + Route::middleware([AdminAction::class])->group(function () { + Route::resource('teachers.subjects', SubjectTeacherController::class)->except('index'); + Route::resource('teachers.subjects.grades', GradeTeacherController::class)->except('index', 'show'); + Route::resource('grades.subjects', GradeSubjectController::class)->except('index', 'show'); + }); + Route::middleware([TeacherAction::class])->group(function () { + Route::get('lessons/{lesson}/scores', [ScoreController::class, 'show'])->name('lessons.scores.show'); + Route::put('lessons/{lesson}/scores', [ScoreController::class, 'update'])->name('lessons.scores.update'); + }); }); require __DIR__.'/auth.php';