fix map-info-box display (#1104)

* fix map-info-box display * Check user on PIREP show/edit/update/submit * add missing use * refactoring according to comments; use UpdatePirepRequest for authorization and make user available to view Co-authored-by: Andreas Palm <ap@ewsp.de> Co-authored-by: Nabeel S <nabeelio@users.noreply.github.com>
2021-03-28 15:57:16 +02:00 · 2021-03-28 15:57:16 +02:00 · 1e320835c2
commit 1e320835c2
parent d4c301a36c
5 changed files with 21 additions and 3 deletions
--- a/app/Http/Controllers/Frontend/PirepController.php
+++ b/app/Http/Controllers/Frontend/PirepController.php
@ -3,6 +3,7 @@
 namespace App\Http\Controllers\Frontend;

 use App\Contracts\Controller;
+use App\Exceptions\Unauthorized;
 use App\Http\Requests\CreatePirepRequest;
 use App\Http\Requests\UpdatePirepRequest;
 use App\Models\Enums\PirepSource;
@ -26,6 +27,7 @@ use App\Services\UserService;
 use App\Support\Units\Fuel;
 use App\Support\Units\Time;
 use Carbon\Carbon;
+use Exception;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Log;
@ -211,6 +213,7 @@ class PirepController extends Controller
        return view('pireps.show', [
            'pirep'        => $pirep,
            'map_features' => $map_features,
+            'user'         => Auth::user(),
        ]);
    }

@ -433,6 +436,9 @@ class PirepController extends Controller
            Flash::error('Pirep not found');
            return redirect(route('frontend.pireps.index'));
        }
+        if ($pirep->user_id !== Auth::id()) {
+            throw new Unauthorized(new Exception('You may not edit the PIREP of other users'));
+        }

        // Eager load the subfleet and fares under it
        if ($pirep->aircraft) {
@ -543,6 +549,9 @@ class PirepController extends Controller
            Flash::error('PIREP not found');
            return redirect(route('admin.pireps.index'));
        }
+        if ($pirep->user_id !== Auth::id()) {
+            throw new Unauthorized(new Exception('You may not submit the PIREP of other users'));
+        }

        $this->pirepSvc->submit($pirep);
        return redirect(route('frontend.pireps.show', [$pirep->id]));
--- a/app/Http/Requests/UpdatePirepRequest.php
+++ b/app/Http/Requests/UpdatePirepRequest.php
@ -5,10 +5,20 @@ namespace App\Http\Requests;
 use App\Contracts\FormRequest;
 use App\Models\Pirep;
 use App\Repositories\PirepFieldRepository;
+use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Log;

 class UpdatePirepRequest extends FormRequest
 {
+    /**
+     * Is the user allowed to do this?
+     */
+    public function authorize(): bool
+    {
+        $pirep = Pirep::findOrFail($this->route('id'), ['user_id']);
+        return $pirep->user_id === Auth::id();
+    }
+
    /**
     * Get the validation rules that apply to the request.
     *
--- a/public/assets/frontend/css/styles.css
+++ b/public/assets/frontend/css/styles.css
@ -6,7 +6,6 @@
 }

 .map-info-box {
-    display: none;
    position: absolute;
    bottom: 0;
    padding: 20px;
--- a/resources/views/layouts/default/pireps/show.blade.php
+++ b/resources/views/layouts/default/pireps/show.blade.php
@ -15,7 +15,7 @@
           class="btn btn-outline-info">View SimBrief</a>
      @endif

-      @if(!$pirep->read_only)
+      @if(!$pirep->read_only && $pirep->user_id === $user->id)
        <div class="float-right" style="margin-bottom: 10px;">
          <form method="get"
                action="{{ route('frontend.pireps.edit', $pirep->id) }}"
--- a/resources/views/layouts/default/widgets/live_map.blade.php
+++ b/resources/views/layouts/default/widgets/live_map.blade.php
@ -29,7 +29,7 @@
        A couple of places (like the distance) use both to output the correct bindings.
        --}}
        <div id="map-info-box" class="map-info-box"
-             rv-show="pirep"
+             rv-show="pirep.id"
             style="width: {{ $config['width'] }};">
          <div style="float: left; width: 50%;">
            <h3 style="margin: 0" id="map_flight_id">