diff --git a/app/Database/seeds/permissions.yml b/app/Database/seeds/permissions.yml index 23a4531d..26561458 100644 --- a/app/Database/seeds/permissions.yml +++ b/app/Database/seeds/permissions.yml @@ -24,6 +24,9 @@ - name: fares display_name: Fares description: Create/edit fares +- name: files + display_name: Files + description: Manage the files available - name: finances display_name: Finances description: Create/view finance related items diff --git a/app/Http/Routes/admin.php b/app/Http/Routes/admin.php index e80d51e9..976fe799 100644 --- a/app/Http/Routes/admin.php +++ b/app/Http/Routes/admin.php 
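Review bot: The new `files` permission exists only as a seed entry, so an already-deployed database that does not re-run the seeder has no such row, and the `ability:admin,files` guards added in app/Http/Routes/admin.php would then pass only users holding the admin role (the ability middleware accepts the role or the permission, as far as I can tell from Laratrust's semantics). If non-admin staff are meant to manage files, this commit needs an accompanying migration or an idempotent seed step that inserts the row, and the same applies to any other permission name the routes reference (`fleet`, `maintenance`, `settings`, `admin-access`) whose seed entry is outside this diff. A short note next to the entry would help future readers: `# must match the permission string in the ability:admin,files route middleware`.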
@@ -13,172 +13,203 @@ Route::group( ], static function () { // CRUD for airlines - Route::resource('airlines', 'AirlinesController'); + Route::resource('airlines', 'AirlinesController')->middleware('ability:admin,airlines'); // CRUD for roles - Route::resource('roles', 'RolesController'); + Route::resource('roles', 'RolesController')->middleware('role:admin'); - Route::get('airports/export', 'AirportController@export')->name('airports.export'); - Route::match(['get', 'post', 'put'], 'airports/fuel', 'AirportController@fuel'); + Route::get('airports/export', 'AirportController@export') + ->name('airports.export') + ->middleware('ability:admin,airports'); - Route::match(['get', 'post'], 'airports/import', 'AirportController@import')->name( - 'airports.import' - ); + Route::match(['get', 'post', 'put'], 'airports/fuel', 'AirportController@fuel') + ->middleware('ability:admin,airports'); + + Route::match(['get', 'post'], 'airports/import', 'AirportController@import') + ->name('airports.import')->middleware('ability:admin,airports'); Route::match( ['get', 'post', 'put', 'delete'], 'airports/{id}/expenses', 'AirportController@expenses' - ); + )->middleware('ability:admin,airports'); - Route::resource('airports', 'AirportController'); + Route::resource('airports', 'AirportController')->middleware('ability:admin,airports'); // Awards - Route::resource('awards', 'AwardController'); + Route::resource('awards', 'AwardController')->middleware('ability:admin,awards'); // aircraft and fare associations - Route::get('aircraft/export', 'AircraftController@export')->name('aircraft.export'); + Route::get('aircraft/export', 'AircraftController@export') + ->name('aircraft.export') + ->middleware('ability:admin,aircraft'); - Route::match(['get', 'post'], 'aircraft/import', 'AircraftController@import')->name( - 'aircraft.import' - ); + Route::match(['get', 'post'], 'aircraft/import', 'AircraftController@import') + ->name('aircraft.import')->middleware('ability:admin,aircraft'); 
Route::match( ['get', 'post', 'put', 'delete'], 'aircraft/{id}/expenses', 'AircraftController@expenses' - ); + )->middleware('ability:admin,aircraft'); - Route::resource('aircraft', 'AircraftController'); + Route::resource('aircraft', 'AircraftController')->middleware('ability:admin,aircraft'); // expenses - Route::get('expenses/export', 'ExpenseController@export')->name('expenses.export'); + Route::get('expenses/export', 'ExpenseController@export') + ->name('expenses.export') + ->middleware('ability:admin,finances'); - Route::match(['get', 'post'], 'expenses/import', 'ExpenseController@import')->name( - 'expenses.import' - ); + Route::match(['get', 'post'], 'expenses/import', 'ExpenseController@import') + ->name('expenses.import') + ->middleware('ability:admin,finances'); - Route::resource('expenses', 'ExpenseController'); + Route::resource('expenses', 'ExpenseController')->middleware('ability:admin,finances'); // fares - Route::get('fares/export', 'FareController@export')->name('fares.export'); + Route::get('fares/export', 'FareController@export') + ->name('fares.export') + ->middleware('ability:admin,finances'); - Route::match(['get', 'post'], 'fares/import', 'FareController@import')->name( - 'fares.import' - ); + Route::match(['get', 'post'], 'fares/import', 'FareController@import') + ->name('fares.import')->middleware('ability:admin,finances'); - Route::resource('fares', 'FareController'); + Route::resource('fares', 'FareController')->middleware('ability:admin,finances'); // files - Route::post('files', 'FileController@store')->name('files.store'); - Route::delete('files/{id}', 'FileController@destroy')->name('files.delete'); + Route::post('files', 'FileController@store') + ->name('files.store') + ->middleware('ability:admin,files'); + + Route::delete('files/{id}', 'FileController@destroy') + ->name('files.delete') + ->middleware('ability:admin,files'); // finances - Route::resource('finances', 'FinanceController'); + Route::resource('finances', 
'FinanceController')->middleware('ability:admin,finances'); // flights and aircraft associations - Route::get('flights/export', 'FlightController@export')->name('flights.export'); + Route::get('flights/export', 'FlightController@export') + ->name('flights.export') + ->middleware('ability:admin,flights'); - Route::match(['get', 'post'], 'flights/import', 'FlightController@import')->name( - 'flights.import' - ); + Route::match(['get', 'post'], 'flights/import', 'FlightController@import') + ->name('flights.import') + ->middleware('ability:admin,flights'); Route::match( ['get', 'post', 'put', 'delete'], 'flights/{id}/fares', 'FlightController@fares' - ); + )->middleware('ability:admin,flights'); Route::match( ['get', 'post', 'put', 'delete'], 'flights/{id}/fields', 'FlightController@field_values' - ); + )->middleware('ability:admin,flights'); Route::match( ['get', 'post', 'put', 'delete'], 'flights/{id}/subfleets', 'FlightController@subfleets' - ); + )->middleware('ability:admin,flights'); - Route::resource('flights', 'FlightController'); + Route::resource('flights', 'FlightController') + ->middleware('ability:admin,flights'); - Route::resource('flightfields', 'FlightFieldController'); + Route::resource('flightfields', 'FlightFieldController') + ->middleware('ability:admin,flights'); // pirep related routes - Route::get('pireps/fares', 'PirepController@fares'); - Route::get('pireps/pending', 'PirepController@pending'); - Route::resource('pireps', 'PirepController'); - Route::match(['get', 'post', 'delete'], 'pireps/{id}/comments', 'PirepController@comments'); - Route::match(['post', 'put'], 'pireps/{id}/status', 'PirepController@status')->name( - 'pirep.status' - ); + Route::get('pireps/fares', 'PirepController@fares')->middleware('ability:admin,pireps'); + Route::get('pireps/pending', 'PirepController@pending')->middleware('ability:admin,pireps'); + Route::resource('pireps', 'PirepController')->middleware('ability:admin,pireps'); - Route::resource('pirepfields', 
'PirepFieldController'); + Route::match(['get', 'post', 'delete'], 'pireps/{id}/comments', 'PirepController@comments') + ->middleware('ability:admin,pireps'); + + Route::match(['post', 'put'], 'pireps/{id}/status', 'PirepController@status') + ->name('pirep.status') + ->middleware('ability:admin,pireps'); + + Route::resource('pirepfields', 'PirepFieldController') + ->middleware('ability:admin,pireps'); // rankings - Route::resource('ranks', 'RankController'); + Route::resource('ranks', 'RankController')->middleware('ability:admin,ranks'); Route::match( ['get', 'post', 'put', 'delete'], 'ranks/{id}/subfleets', 'RankController@subfleets' - ); + )->middleware('ability:admin,ranks'); // settings - Route::match(['get'], 'settings', 'SettingsController@index'); - Route::match(['post', 'put'], 'settings', 'SettingsController@update')->name( - 'settings.update' - ); + Route::match(['get'], 'settings', 'SettingsController@index') + ->middleware('ability:admin,settings'); + + Route::match(['post', 'put'], 'settings', 'SettingsController@update') + ->name('settings.update') + ->middleware('ability:admin,settings'); // maintenance - Route::match(['get'], 'maintenance', 'MaintenanceController@index')->name( - 'maintenance.index' - ); - Route::match(['post'], 'maintenance', 'MaintenanceController@cache')->name( - 'maintenance.cache' - ); + Route::match(['get'], 'maintenance', 'MaintenanceController@index') + ->name('maintenance.index') + ->middleware('ability:admin,maintenance'); + + Route::match(['post'], 'maintenance', 'MaintenanceController@cache') + ->name('maintenance.cache') + ->middleware('ability:admin,maintenance'); // subfleet - Route::get('subfleets/export', 'SubfleetController@export')->name('subfleets.export'); - Route::match(['get', 'post'], 'subfleets/import', 'SubfleetController@import')->name( - 'subfleets.import' - ); + Route::get('subfleets/export', 'SubfleetController@export') + ->name('subfleets.export') + ->middleware('ability:admin,fleet'); + + 
Route::match(['get', 'post'], 'subfleets/import', 'SubfleetController@import') + ->name('subfleets.import') + ->middleware('ability:admin,fleet'); Route::match( ['get', 'post', 'put', 'delete'], 'subfleets/{id}/expenses', 'SubfleetController@expenses' - ); + )->middleware('ability:admin,fleet'); Route::match( ['get', 'post', 'put', 'delete'], 'subfleets/{id}/fares', 'SubfleetController@fares' - ); + )->middleware('ability:admin,fleet'); Route::match( ['get', 'post', 'put', 'delete'], 'subfleets/{id}/ranks', 'SubfleetController@ranks' - ); + )->middleware('ability:admin,fleet'); - Route::resource('subfleets', 'SubfleetController'); + Route::resource('subfleets', 'SubfleetController')->middleware('ability:admin,fleet'); - Route::resource('users', 'UserController'); + Route::resource('users', 'UserController')->middleware('ability:admin,users'); Route::get( 'users/{id}/regen_apikey', 'UserController@regen_apikey' - )->name('users.regen_apikey'); + )->name('users.regen_apikey')->middleware('ability:admin,users'); // defaults - Route::get('', ['uses' => 'DashboardController@index'])->middleware('update_pending'); - Route::get('/', ['uses' => 'DashboardController@index'])->middleware('update_pending'); + Route::get('', ['uses' => 'DashboardController@index']) + ->middleware('update_pending', 'ability:admin,admin-access'); + + Route::get('/', ['uses' => 'DashboardController@index']) + ->middleware('update_pending', 'ability:admin,admin-access'); + + Route::get('dashboard', ['uses' => 'DashboardController@index', 'name' => 'dashboard']) + ->middleware('update_pending', 'ability:admin,admin-access'); - Route::get('dashboard', ['uses' => 'DashboardController@index', 'name' => 'dashboard']); Route::match( ['get', 'post', 'delete'], 'dashboard/news', ['uses' => 'DashboardController@news'] - )->name('dashboard.news'); + )->name('dashboard.news')->middleware('update_pending', 'ability:admin,admin-access'); } ); 
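Review bot: Every route in this group now carries its own `->middleware('ability:...')` call, so the default for any route later added to the closure is no ability check at all; the group's options array starts before the hunk, so I cannot see whether it already applies an authorization middleware, but a deny-by-default baseline such as `'middleware' => 'ability:admin,admin-access'` on the group would let the per-route calls narrow access instead of being the only thing that establishes it. On the new side, `Route::get('dashboard', ['uses' => 'DashboardController@index', 'name' => 'dashboard'])` passes `name` as an action key, which Laravel does not read (the route-name key is `as`), so the route stays unnamed; `->name('dashboard')` as on the neighbouring routes would fix it. Finally, `roles` is the only resource guarded with `role:admin` rather than an ability, which looks deliberate but deserves a comment so it is not "normalised" later, e.g. `// roles stay admin-only: a 'roles' permission would be equivalent to granting admin`.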
diff --git a/config/laratrust.php b/config/laratrust.php index f4410357..04d510d8 100644 --- a/config/laratrust.php +++ b/config/laratrust.php @@ -168,8 +168,33 @@ return [ 'middleware' => [ 'register' => true, 'handling' => 'redirect', - 'params' => '/login', - + /** + * Handlers for the unauthorized method in the middlewares. + * The name of the handler must be the same as the handling. + */ + 'handlers' => [ + /** + * Aborts the execution with a 403 code and allows you to provide the response text + */ + 'abort' => [ + 'code' => 403, + 'message' => 'User does not have any of the necessary access rights.', + ], + /** + * Redirects the user to the given url. + * If you want to flash a key to the session, + * you can do it by setting the key and the content of the message + * If the message content is empty it won't be added to the redirection. + */ + 'redirect' => [ + 'url' => '/', + 'message' => [ + 'key' => 'flash_notification.message', + 'content' => 'User does not have any of the necessary access rights.', + ], + ], + ], + 'params' => '/login', ], /*
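Review bot: The hunk keeps `'params' => '/login'` while adding `'handlers' => ['redirect' => ['url' => '/', ...]]`, and the two disagree about where an unauthorized user is sent; in the Laratrust releases that introduced the `handlers` block, the middleware reads `handlers.<handling>`, so `params` is presumably dead and the effective redirect target is `/`, not `/login`. If the login page is still the intended destination, set `'url' => '/login'` and drop `params`; if `/` is intended, drop `params` anyway so the file has a single source of truth. The explanatory comments are copied vendor `/** ... */` docblocks attached to array keys; plain `//` or `/* */` comments would read as file comments rather than PHPDoc, if that matches the rest of this config (not visible here).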