Check public pages for authorization #761

2020-07-10 13:11:38 -04:00 · 2020-07-10 13:11:38 -04:00 · 64e4c91e7e
commit 64e4c91e7e
parent 3e2b1fe42b
4 changed files with 55 additions and 3 deletions
--- a/app/Exceptions/Unauthorized.php
+++ b/app/Exceptions/Unauthorized.php
@ -0,0 +1,43 @@
+<?php
+
+namespace App\Exceptions;
+
+use Exception;
+
+class Unauthorized extends AbstractHttpException
+{
+    private $exception;
+
+    public function __construct(Exception $exception)
+    {
+        $this->exception = $exception;
+        parent::__construct(
+            403,
+            $exception->getMessage()
+        );
+    }
+
+    /**
+     * Return the RFC 7807 error type (without the URL root)
+     */
+    public function getErrorType(): string
+    {
+        return 'unauthorized';
+    }
+
+    /**
+     * Get the detailed error string
+     */
+    public function getErrorDetails(): string
+    {
+        return $this->getMessage();
+    }
+
+    /**
+     * Return an array with the error details, merged with the RFC7807 response
+     */
+    public function getErrorMetadata(): array
+    {
+        return [];
+    }
+}
--- a/app/Http/Controllers/Frontend/PageController.php
+++ b/app/Http/Controllers/Frontend/PageController.php
@ -4,8 +4,10 @@ namespace App\Http\Controllers\Frontend;

 use App\Contracts\Controller;
 use App\Exceptions\PageNotFound;
+use App\Exceptions\Unauthorized;
 use App\Repositories\PageRepository;
 use Exception;
+use Illuminate\Support\Facades\Auth;

 class PageController extends Controller
 {
@ -28,11 +30,16 @@ class PageController extends Controller
     */
    public function show($slug)
    {
+        /** @var \App\Models\Page $page */
        $page = $this->pageRepo->findWhere(['slug' => $slug])->first();
        if (!$page) {
            throw new PageNotFound(new Exception('Page not found'));
        }

+        if (!$page->public && !Auth::check()) {
+            throw new Unauthorized(new Exception('You must be logged in to view this page'));
+        }
+
        return view('pages.index', ['page' => $page]);
    }
 }
--- a/app/Providers/RouteServiceProvider.php
+++ b/app/Providers/RouteServiceProvider.php
@ -60,8 +60,6 @@ class RouteServiceProvider extends ServiceProvider
                Route::get('flights/search', 'FlightController@search')->name('flights.search');
                Route::resource('flights', 'FlightController');

-                Route::get('p/{slug}', 'PageController@show')->name('pages.show');
-
                Route::get('pireps/fares', 'PirepController@fares');
                Route::post('pireps/{id}/submit', 'PirepController@submit')->name('pireps.submit');

@ -95,7 +93,10 @@ class RouteServiceProvider extends ServiceProvider
                Route::get('users/{id}', 'ProfileController@show')->name('users.show.public');
                Route::get('pilots/{id}', 'ProfileController@show')->name('pilots.show.public');

-                Route::get('p/{id}', 'ProfileController@show')->name('profile.show.public');
+                Route::get('page/{slug}', 'PageController@show')->name('pages.show');
+
+                Route::get('profile/{id}', 'ProfileController@show')->name('profile.show.public');
+
                Route::get('users', 'UserController@index')->name('users.index');
                Route::get('pilots', 'UserController@index')->name('pilots.index');

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -36,6 +36,7 @@ services:
      MYSQL_ALLOW_EMPTY_PASSWORD: 'yes'
    volumes:
      - ./storage/docker/mysql:/var/lib/mysql
+      - ./resources/docker/mysql:/etc/mysql/conf.d
    ports:
      - 3306:3306