Redirect user to dashboard on unauthorized route & Restrict backend permission

Mark · Mark · commit 1205cdb6d78b · 2015-08-25T00:07:03.000+08:00
diff --git a/api/app/Http/Controllers/Api/Backend/AuthController.php b/api/app/Http/Controllers/Api/Backend/AuthController.php
@@ -10,6 +10,7 @@
 
 use App\Exceptions\EmailOrPasswordIncorrectException;
 use App\Exceptions\ResourceException;
+use App\Exceptions\UnauthorizedException;
 
 class AuthController extends ApiController
 {
@@ -43,6 +44,9 @@ public function postLogin()
 
         // Try to login
         if (UserAuth::once($credentials)) {
+            if (!UserAuth::user()->can('auth.backend')) {
+                throw new UnauthorizedException('You do not have permission to access.');
+            }
             $payload = app('tymon.jwt.payload.factory')->sub(UserAuth::user()->id)->aud('user')->make();
             $token = JWTAuth::encode($payload);
 
diff --git a/api/app/Http/Middleware/EntrustPermissionMiddleware.php b/api/app/Http/Middleware/EntrustPermissionMiddleware.php
@@ -12,12 +12,13 @@ class EntrustPermissionMiddleware
      * @param  \Illuminate\Http\Request $request
      * @param  Closure                  $next
      * @param                           $permissions
+     *
      * @return mixed
      */
     public function handle($request, \Closure $next, $permissions)
     {
 
-        if (!UserAuth::user()->can(explode('|', $permissions))) {
+        if (!UserAuth::check() || !UserAuth::user()->can(explode('|', $permissions))) {
             throw new UnauthorizedException('You do not have permission to access.');
         }
 
diff --git a/api/app/Http/routes.php b/api/app/Http/routes.php
@@ -10,10 +10,12 @@
 
         Route::post('slug', 'Api\HelperController@slug');
 
+
         //AUTH =================================
-        Route::post('auth/login', 'Api\Backend\AuthController@postLogin');
-        Route::post('auth/logout', 'Api\Backend\AuthController@postLogout');
-        Route::post('auth/refresh-token', 'Api\Backend\AuthController@postRefreshToken');
+
+        Route::post('auth/login', ['uses' => 'Api\Backend\AuthController@postLogin', 'as' => 'auth.login']);
+        Route::post('auth/logout', ['uses' => 'Api\Backend\AuthController@postLogout', 'as' => 'auth.logout']);
+        Route::post('auth/refresh-token', ['uses' => 'Api\Backend\AuthController@postRefreshToken', 'as' => 'auth.refresh']);
 
         Route::group(['middleware' => ['auth.user']], function () {
             Route::get('me', 'Api\Backend\UserController@index');
diff --git a/api/database/seeds/UserAndRoleTableSeeder.php b/api/database/seeds/UserAndRoleTableSeeder.php
@@ -14,7 +14,13 @@ public function run()
     {
         $ownerRole = Role::create(['name' => 'owner', 'display_name' => 'owner']);
 
+
+
         $allPermissions = [];
+
+        $adminRolePermission = Permission::create(['name' => 'auth.backend', 'display_name' => 'Login to backend']);
+        array_push($allPermissions, $adminRolePermission->id);
+
         $listRolePermission = Permission::create(['name' => 'roles.index', 'display_name' => 'List Roles']);
         $createRolePermission = Permission::create(['name' => 'roles.store', 'display_name' => 'Create Roles']);
         $editRolePermission = Permission::create(['name' => 'roles.update', 'display_name' => 'Edit Roles']);
@@ -54,7 +60,7 @@ public function run()
 
         $ownerRole->perms()->sync($allPermissions);
 
-        $user = User::create(['firstname' => 'Mark', 'email' => 'admin@emcoo.com', 'password' => Hash::make('adminmark'), 'last_login' => date('Y-m-d H:i:s')]);
+        $user = User::create(['firstname' => 'Mark', 'email' => 'admin@emcoo.com', 'password' => 'adminmark', 'last_login' => date('Y-m-d H:i:s')]);
         $user->attachRole($ownerRole);
 
     }
diff --git a/backend/src/app/components/media.category/_media.category.module.js b/backend/src/app/components/media.category/_media.category.module.js
@@ -12,7 +12,7 @@
     'use strict';
 
     angular.module('mediaCategoryModule', [])
-        .run(function (Restangular, languageService, $filter, $log) {
+        .run(function (Restangular) {
             //================================================
             // Restangular init
             //================================================
@@ -22,9 +22,7 @@
             Restangular.extendModel('medias', function (model) {
                 model.init = function () {
                     _.extend(model, {
-                        id: '',
-                        status: 'published',
-                        visibility: 'public'
+                        id: ''
                     });
                 };
 
diff --git a/backend/src/app/components/media/_media.module.js b/backend/src/app/components/media/_media.module.js
@@ -44,6 +44,20 @@
                     templateUrl: 'app/components/media/media.list.html',
                     controller: 'MediaListController as listCtrl',
                     resolve: {
+                        hasPermission: function (userService, $state, $q) {
+                            var deferred = $q.defer();
+                            userService.getMe().then(function (result) {
+                                if (!result.can('media.index')) {
+                                    $state.go('main.index');
+                                    deferred.resolve(false);
+                                }
+                                deferred.resolve(true);
+                            }, function () {
+                                $state.go('main.index');
+                                deferred.reject(false);
+                            });
+                            return deferred.promise;
+                        },
                         meta: function ($rootScope, $translate, $q) {
                             var deferred = $q.defer();
                             $translate('media.media').then(function (translation) {
diff --git a/backend/src/app/components/media/media.list.controller.js b/backend/src/app/components/media/media.list.controller.js
@@ -15,7 +15,6 @@
     angular.module('mediaModule').controller('MediaListController', MediaListController);
 
     function MediaListController($scope, mediaService, $location, toaster, $translate, $q, mediaCategoryService, $state) {
-
         var vm = this;
         //================================================
         // Upload
diff --git a/backend/src/app/components/post.category/_post.category.module.js b/backend/src/app/components/post.category/_post.category.module.js
@@ -48,6 +48,20 @@
                     templateUrl: 'app/components/post.category/post.category.list.html',
                     controller: 'PostCategoryListController as listCtrl',
                     resolve: {
+                        hasPermission: function (userService, $state, $q) {
+                            var deferred = $q.defer();
+                            userService.getMe().then(function (result) {
+                                if (!result.can('posts.categories.index')) {
+                                    $state.go('main.index');
+                                    deferred.resolve(false);
+                                }
+                                deferred.resolve(true);
+                            }, function () {
+                                $state.go('main.index');
+                                deferred.reject();
+                            });
+                            return deferred.promise;
+                        },
                         meta: function ($rootScope, $translate, $q) {
                             var deferred = $q.defer();
                             $translate('post.posts').then(function (translation) {
@@ -65,6 +79,20 @@
                     templateUrl: 'app/components/post.category/post.category.form.html',
                     controller: 'PostCategoryFormController as formCtrl',
                     resolve: {
+                        hasPermission: function (userService, $state, $q) {
+                            var deferred = $q.defer();
+                            userService.getMe().then(function (result) {
+                                if (!result.can('posts.categories.store')) {
+                                    $state.go('main.index');
+                                    deferred.resolve(false);
+                                }
+                                deferred.resolve(true);
+                            }, function () {
+                                $state.go('main.index');
+                                deferred.reject();
+                            });
+                            return deferred.promise;
+                        },
                         category: function () {
                             return;
                         },
@@ -85,8 +113,29 @@
                     templateUrl: 'app/components/post.category/post.category.form.html',
                     controller: 'PostCategoryFormController as formCtrl',
                     resolve: {
-                        category: function (postCategoryService, $stateParams) {
-                            return postCategoryService.find($stateParams.id, {cache: false});
+                        hasPermission: function (userService, $state, $q) {
+                            var deferred = $q.defer();
+                            userService.getMe().then(function (result) {
+                                if (!result.can(['posts.categories.index', 'posts.categories.update'], true)) {
+                                    $state.go('main.index');
+                                    deferred.resolve(false);
+                                }
+                                deferred.resolve(true);
+                            }, function () {
+                                $state.go('main.index');
+                                deferred.reject();
+                            });
+                            return deferred.promise;
+                        },
+                        category: function (postCategoryService, $stateParams, $q, $state) {
+                            var deferred = $q.defer();
+                            postCategoryService.find($stateParams.id, {cache: false}).then(function (result) {
+                                deferred.resolve(result);
+                            }, function () {
+                                $state.go('main.post-category-list');
+                                deferred.reject();
+                            });
+                            return deferred.promise;
                         },
                         meta: function ($rootScope, $translate, $q) {
                             var deferred = $q.defer();
diff --git a/backend/src/app/components/post.category/post.category.form.controller.js b/backend/src/app/components/post.category/post.category.form.controller.js
@@ -12,8 +12,7 @@
 
     angular.module('postCategoryModule').controller('PostCategoryFormController', PostCategoryFormController);
 
-    function PostCategoryFormController($http, $location, postCategoryService, messageService, moment, angularMomentConfig, toaster, $translate, category, $filter, languageService, Restangular) {
-
+    function PostCategoryFormController($location, postCategoryService, messageService, toaster, $translate, category, Restangular) {
 
         var vm = this;
         //==========================================
diff --git a/backend/src/app/components/post.category/post.category.list.controller.js b/backend/src/app/components/post.category/post.category.list.controller.js
@@ -14,7 +14,7 @@
     angular.module('postCategoryModule')
         .controller('PostCategoryListController', PostCategoryListController);
 
-    function PostCategoryListController(postCategoryService, $location, toaster, $timeout, $translate) {
+    function PostCategoryListController(postCategoryService, toaster, $timeout, $translate) {
 
         var vm = this;
         //================================================
@@ -66,7 +66,7 @@
             },
             dragStart: function (event) {
                 var oldParent = event.dest.nodesScope.$parent.$parent.$modelValue;
-                
+
                 //if old parent get only a children, remove the handle tool
                 if (!_.isUndefined(oldParent) && oldParent.children.length === 1) {
                     oldParent.rgt = oldParent.lft + 1;
diff --git a/backend/src/app/components/post/_post.module.js b/backend/src/app/components/post/_post.module.js
@@ -52,6 +52,20 @@
                     templateUrl: 'app/components/post/post.list.html',
                     controller: 'PostListController as listCtrl',
                     resolve: {
+                        hasPermission: function (userService, $state, $q) {
+                            var deferred = $q.defer();
+                            userService.getMe().then(function (result) {
+                                if (!result.can('posts.index')) {
+                                    $state.go('main.index');
+                                    deferred.resolve(false);
+                                }
+                                deferred.resolve(true);
+                            }, function () {
+                                $state.go('main.index');
+                                deferred.reject(false);
+                            });
+                            return deferred.promise;
+                        },
                         meta: function ($rootScope, $translate, $q) {
                             var deferred = $q.defer();
                             $translate('post.posts').then(function (translation) {
@@ -69,6 +83,20 @@
                     templateUrl: 'app/components/post/post.form.html',
                     controller: 'PostFormController as formCtrl',
                     resolve: {
+                        hasPermission: function (userService, $state, $q) {
+                            var deferred = $q.defer();
+                            userService.getMe().then(function (result) {
+                                if (!result.can('posts.store')) {
+                                    $state.go('main.index');
+                                    deferred.resolve(false);
+                                }
+                                deferred.resolve(true);
+                            }, function () {
+                                $state.go('main.index');
+                                deferred.reject(false);
+                            });
+                            return deferred.promise;
+                        },
                         post: function () {
                             return;
                         },
@@ -89,8 +117,29 @@
                     templateUrl: 'app/components/post/post.form.html',
                     controller: 'PostFormController as formCtrl',
                     resolve: {
-                        post: function (postService, $stateParams) {
-                            return postService.find($stateParams.id, {cache: false});
+                        hasPermission: function (userService, $state, $q) {
+                            var deferred = $q.defer();
+                            userService.getMe().then(function (result) {
+                                if (!result.can(['posts.index', 'posts.update'], true)) {
+                                    $state.go('main.index');
+                                    deferred.resolve(false);
+                                }
+                                deferred.resolve(true);
+                            }, function () {
+                                $state.go('main.index');
+                                deferred.reject();
+                            });
+                            return deferred.promise;
+                        },
+                        post: function (postService, $stateParams, $q, $state) {
+                            var deferred = $q.defer();
+                            postService.find($stateParams.id, {cache: false}).then(function (result) {
+                                deferred.resolve(result);
+                            }, function () {
+                                $state.go('main.post-list');
+                                deferred.reject();
+                            });
+                            return deferred.promise;
                         },
                         meta: function ($rootScope, $translate, $q) {
                             var deferred = $q.defer();
diff --git a/backend/src/app/components/post/post.form.controller.js b/backend/src/app/components/post/post.form.controller.js
@@ -13,11 +13,10 @@
 
     angular.module('postModule').controller('PostFormController', PostFormController);
     function PostFormController($scope, postService, postCategoryService, messageService, moment, angularMomentConfig, toaster, $translate, post, $location, Restangular, $q) {
-
         var vm = this;
 
         vm.post = (_.isEmpty(post) || _.isUndefined(post)) ? postService.init() : post;
-        console.log(vm.post);
+
         //==========================================
         // Load Data
         //==========================================
diff --git a/backend/src/app/components/post/post.list.controller.js b/backend/src/app/components/post/post.list.controller.js
@@ -14,6 +14,7 @@
     angular.module('postModule').controller('PostListController', PostListController);
 
     function PostListController(postService, $location, toaster, postCategoryService, $translate, $q, angularMomentConfig) {
+
         var vm = this;
         //==========================================
         // Date & Time picker
diff --git a/backend/src/app/components/user/_user.module.js b/backend/src/app/components/user/_user.module.js
diff --git a/backend/src/app/components/user/role.list.controller.js b/backend/src/app/components/user/role.list.controller.js
diff --git a/backend/src/app/index.js b/backend/src/app/index.js

Original file line number	Diff line number	Diff line change
`@@ -12,12 +12,13 @@ class EntrustPermissionMiddleware`
`12`	`12`	`* @param \Illuminate\Http\Request $request`
`13`	`13`	`* @param Closure $next`
`14`	`14`	`* @param $permissions`
	`15`	`+ *`
`15`	`16`	`* @return mixed`
`16`	`17`	`*/`
`17`	`18`	`public function handle($request, \Closure $next, $permissions)`
`18`	`19`	`{`
`19`	`20`
`20`		`- if (!UserAuth::user()->can(explode('\|', $permissions))) {`
	`21`	`+ if (!UserAuth::check() \|\| !UserAuth::user()->can(explode('\|', $permissions))) {`
`21`	`22`	`throw new UnauthorizedException('You do not have permission to access.');`
`22`	`23`	`}`
`23`	`24`