From 8c0ac0f7a1709de5bd06484df12b92bc179ea891 Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Mon, 20 Apr 2020 00:01:37 +0200
Subject: [PATCH] Check permissions before showing ical, atom and json export links

closes #729 (Rechtesystem ical&json)
---
 includes/pages/user_shifts.php | 5 +++++
 includes/view/User_view.php | 11 ++++++++---
 resources/views/layouts/app.twig | 2 +-
 src/Middleware/SessionHandlerServiceProvider.php | 1 +
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/includes/pages/user_shifts.php b/includes/pages/user_shifts.php
index 10e57194..d8990c58 100644
--- a/includes/pages/user_shifts.php
+++ b/includes/pages/user_shifts.php
@@ -288,10 +288,15 @@ function view_user_shifts()
 /**
  * Returns a hint for the user how the ical feature works.
+ *
+ * @return string
  */
 function ical_hint()
 {
     $user = auth()->user();
+    if(!auth()->can('ical')) {
+        return '';
+    }
     return heading(__('iCal export and API') . ' ' . button_help('user/ical'), 2) . '

' . sprintf(
diff --git a/includes/view/User_view.php b/includes/view/User_view.php
index 3a12c178..4cf28e29 100644
--- a/includes/view/User_view.php
+++ b/includes/view/User_view.php
@@ -553,6 +553,7 @@ function User_view(
     $admin_user_worklog_privilege,
     $user_worklogs
 ) {
+    $auth = auth();
     $nightShiftsConfig = config('night_shifts');
     $user_name = htmlspecialchars(
         $user_source->personalData->first_name) . ' ' . htmlspecialchars($user_source->personalData->last_name
@@ -625,15 +626,19 @@ function User_view(
             page_link_to('user_settings'),
             glyph('list-alt') . __('Settings')
         ) : '',
-        $its_me ? button(
+        ($its_me && $auth->can('ical')) ? button(
             page_link_to('ical', ['key' => $user_source->api_key]),
             glyph('calendar') . __('iCal Export')
         ) : '',
-        $its_me ? button(
+        ($its_me && $auth->can('shifts_json_export')) ? button(
             page_link_to('shifts_json_export', ['key' => $user_source->api_key]),
             glyph('export') . __('JSON Export')
         ) : '',
-        $its_me ? button(
+        ($its_me && (
+            $auth->can('shifts_json_export')
+            || $auth->can('ical')
+            || $auth->can('atom')
+        )) ? button(
             page_link_to('user_myshifts', ['reset' => 1]),
             glyph('repeat') . __('Reset API key')
         ) : ''
diff --git a/resources/views/layouts/app.twig b/resources/views/layouts/app.twig
index 17d9f34b..e0ccb246 100644
--- a/resources/views/layouts/app.twig
+++ b/resources/views/layouts/app.twig
@@ -12,7 +12,7 @@
-    {% if page() in ['news', 'meetings'] and is_user() -%}
+    {% if page() in ['news', 'meetings'] and is_user() and has_permission_to('atom') -%}
         {% set parameters = {'key': user.api_key} -%}
         {% if page() == 'meetings' -%}
             {% set parameters = parameters|merge({'meetings': 1}) -%}
diff --git a/src/Middleware/SessionHandlerServiceProvider.php b/src/Middleware/SessionHandlerServiceProvider.php
index aefcb674..7bffb059 100644
--- a/src/Middleware/SessionHandlerServiceProvider.php
+++ b/src/Middleware/SessionHandlerServiceProvider.php
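Review bot: In ical_hint() the new guard `if(!auth()->can('ical'))` runs only after `$user = auth()->user();` has already been evaluated, and `auth()` is resolved twice in two consecutive lines; resolving it once and checking the permission before any other work is clearer: `$auth = auth(); if (!$auth->can('ical')) { return ''; } $user = $auth->user();` (PSR-12 also puts a space after `if`). This rendering appears to have lost part of the hunk's context (the header counts ten old lines, fewer are visible), and the rest of ical_hint's body continues past the hunk. Note that the gate only hides the hint text; the ical endpoint itself is not touched by this patch, so whether a request carrying a valid key is refused when the account lacks the `ical` permission cannot be confirmed from here — the same question applies to the JSON link gated in User_view.php and the atom link gated in app.twig.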
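Review bot: The three `($its_me && ...)` conditions in the User_view button list each query `$auth->can()` inline, and the reset-key entry repeats the first two checks plus `atom` inside a nested parenthesised block, which makes the ternary chain hard to scan and easy to desynchronise when a fourth export is added. Evaluating `$canIcal`, `$canJson` and `$canAtom` once next to the new `$auth = auth();` (in the earlier hunk of this file, outside this one) and writing e.g. `$its_me && $canIcal ? button(` keeps each entry on one line and lets the reset-key rule read as `($canIcal || $canJson || $canAtom)`, i.e. "any export enabled", without changing behaviour. User_view() begins and ends outside this hunk.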
@@ -14,6 +14,7 @@ class SessionHandlerServiceProvider extends ServiceProvider
             ->give(function () {
                 return [
                     '/api',
+                    '/atom',
                     '/ical',
                     '/metrics',
                     '/shifts-json-export',
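Review bot: The path list that `'/atom'` joins carries no comment saying what membership means, so a reader of this hunk cannot tell why `/atom` belongs beside `/api`, `/ical`, `/metrics` and `/shifts-json-export`, nor that any future key-based export must be registered here in addition to being gated in the views. The provider name suggests these are routes handled without a browser session, but that is an inference from the class name only; a comment above `return [` such as `// TODO(review): document what listing a path here changes; keep in sync with the key-authenticated exports (ical, atom, shifts-json-export)` would record the intent until the maintainer can state it precisely. The enclosing `give(function () { ... })` closure and the class itself start before and end after this hunk.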