Check permissions before showing ical, atom and json export links

closes #729 (Rechtesystem ical&json)
2020-04-20 00:01:37 +02:00 · 2020-04-20 00:01:37 +02:00 · 8c0ac0f7a1
parent 93ae2442f6
commit 8c0ac0f7a1
4 changed files with 15 additions and 4 deletions
--- a/includes/pages/user_shifts.php
+++ b/includes/pages/user_shifts.php
@ -288,10 +288,15 @@ function view_user_shifts()

 /**
 * Returns a hint for the user how the ical feature works.
+ *
+ * @return string
 */
 function ical_hint()
 {
    $user = auth()->user();
+    if(!auth()->can('ical')) {
+        return '';
+    }

    return heading(__('iCal export and API') . ' ' . button_help('user/ical'), 2)
        . '<p>' . sprintf(
--- a/includes/view/User_view.php
+++ b/includes/view/User_view.php
@ -553,6 +553,7 @@ function User_view(
    $admin_user_worklog_privilege,
    $user_worklogs
 ) {
+    $auth = auth();
    $nightShiftsConfig = config('night_shifts');
    $user_name = htmlspecialchars(
            $user_source->personalData->first_name) . ' ' . htmlspecialchars($user_source->personalData->last_name
@ -625,15 +626,19 @@ function User_view(
                            page_link_to('user_settings'),
                            glyph('list-alt') . __('Settings')
                        ) : '',
-                        $its_me ? button(
+                        ($its_me && $auth->can('ical')) ? button(
                            page_link_to('ical', ['key' => $user_source->api_key]),
                            glyph('calendar') . __('iCal Export')
                        ) : '',
-                        $its_me ? button(
+                        ($its_me && $auth->can('shifts_json_export')) ? button(
                            page_link_to('shifts_json_export', ['key' => $user_source->api_key]),
                            glyph('export') . __('JSON Export')
                        ) : '',
-                        $its_me ? button(
+                        ($its_me && (
+                            $auth->can('shifts_json_export')
+                            || $auth->can('ical')
+                            || $auth->can('atom')
+                        )) ? button(
                            page_link_to('user_myshifts', ['reset' => 1]),
                            glyph('repeat') . __('Reset API key')
                        ) : ''
--- a/resources/views/layouts/app.twig
+++ b/resources/views/layouts/app.twig
@ -12,7 +12,7 @@
        <link rel="stylesheet" type="text/css" href="{{ asset('assets/theme' ~ theme ~ '.css') }}"/>
        <script type="text/javascript" src="{{ asset('assets/vendor.js') }}"></script>

-        {% if page() in ['news', 'meetings'] and is_user() -%}
+        {% if page() in ['news', 'meetings'] and is_user() and has_permission_to('atom') -%}
            {% set parameters = {'key': user.api_key} -%}
            {% if page() == 'meetings' -%}
                {% set parameters = parameters|merge({'meetings': 1}) -%}
--- a/src/Middleware/SessionHandlerServiceProvider.php
+++ b/src/Middleware/SessionHandlerServiceProvider.php
@ -14,6 +14,7 @@ class SessionHandlerServiceProvider extends ServiceProvider
            ->give(function () {
                return [
                    '/api',
+                    '/atom',
                    '/ical',
                    '/metrics',
                    '/shifts-json-export',