add role checks for admin function

admin functions are not shown to member with incorrect roles, but added a bit more padding in the controller itself to check if the role is correct before running an admin action for a little extra security
2025-06-25 16:04:37 -05:00 · 2024-09-29 15:55:55 -06:00
parent 19d5324c69
commit 94e90e3c83
2 changed files with 67 additions and 32 deletions
--- a/app/Http/Controllers/MemberController.php
+++ b/app/Http/Controllers/MemberController.php
@ -72,34 +72,51 @@ class MemberController extends Controller
    //actions
    public function profileEdit(Request $request)
    {
-        $token    = csrf_token();
-        $response = $this->member->editProfile($request);
-        if ($response['status'] == true) {
-            return back()->with('message', $response['message']);
+        $token = csrf_token();
+        //check if logged in member id matches profile request id
+        $member = Auth::user();
+        if ($member->uuid == $request->id) {
+            $response = $this->member->editProfile($request);
+            if ($response['status'] == true) {
+                return back()->with('message', $response['message']);
+            } else {
+                return back()->withErrors([$response['message']]);
+            }
        } else {
-            return back()->withErrors([$response['message']]);
+            return back()->withErrors(['This is not your profile to edit.']);
        }
    }

    public function memberEdit(Request $request)
    {
-        $token    = csrf_token();
-        $response = $this->member->edit($request);
-        if ($response['status'] == true) {
-            return back()->with('message', $response['message']);
+        $token = csrf_token();
+        //role check
+        $member = Auth::user();
+        if ($member->role == 0 || $member->role == 1) {
+            $response = $this->member->edit($request);
+            if ($response['status'] == true) {
+                return back()->with('message', $response['message']);
+            } else {
+                return back()->withErrors([$response['message']]);
+            }
        } else {
-            return back()->withErrors([$response['message']]);
+            return back()->withErrors(['Nah, you can\'t do this. Wrong permissions.']);
        }
    }

    public function memberCreate(Request $request)
    {
-        $token    = csrf_token();
-        $response = $this->member->add($request);
-        if ($response['status'] == true) {
-            return redirect('/den/member')->with('message', $response['message']);
+        $token  = csrf_token();
+        $member = Auth::user();
+        if ($member->role == 0 || $member->role == 1) {
+            $response = $this->member->add($request);
+            if ($response['status'] == true) {
+                return redirect('/den/member')->with('message', $response['message']);
+            } else {
+                return back()->withErrors([$response['message']]);
+            }
        } else {
-            return back()->withErrors([$response['message']]);
+            return back()->withErrors(['Nah, you can\'t do this. Wrong permissions.']);
        }
    }
 }