From 8b7ae81d66b9f7c2f85115e437c33ddb4f16d818 Mon Sep 17 00:00:00 2001
From: TimmensOne <timon.lorenzn@online.de>
Date: Fri, 31 Mar 2023 17:17:09 +0200
Subject: [PATCH] add admin gate

---
 .../app/Http/Controllers/DeviceController.php | 24 ++++++---
 .../LocationTransactionController.php         |  3 ++
 .../OwnerTransactionController.php            |  3 ++
 .../PurchasingInformationController.php       | 26 +---------
 .../app/Providers/AuthServiceProvider.php     |  9 +++-
 .../views/components/device-detail.blade.php  | 14 ++---
 .../components/location-transaction.blade.php | 14 ++---
 .../components/owner-transaction.blade.php    | 14 ++---
 .../purchasing-information.blade.php          |  4 +-
 .../resources/views/devices/index.blade.php   |  4 +-
 device-app/routes/web.php                     | 51 +++++++------------
 11 files changed, 80 insertions(+), 86 deletions(-)

diff --git a/device-app/app/Http/Controllers/DeviceController.php b/device-app/app/Http/Controllers/DeviceController.php
index 19a1a84..c99b7a0 100644
--- a/device-app/app/Http/Controllers/DeviceController.php
+++ b/device-app/app/Http/Controllers/DeviceController.php
@@ -5,10 +5,12 @@
 use App\Models\Device;
 use Illuminate\Http\Request;
 use Illuminate\Validation\Rule;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Http\RedirectResponse;
 
 class DeviceController extends Controller
 {
-    //
+    
     public function index()
     {
         return view('devices.index', [
@@ -16,11 +18,15 @@ public function index()
         ]);
     }
 
-    public function create(){
+    public function create()
+    {
+        $this->authorize('admin-only');
         return view('devices.create');
     }
 
-    public function store(Request $request){
+    public function store(Request $request)
+    {
+        $this->authorize('admin-only');
         $formFields = $request->validate([
             'title' => 'required',
             'device_type' => 'required',
@@ -36,11 +42,15 @@ public function store(Request $request){
         return redirect('/devices');
     }
 
-    public function edit(Device $device) {
+    public function edit(Device $device)
+    {
+        $this->authorize('admin-only');
         return view('devices.edit', ['device' => $device]);
     }
 
-    public function update(Device $device, Request $request){
+    public function update(Device $device, Request $request)
+    {
+        $this->authorize('admin-only');
         $formFields = $request->validate([
             'title' => 'required',
             'device_type' => 'required',
@@ -56,7 +66,9 @@ public function update(Device $device, Request $request){
         return back();
     }
 
-    public function destroy(Device $device){
+    public function destroy(Device $device): RedirectResponse
+    {
+        $this->authorize('admin-only');
         $device->delete();
         return redirect('devices');
     }
diff --git a/device-app/app/Http/Controllers/LocationTransactionController.php b/device-app/app/Http/Controllers/LocationTransactionController.php
index b40be93..25e1af0 100644
--- a/device-app/app/Http/Controllers/LocationTransactionController.php
+++ b/device-app/app/Http/Controllers/LocationTransactionController.php
@@ -28,11 +28,13 @@ public function store(Device $device, Request $request)
 
     public function edit(LocationTransaction $location)
     {
+        $this->authorize('admin-only');
         return view('locations.edit', ['location' => $location]);
     }
 
     public function update(LocationTransaction $location, Request $request)
     {
+        $this->authorize('admin-only');
         $formFields = $request->validate([
             'room_code' => 'required',
             'timestamp_located_since' => 'required'
@@ -45,6 +47,7 @@ public function update(LocationTransaction $location, Request $request)
 
     public function destroy(LocationTransaction $location)
     {
+        $this->authorize('admin-only');
         $location->delete();
         return back();
     }
diff --git a/device-app/app/Http/Controllers/OwnerTransactionController.php b/device-app/app/Http/Controllers/OwnerTransactionController.php
index 60198fa..df7e20b 100644
--- a/device-app/app/Http/Controllers/OwnerTransactionController.php
+++ b/device-app/app/Http/Controllers/OwnerTransactionController.php
@@ -28,11 +28,13 @@ public function store(Device $device, Request $request)
 
     public function edit(OwnerTransaction $owner)
     {
+        $this->authorize('admin-only');
         return view('owners.edit', ['owner' => $owner]);
     }
 
     public function update(OwnerTransaction $owner, Request $request)
     {
+        $this->authorize('admin-only');
         $formFields = $request->validate([
             'rz_username' => 'required',
             'timestamp_owner_since' => 'required'
@@ -45,6 +47,7 @@ public function update(OwnerTransaction $owner, Request $request)
 
     public function destroy(OwnerTransaction $owner)
     {
+        $this->authorize('admin-only');
         $owner->delete();
         return back();
     }
diff --git a/device-app/app/Http/Controllers/PurchasingInformationController.php b/device-app/app/Http/Controllers/PurchasingInformationController.php
index 0602f3b..7c2945f 100644
--- a/device-app/app/Http/Controllers/PurchasingInformationController.php
+++ b/device-app/app/Http/Controllers/PurchasingInformationController.php
@@ -8,32 +8,16 @@
 
 class PurchasingInformationController extends Controller
 {
-    public function create()
-    {
-        return view('purchasings.create');
-    }
-
-    public function store(Request $request)
-    {
-        $formFields = $request->validate([
-            'price' => 'required',
-            'timestamp_warranty_end' => 'required',
-            'timestamp_purchase' => 'required',
-            'cost_centre' => 'required',
-        ]);
-
-        PurchasingInformation::create($formFields);
-
-        return redirect('/');
-    }
 
     public function edit(Device $device)
     {
+        $this->authorize('admin-only');
         return view('purchasings.edit', ['purchasing' => $device->purchasing]);
     }
 
     public function update(Device $device, Request $request)
     {
+        $this->authorize('admin-only');
         $formFields = $request->validate([
             'price' => 'required',
             'timestamp_warranty_end' => 'required',
@@ -45,10 +29,4 @@ public function update(Device $device, Request $request)
 
         return redirect('/');
     }
-
-    public function destroy(PurchasingInformation $purchasing)
-    {
-        $purchasing->delete();
-        return back();
-    }
 }
diff --git a/device-app/app/Providers/AuthServiceProvider.php b/device-app/app/Providers/AuthServiceProvider.php
index dafcbee..910a928 100644
--- a/device-app/app/Providers/AuthServiceProvider.php
+++ b/device-app/app/Providers/AuthServiceProvider.php
@@ -2,7 +2,8 @@
 
 namespace App\Providers;
 
-// use Illuminate\Support\Facades\Gate;
+use App\Models\User;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
 
 class AuthServiceProvider extends ServiceProvider
@@ -21,6 +22,10 @@ class AuthServiceProvider extends ServiceProvider
      */
     public function boot(): void
     {
-        //
+        $this->registerPolicies();
+
+        Gate::define('admin-only', function (User $user) {
+            return $user->has_admin_privileges;
+        });
     }
 }
diff --git a/device-app/resources/views/components/device-detail.blade.php b/device-app/resources/views/components/device-detail.blade.php
index 7049f8f..c5e467c 100644
--- a/device-app/resources/views/components/device-detail.blade.php
+++ b/device-app/resources/views/components/device-detail.blade.php
@@ -11,12 +11,14 @@
         <li>serial_number: {{ $device['serial_number'] }}</li>
         <li>image_url: {{ $device['image_url'] }}</li>
     </ul>
-    <button><a href="{{ $device->device_id }}/edit">Edit</a></button>
-    <form method="POST" action="{{ $device->device_id }}">
-        @method('DELETE')
-        @csrf
-        <button>Delete</button>
-    </form>
+    @can('admin-only')
+        <button><a href="{{ $device->device_id }}/edit">Edit</a></button>
+        <form method="POST" action="{{ $device->device_id }}">
+            @method('DELETE')
+            @csrf
+            <button>Delete</button>
+        </form>
+    @endcan
     <x-purchasing-information :device="$device" />
     @php
         $locationTransactions = $device->locations;
diff --git a/device-app/resources/views/components/location-transaction.blade.php b/device-app/resources/views/components/location-transaction.blade.php
index 632a17e..a5db6ea 100644
--- a/device-app/resources/views/components/location-transaction.blade.php
+++ b/device-app/resources/views/components/location-transaction.blade.php
@@ -3,10 +3,12 @@
         <li>room_code: {{ $location->room_code }}</li>
         <li>timestamp_located_since: {{ $location->timestamp_located_since }}</li>
     </ul>
-    <button><a href="locations/{{ $location->location_transaction_id }}/edit">Edit</a></button>
-    <form method="POST" action="locations/{{ $location->location_transaction_id }}">
-        @method('DELETE')
-        @csrf
-        <button>Delete</button>
-    </form>
+    @can('admin-only')
+        <button><a href="locations/{{ $location->location_transaction_id }}/edit">Edit</a></button>
+        <form method="POST" action="locations/{{ $location->location_transaction_id }}">
+            @method('DELETE')
+            @csrf
+            <button>Delete</button>
+        </form>
+    @endcan
 </div>
\ No newline at end of file
diff --git a/device-app/resources/views/components/owner-transaction.blade.php b/device-app/resources/views/components/owner-transaction.blade.php
index 7105dad..1092aae 100644
--- a/device-app/resources/views/components/owner-transaction.blade.php
+++ b/device-app/resources/views/components/owner-transaction.blade.php
@@ -3,10 +3,12 @@
         <li>rz_username: {{ $owner->rz_username }}</li>
         <li>timestamp_owner_since: {{ $owner->timestamp_owner_since }}</li>
     </ul>
-    <button><a href="owners/{{ $owner->owner_transaction_id }}/edit">Edit</a></button>
-    <form method="POST" action="owners/{{ $owner->owner_transaction_id }}">
-        @method('DELETE')
-        @csrf
-        <button>Delete</button>
-    </form>
+    @can('admin-only')
+        <button><a href="owners/{{ $owner->owner_transaction_id }}/edit">Edit</a></button>
+        <form method="POST" action="owners/{{ $owner->owner_transaction_id }}">
+            @method('DELETE')
+            @csrf
+            <button>Delete</button>
+        </form>
+    @endcan
 </div>
\ No newline at end of file
diff --git a/device-app/resources/views/components/purchasing-information.blade.php b/device-app/resources/views/components/purchasing-information.blade.php
index 6d532ec..298408c 100644
--- a/device-app/resources/views/components/purchasing-information.blade.php
+++ b/device-app/resources/views/components/purchasing-information.blade.php
@@ -10,5 +10,7 @@
         <li>cost_centre: {{ $purchasing->cost_centre }}</li>
         <li>seller: {{ $purchasing->seller }}</li>
     </ul>
-    <button><a href="{{ $device->device_id }}/purchasing/edit">Edit</a></button>
+    @can('admin-only')
+        <button><a href="{{ $device->device_id }}/purchasing/edit">Edit</a></button>
+    @endcan
 </div>
\ No newline at end of file
diff --git a/device-app/resources/views/devices/index.blade.php b/device-app/resources/views/devices/index.blade.php
index dc001f8..3f8fba0 100644
--- a/device-app/resources/views/devices/index.blade.php
+++ b/device-app/resources/views/devices/index.blade.php
@@ -11,5 +11,7 @@
     @else
         <p>No devices found</p>
     @endunless
-    <button><a href="devices/create">Device</a></button>
+    @can('admin-only')
+        <button><a href="devices/create">Device</a></button>
+    @endcan
 @endsection
diff --git a/device-app/routes/web.php b/device-app/routes/web.php
index e88a952..90a3586 100644
--- a/device-app/routes/web.php
+++ b/device-app/routes/web.php
@@ -25,53 +25,36 @@
     return view('welcome');
 });
 
-// Devices routes
-// index - show all devices
-Route::get('/devices', [DeviceController::class, 'index']);
-// create - show device create form
-Route::get('/devices/create', [DeviceController::class, 'create'])->middleware('auth');
-// store - store new device
-Route::post('/devices', [DeviceController::class, 'store'])->middleware('auth');
-
 // Device purchasing routes
-//Route::get('/devices/{device}/purchasing/create', [PurchasingInformationController::class, 'create']);
-//Route::post('/devices/{device}/purchasing', [PurchasingInformationController::class, 'store']);
-Route::get('/devices/{device}/purchasing/edit', [PurchasingInformationController::class, 'edit']);
-Route::put('/devices/{device}/purchasing', [PurchasingInformationController::class, 'update']);
-//Route::delete('/devices/{device}/purchasing', [PurchasingInformationController::class, 'destroy']);
+Route::get('/devices/{device}/purchasing/edit', [PurchasingInformationController::class, 'edit'])->middleware('auth');
+Route::put('/devices/{device}/purchasing', [PurchasingInformationController::class, 'update'])->middleware('auth');
 
 // Device location routes
-Route::get('/devices/{device}/locations/create', [LocationTransactionController::class, 'create']);
-Route::post('/devices/{device}/locations', [LocationTransactionController::class, 'store']);
-Route::get('/devices/locations/{location}/edit', [LocationTransactionController::class, 'edit']);
-Route::put('/devices/locations/{location}', [LocationTransactionController::class, 'update']);
-Route::delete('/devices/locations/{location}', [LocationTransactionController::class, 'destroy']);
+Route::get('/devices/{device}/locations/create', [LocationTransactionController::class, 'create'])->middleware('auth');
+Route::post('/devices/{device}/locations', [LocationTransactionController::class, 'store'])->middleware('auth');
+Route::get('/devices/locations/{location}/edit', [LocationTransactionController::class, 'edit'])->middleware('auth');
+Route::put('/devices/locations/{location}', [LocationTransactionController::class, 'update'])->middleware('auth');
+Route::delete('/devices/locations/{location}', [LocationTransactionController::class, 'destroy'])->middleware('auth');
 
 // Device owner routes
-Route::get('/devices/{device}/owners/create', [OwnerTransactionController::class, 'create']);
-Route::post('/devices/{device}/owners', [OwnerTransactionController::class, 'store']);
-Route::get('/devices/owners/{owner}/edit', [OwnerTransactionController::class, 'edit']);
-Route::put('/devices/owners/{owner}', [OwnerTransactionController::class, 'update']);
-Route::delete('/devices/owners/{owner}', [OwnerTransactionController::class, 'destroy']);
+Route::get('/devices/{device}/owners/create', [OwnerTransactionController::class, 'create'])->middleware('auth');
+Route::post('/devices/{device}/owners', [OwnerTransactionController::class, 'store'])->middleware('auth');
+Route::get('/devices/owners/{owner}/edit', [OwnerTransactionController::class, 'edit'])->middleware('auth');
+Route::put('/devices/owners/{owner}', [OwnerTransactionController::class, 'update'])->middleware('auth');
+Route::delete('/devices/owners/{owner}', [OwnerTransactionController::class, 'destroy'])->middleware('auth');
 
-// 
-// edit - show edit form
+// Devices routes
+Route::get('/devices', [DeviceController::class, 'index'])->middleware('auth');
+Route::get('/devices/create', [DeviceController::class, 'create'])->middleware('auth');
+Route::post('/devices', [DeviceController::class, 'store'])->middleware('auth')->middleware('auth');
 Route::get('devices/{device}/edit', [DeviceController::class, 'edit'])->middleware('auth');
-// update - update device
 Route::put('devices/{device}', [DeviceController::class, 'update'])->middleware('auth');
-// destroy - delete device
 Route::delete('devices/{device}', [DeviceController::class, 'destroy'])->middleware('auth');
-// show - show sigle device
-Route::get('/devices/{device}', [DeviceController::class, 'show']);
+Route::get('/devices/{device}', [DeviceController::class, 'show'])->middleware('auth');
 
 //User routes
-// create - show register form
 Route::get('/register', [UserController::class, 'create']);
-// store - store new user
 Route::post('/users', [UserController::class, 'store']);
-// login - show user login form
 Route::get('/login', [UserController::class, 'login'])->name('login');
-// authenticate - log in user
 Route::post('/users/authenticate', [UserController::class, 'authenticate']);
-// logout - log out user
 Route::post('/logout', [UserController::class, 'logout']);
\ No newline at end of file