zhangyuheng/blessing-skin-server
1
0
Fork 0
forked from mirror/blessing-skin-server
Code Pull Requests Activity

Forbid operations when user lacks permission

Browse Source
This commit is contained in:
printempw 2017-07-14 08:21:29 +08:00
parent 8bb885d476
commit 397da60f4f
3 changed files with 19 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
app/Http/Controllers/AdminController.php
View File

@ -227,8 +227,13 @@ class AdminController extends Controller
$action = $request->input('action'); $action = $request->input('action');
$user = $users->get($request->input('uid')); $user = $users->get($request->input('uid'));
if (!$user) if (! $user) {
return json(trans('admin.users.operations.non-existent'), 1); return json(trans('admin.users.operations.non-existent'), 1);
}
if ($user->permission >= app('user.current')->permission) {
return json(trans('admin.users.operations.no-permission'), 1);
}
if ($action == "email") { if ($action == "email") {
$this->validate($request, [ $this->validate($request, [
@ -250,7 +255,9 @@ class AdminController extends Controller
$user->setNickName($request->input('nickname')); $user->setNickName($request->input('nickname'));
return json(trans('admin.users.operations.nickname.success', ['new' => $request->input('nickname')]), 0); return json(trans('admin.users.operations.nickname.success', [
'new' => $request->input('nickname')
]), 0);
} elseif ($action == "password") { } elseif ($action == "password") {
$this->validate($request, [ $this->validate($request, [
@ -271,13 +278,6 @@ class AdminController extends Controller
return json(trans('admin.users.operations.score.success'), 0); return json(trans('admin.users.operations.score.success'), 0);
} elseif ($action == "ban") { } elseif ($action == "ban") {
if ($user->getPermission() == User::ADMIN) {
if (app('user.current')->getPermission() != User::SUPER_ADMIN)
return json(trans('admin.users.operations.ban.cant-admin'));
} elseif ($user->getPermission() == User::SUPER_ADMIN) {
return json(trans('admin.users.operations.ban.cant-super-admin'));
}
$permission = $user->getPermission() == User::BANNED ? User::NORMAL : User::BANNED; $permission = $user->getPermission() == User::BANNED ? User::NORMAL : User::BANNED;
$user->setPermission($permission); $user->setPermission($permission);
@ -289,12 +289,6 @@ class AdminController extends Controller
]); ]);
} elseif ($action == "admin") { } elseif ($action == "admin") {
if (app('user.current')->getPermission() != User::SUPER_ADMIN)
return json(trans('admin.users.operations.admin.cant-set'));
if ($user->getPermission() == User::SUPER_ADMIN)
return json(trans('admin.users.operations.admin.cant-unset'));
$permission = $user->getPermission() == User::ADMIN ? User::NORMAL : User::ADMIN; $permission = $user->getPermission() == User::ADMIN ? User::NORMAL : User::ADMIN;
$user->setPermission($permission); $user->setPermission($permission);
@ -321,8 +315,13 @@ class AdminController extends Controller
$player = Player::find($request->input('pid')); $player = Player::find($request->input('pid'));
if (!$player) if (! $player) {
abort(404, trans('general.unexistent-player')); abort(404, trans('general.unexistent-player'));
}
if ($player->user->permission >= app('user.current')->permission) {
return json(trans('admin.players.no-permission'), 1);
}
if ($action == "preference") { if ($action == "preference") {
$this->validate($request, [ $this->validate($request, [

4
resources/lang/en/admin.yml
View File

@ -17,6 +17,7 @@ users:
operations: operations:
title: Operations title: Operations
non-existent: No such user. non-existent: No such user.
no-permission: You have no permission to operate this user.
email: email:
change: Edit Email change: Edit Email
existed: :email is existed. existed: :email is existed.
@ -36,8 +37,6 @@ users:
unset: unset:
text: Remove Admin text: Remove Admin
success: The account's admin privilege has been removed. success: The account's admin privilege has been removed.
cant-set: Only super admins can do the operation
cant-unset: Can't remove super admin privilege
ban: ban:
ban: ban:
text: Ban text: Ban
@ -54,6 +53,7 @@ users:
cant-admin: You can't delete admins. cant-admin: You can't delete admins.
players: players:
no-permission: You have no permission to operate this player.
operations: operations:
title: Operations title: Operations
preference: preference:

4
resources/lang/zh_CN/admin.yml
View File

@ -17,6 +17,7 @@ users:
operations: operations:
title: 更多操作 title: 更多操作
non-existent: 用户不存在 non-existent: 用户不存在
no-permission: 你无权操作此用户
email: email:
change: 修改邮箱 change: 修改邮箱
existed: :email 已被占用 existed: :email 已被占用
@ -36,8 +37,6 @@ users:
unset: unset:
text: 解除管理员 text: 解除管理员
success: 账号已被解除管理员 success: 账号已被解除管理员
cant-set: 非超级管理员无法进行此操作
cant-unset: 无法解除超级管理员
ban: ban:
ban: ban:
text: 封禁 text: 封禁
@ -54,6 +53,7 @@ users:
cant-admin: 你不能删除管理员账号哦 cant-admin: 你不能删除管理员账号哦
players: players:
no-permission: 你无权操作此角色
operations: operations:
title: 更多操作 title: 更多操作
preference: preference: