feat: update internship data retrieval permission checks
@@ -54,9 +54,28 @@ class InternshipController extends Controller
|
||||
return response()->json($internships);
|
||||
}
|
||||
|
||||
public function all_student()
|
||||
public function all_my()
|
||||
{
|
||||
$internships = Internship::where('user_id', auth()->id())->get()->makeHidden(['created_at', 'updated_at']);
|
||||
$user = auth()->user();
|
||||
|
||||
if ($user->role === 'STUDENT') {
|
||||
$internships = Internship::whereUserId($user->id)->get()->makeHidden(['created_at', 'updated_at']);
|
||||
} elseif ($user->role === 'EMPLOYER') {
|
||||
$company = Company::whereContact($user->id)->first();
|
||||
if (!$company) {
|
||||
return response()->json(['message' => 'No company associated with this user.'], 404);
|
||||
}
|
||||
$internships = Internship::whereCompanyId($company->id)->get()->makeHidden(['created_at', 'updated_at']);
|
||||
} else {
|
||||
abort(403, 'Unauthorized');
|
||||
}
|
||||
|
||||
if($user->role === "EMPLOYER") {
|
||||
$internships->each(function ($internship) {
|
||||
$internship->user = User::find($internship->user_id)->makeHidden(['created_at', 'updated_at', 'email_verified_at']);
|
||||
unset($internship->user_id);
|
||||
});
|
||||
}
|
||||
|
||||
$internships->each(function ($internship) {
|
||||
$internship->company = Company::find($internship->company_id)->makeHidden(['created_at', 'updated_at']);
|
||||
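Review bot: In the new EMPLOYER branch, `User::find($internship->user_id)->makeHidden(...)` (the `each` closure after the role check) calls a method on `null` whenever an internship's `user_id` no longer resolves, so one stale row turns the whole listing into a 500; the same applies to `Company::find($internship->company_id)->makeHidden(...)` at the end of the hunk. A nullsafe call keeps the listing usable, e.g. `$internship->user = User::find($internship->user_id)?->makeHidden(['created_at', 'updated_at', 'email_verified_at']);`. Note also that `$user = auth()->user()` is dereferenced without a null check, and the routes hunk at the bottom of this page registers `/my` before the `auth:sanctum` group, so unless an outer middleware applies authentication an anonymous request reaches `$user->role` and fails with a TypeError instead of a 401. The body of `all_my` continues past the end of the hunk.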
@@ -97,16 +116,16 @@ class InternshipController extends Controller
|
||||
], 400);
|
||||
}
|
||||
|
||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id) {
|
||||
abort(403, 'Unauthorized');
|
||||
}
|
||||
|
||||
$internship->company = Company::find($internship->company_id)->makeHidden(['created_at', 'updated_at']);
|
||||
unset($internship->company_id);
|
||||
|
||||
if($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) {
|
||||
abort(403, 'Unauthorized');
|
||||
}
|
||||
|
||||
$internship->contact = User::find($internship->company->contact)->makeHidden(['created_at', 'updated_at', 'email_verified_at']);
|
||||
unset($internship->company->contact);
|
||||
|
||||
|
||||
$internship->status = InternshipStatus::whereColumn('internship_id', '=', $internship->id)->orderByDesc('changed')->get()->first()->makeHidden(['created_at', 'updated_at', 'id']);
|
||||
$internship->status->modified_by = User::find($internship->status->modified_by)->makeHidden(['created_at', 'updated_at', 'email_verified_at']);
|
||||
|
||||
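Review bot: The relocated authorization check now reads `$internship->company->contact`, but the line `$internship->company = Company::find($internship->company_id)->makeHidden(...)` above it already dereferences a possibly-null `Company::find` result, so a dangling `company_id` produces a 500 before the permission decision is made. Load the company first and authorize on it before reshaping the model: `$company = Company::findOrFail($internship->company_id);` followed by `abort_unless($user->role === 'ADMIN' || $internship->user_id === $user->id || $user->id === $company->contact, 403, 'Unauthorized');` and only then the `makeHidden`/`unset` shaping. The `if(` spacing on the new condition also differs from the `if (` style used two lines earlier. `$user` and `$internship` are defined above this hunk, in the part of the method that is not shown.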
@@ -191,7 +210,7 @@ class InternshipController extends Controller
|
||||
], 400);
|
||||
}
|
||||
|
||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id) {
|
||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) {
|
||||
abort(403, 'Unauthorized');
|
||||
}
|
||||
|
||||
|
||||
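Review bot: The new three-way predicate `$user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact` is now copied verbatim into this method, the previous hunk, and the two InternshipStatusController hunks that follow (the `@@ -20,7` and `@@ -41,7` ones), which is how these checks drift apart over time. One helper or a Laravel policy method would give every endpoint the same rule, e.g. `private function authorizeInternshipAccess(User $user, Internship $internship): void` containing a single `abort_unless(..., 403, 'Unauthorized');`. The `@@ -105,9` hunk deliberately omits the owner clause, which presumably is intended, so it would call a separate, narrower helper. The surrounding method starts and ends outside this hunk.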
@@ -20,7 +20,7 @@ class InternshipStatusController extends Controller
|
||||
}
|
||||
|
||||
$internship = Internship::find($id);
|
||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id) {
|
||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) {
|
||||
abort(403, 'Unauthorized');
|
||||
}
|
||||
|
||||
@@ -41,7 +41,7 @@ class InternshipStatusController extends Controller
|
||||
], 400);
|
||||
}
|
||||
|
||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->contact) {
|
||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) {
|
||||
abort(403, 'Unauthorized');
|
||||
}
|
||||
|
||||
@@ -105,9 +105,7 @@ class InternshipStatusController extends Controller
|
||||
], 400);
|
||||
}
|
||||
|
||||
$company_contact = User::find($internship->contact);
|
||||
|
||||
if ($user->role !== 'ADMIN' && $user->id !== $company_contact->id) {
|
||||
if ($user->role !== 'ADMIN' && $user->id !== $internship->company->contact) {
|
||||
abort(403, 'Unauthorized');
|
||||
}
|
||||
|
||||
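Review bot: The new comparison `$user->id !== $internship->company->contact` is strict, and unlike the removed `User::find($internship->contact)` lookup it no longer confirms that the contact user exists; if `contact` is not cast to `int` on the Company model (the cast is not visible here) and the driver hands it back as a string, the legitimate contact would be refused with 403. If the cast is present this is fine; otherwise `(int) $internship->company->contact` in the comparison, or an explicit `$casts` entry on Company, removes the ambiguity. The enclosing method continues outside the hunk.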
@@ -139,11 +137,10 @@ class InternshipStatusController extends Controller
|
||||
}
|
||||
|
||||
private function possibleNewStatuses(string $current_status, string $userRole) {
|
||||
if($userRole === "STUDENT") return [];
|
||||
|
||||
switch ($current_status) {
|
||||
case 'SUBMITTED':
|
||||
if ($userRole === 'EMPLOYER') {
|
||||
return [];
|
||||
}
|
||||
return ['CONFIRMED', 'DENIED'];
|
||||
case 'CONFIRMED':
|
||||
if ($userRole === 'EMPLOYER') {
|
||||
|
||||
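Review bot: `possibleNewStatuses` declares parameter types but no return type, and its early guard `if($userRole === "STUDENT") return [];` mixes double quotes and missing `if (` spacing with the single-quoted `'EMPLOYER'` comparisons below it; `private function possibleNewStatuses(string $current_status, string $userRole): array` would let static analysis catch a missing `return` in the `switch`. Since every branch maps a status string to a list, a `match ($current_status)` expression would also remove the fallthrough risk of the `switch`. The switch body continues past the end of the hunk, so the full set of cases is not visible here.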
@@ -34,7 +34,7 @@ Route::post('/password-reset', [RegisteredUserController::class, 'reset_password
|
||||
|
||||
Route::prefix('/internships')->group(function () {
|
||||
Route::get("/", [InternshipController::class, 'all'])->name("api.internships");
|
||||
Route::get("/my", [InternshipController::class, 'all_student'])->name("api.internships.student");
|
||||
Route::get("/my", [InternshipController::class, 'all_my'])->name("api.internships.my");
|
||||
|
||||
Route::middleware("auth:sanctum")->group(function () {
|
||||
Route::prefix('/{id}')->group(function () {
|
||||
|
||||
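Review bot: The renamed `/my` route is registered at the prefix-group level, ahead of the `Route::middleware("auth:sanctum")->group(...)` call, so unless an outer middleware already enforces authentication the `all_my` action can be reached anonymously and will dereference a null `auth()->user()`. Either move the line into the middleware group or attach the middleware directly: `Route::middleware("auth:sanctum")->get("/my", [InternshipController::class, 'all_my'])->name("api.internships.my");`. The route name also changes from `api.internships.student` to `api.internships.my`, so any `route('api.internships.student')` call elsewhere would now throw; worth a grep before merging.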