From 30973b2cedb39d3b7c4f46caae8bcf55e81ed738 Mon Sep 17 00:00:00 2001 From: br0kenpixel <23280129+br0kenpixel@users.noreply.github.com> Date: Mon, 3 Nov 2025 20:45:45 +0100 Subject: [PATCH] feat: update internship data retrieval permission checks --- .../Http/Controllers/InternshipController.php | 35 ++++++++++++++----- .../InternshipStatusController.php | 13 +++---- backend/routes/api.php | 2 +- 3 files changed, 33 insertions(+), 17 deletions(-) diff --git a/backend/app/Http/Controllers/InternshipController.php b/backend/app/Http/Controllers/InternshipController.php index 62b7bea..ee474f5 100644 --- a/backend/app/Http/Controllers/InternshipController.php +++ b/backend/app/Http/Controllers/InternshipController.php @@ -54,9 +54,28 @@ class InternshipController extends Controller return response()->json($internships); } - public function all_student() + public function all_my() { - $internships = Internship::where('user_id', auth()->id())->get()->makeHidden(['created_at', 'updated_at']); + $user = auth()->user(); + + if ($user->role === 'STUDENT') { + $internships = Internship::whereUserId($user->id)->get()->makeHidden(['created_at', 'updated_at']); + } elseif ($user->role === 'EMPLOYER') { + $company = Company::whereContact($user->id)->first(); + if (!$company) { + return response()->json(['message' => 'No company associated with this user.'], 404); + } + $internships = Internship::whereCompanyId($company->id)->get()->makeHidden(['created_at', 'updated_at']); + } else { + abort(403, 'Unauthorized'); + } + + if($user->role === "EMPLOYER") { + $internships->each(function ($internship) { + $internship->user = User::find($internship->user_id)->makeHidden(['created_at', 'updated_at', 'email_verified_at']); + unset($internship->user_id); + }); + } $internships->each(function ($internship) { $internship->company = Company::find($internship->company_id)->makeHidden(['created_at', 'updated_at']); 
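Review bot: `all_my` reads `$user->role` straight off `auth()->user()`, yet the routes hunk in this same patch keeps `/my` registered before the `auth:sanctum` group, so unless the `/internships` prefix group is wrapped in auth middleware elsewhere an unauthenticated request reaches this method with `$user === null`; reading `->role` on null is a PHP warning that Laravel's error handler typically turns into an exception, i.e. a 500 where a 401 is the accurate answer (the old `auth()->id()` version merely returned an empty list). Either move the route inside the `auth:sanctum` group or guard first with `$user = auth()->user() ?? abort(401, 'Unauthenticated');`. Separately, the second `if($user->role === "EMPLOYER")` block that attaches `user` repeats the role dispatch just above it — folding that `each` into the `elseif ($user->role === 'EMPLOYER')` branch keeps the per-role logic in one place and removes the single-vs-double quote inconsistency. `all_my` continues past the end of the hunk.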
@@ -97,16 +116,16 @@ class InternshipController extends Controller ], 400); } - if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id) { - abort(403, 'Unauthorized'); - } - $internship->company = Company::find($internship->company_id)->makeHidden(['created_at', 'updated_at']); unset($internship->company_id); + if($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) { + abort(403, 'Unauthorized'); + } + $internship->contact = User::find($internship->company->contact)->makeHidden(['created_at', 'updated_at', 'email_verified_at']); unset($internship->company->contact); - + $internship->status = InternshipStatus::whereColumn('internship_id', '=', $internship->id)->orderByDesc('changed')->get()->first()->makeHidden(['created_at', 'updated_at', 'id']); $internship->status->modified_by = User::find($internship->status->modified_by)->makeHidden(['created_at', 'updated_at', 'email_verified_at']); @@ -191,7 +210,7 @@ class InternshipController extends Controller ], 400); } - if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id) { + if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) { abort(403, 'Unauthorized'); } diff --git a/backend/app/Http/Controllers/InternshipStatusController.php b/backend/app/Http/Controllers/InternshipStatusController.php index a25e20d..2621faa 100644 --- a/backend/app/Http/Controllers/InternshipStatusController.php +++ b/backend/app/Http/Controllers/InternshipStatusController.php @@ -20,7 +20,7 @@ class InternshipStatusController extends Controller } $internship = Internship::find($id); - if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id) { + if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) { abort(403, 'Unauthorized'); } 
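Review bot: The ownership predicate `$user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact` introduced here is copy-pasted into the `@@ -191` hunk below and into all three InternshipStatusController hunks, so the next change to who may read an internship must be made in five places. Extracting it once — a private `canAccess(User $user, Internship $internship): bool` helper, or better a Laravel policy so each call site becomes `$this->authorize('view', $internship);` — keeps the rule in one reviewable spot. Note also that the check in this hunk now sits below `Company::find(...)->makeHidden(...)`, so the company lookup (and any failure on a missing company) runs before the caller is authorized; the previous placement, ahead of all data assembly, was the safer order. The enclosing method starts and ends outside the hunk.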
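Review bot: In the `@@ -191` hunk `$internship->company->contact` is read without `company` being assigned anywhere visible, unlike the `show` hunk above where it is set explicitly from `Company::find`; the same pattern appears in the three InternshipStatusController hunks. If `Internship` defines a `company()` Eloquent relationship this lazy-loads and the check behaves as intended, but if `company` is not a relation the property is null, the read raises a warning that Laravel typically converts to an exception, and the condition never evaluates — every employer request would fail with a 500 rather than be authorized. Worth confirming the relation exists, or making the intent explicit with `$user->id !== $internship->company?->contact` so a missing company is an ordinary denial. The enclosing method starts and ends outside the hunk.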
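Review bot: The new condition in the `@@ -20,7` hunk of InternshipStatusController dereferences `$internship` twice immediately after `$internship = Internship::find($id);`, which returns null for an unknown id; unless the block closed just above already validated that the id exists, that produces a null-property error instead of the 404 a caller expects. `$internship = Internship::findOrFail($id);` yields the 404 automatically and lets the authorization line assume a real model. The method continues outside the hunk.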
@@ -41,7 +41,7 @@ class InternshipStatusController extends Controller ], 400); } - if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->contact) { + if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) { abort(403, 'Unauthorized'); } @@ -105,9 +105,7 @@ class InternshipStatusController extends Controller ], 400); } - $company_contact = User::find($internship->contact); - - if ($user->role !== 'ADMIN' && $user->id !== $company_contact->id) { + if ($user->role !== 'ADMIN' && $user->id !== $internship->company->contact) { abort(403, 'Unauthorized'); } @@ -139,11 +137,10 @@ class InternshipStatusController extends Controller } private function possibleNewStatuses(string $current_status, string $userRole) { + if($userRole === "STUDENT") return []; + switch ($current_status) { case 'SUBMITTED': - if ($userRole === 'EMPLOYER') { - return []; - } return ['CONFIRMED', 'DENIED']; case 'CONFIRMED': if ($userRole === 'EMPLOYER') { diff --git a/backend/routes/api.php b/backend/routes/api.php index 367f259..a25dc1f 100644 --- a/backend/routes/api.php +++ b/backend/routes/api.php @@ -34,7 +34,7 @@ Route::post('/password-reset', [RegisteredUserController::class, 'reset_password Route::prefix('/internships')->group(function () { Route::get("/", [InternshipController::class, 'all'])->name("api.internships"); - Route::get("/my", [InternshipController::class, 'all_student'])->name("api.internships.student"); + Route::get("/my", [InternshipController::class, 'all_my'])->name("api.internships.my"); Route::middleware("auth:sanctum")->group(function () { Route::prefix('/{id}')->group(function () {
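Review bot: `possibleNewStatuses` now decides by exclusion — the added `if($userRole === "STUDENT") return [];` is the only gate, so any role string other than exactly `STUDENT` (a typo, a future role, an empty string) falls into the `switch` and is offered the privileged transitions, e.g. `['CONFIRMED', 'DENIED']` for `SUBMITTED`. Authorization tables like this should allow-list: `if (!in_array($userRole, ['ADMIN', 'EMPLOYER'], true)) { return []; }` gives students and employers the same result as now while refusing anything unexpected. Style-wise, the method still lacks a return type (`: array`), the new line uses `if(` and double quotes against the file's `if (` single-quote convention, and the `switch` is a natural `match`. The method and its `switch` continue past the end of the hunk.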