feat: update internship data retrieval permission checks
@@ -54,9 +54,28 @@ class InternshipController extends Controller
|
|||||||
return response()->json($internships);
|
return response()->json($internships);
|
||||||
}
|
}
|
||||||
|
|
||||||
public function all_student()
|
public function all_my()
|
||||||
{
|
{
|
||||||
$internships = Internship::where('user_id', auth()->id())->get()->makeHidden(['created_at', 'updated_at']);
|
$user = auth()->user();
|
||||||
|
|
||||||
|
if ($user->role === 'STUDENT') {
|
||||||
|
$internships = Internship::whereUserId($user->id)->get()->makeHidden(['created_at', 'updated_at']);
|
||||||
|
} elseif ($user->role === 'EMPLOYER') {
|
||||||
|
$company = Company::whereContact($user->id)->first();
|
||||||
|
if (!$company) {
|
||||||
|
return response()->json(['message' => 'No company associated with this user.'], 404);
|
||||||
|
}
|
||||||
|
$internships = Internship::whereCompanyId($company->id)->get()->makeHidden(['created_at', 'updated_at']);
|
||||||
|
} else {
|
||||||
|
abort(403, 'Unauthorized');
|
||||||
|
}
|
||||||
|
|
||||||
|
if($user->role === "EMPLOYER") {
|
||||||
|
$internships->each(function ($internship) {
|
||||||
|
$internship->user = User::find($internship->user_id)->makeHidden(['created_at', 'updated_at', 'email_verified_at']);
|
||||||
|
unset($internship->user_id);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
$internships->each(function ($internship) {
|
$internships->each(function ($internship) {
|
||||||
$internship->company = Company::find($internship->company_id)->makeHidden(['created_at', 'updated_at']);
|
$internship->company = Company::find($internship->company_id)->makeHidden(['created_at', 'updated_at']);
|
||||||
@@ -97,16 +116,16 @@ class InternshipController extends Controller
|
|||||||
], 400);
|
], 400);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id) {
|
|
||||||
abort(403, 'Unauthorized');
|
|
||||||
}
|
|
||||||
|
|
||||||
$internship->company = Company::find($internship->company_id)->makeHidden(['created_at', 'updated_at']);
|
$internship->company = Company::find($internship->company_id)->makeHidden(['created_at', 'updated_at']);
|
||||||
unset($internship->company_id);
|
unset($internship->company_id);
|
||||||
|
|
||||||
|
if($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) {
|
||||||
|
abort(403, 'Unauthorized');
|
||||||
|
}
|
||||||
|
|
||||||
$internship->contact = User::find($internship->company->contact)->makeHidden(['created_at', 'updated_at', 'email_verified_at']);
|
$internship->contact = User::find($internship->company->contact)->makeHidden(['created_at', 'updated_at', 'email_verified_at']);
|
||||||
unset($internship->company->contact);
|
unset($internship->company->contact);
|
||||||
|
|
||||||
$internship->status = InternshipStatus::whereColumn('internship_id', '=', $internship->id)->orderByDesc('changed')->get()->first()->makeHidden(['created_at', 'updated_at', 'id']);
|
$internship->status = InternshipStatus::whereColumn('internship_id', '=', $internship->id)->orderByDesc('changed')->get()->first()->makeHidden(['created_at', 'updated_at', 'id']);
|
||||||
$internship->status->modified_by = User::find($internship->status->modified_by)->makeHidden(['created_at', 'updated_at', 'email_verified_at']);
|
$internship->status->modified_by = User::find($internship->status->modified_by)->makeHidden(['created_at', 'updated_at', 'email_verified_at']);
|
||||||
|
|
||||||
@@ -191,7 +210,7 @@ class InternshipController extends Controller
|
|||||||
], 400);
|
], 400);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id) {
|
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) {
|
||||||
abort(403, 'Unauthorized');
|
abort(403, 'Unauthorized');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
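Review bot: `all_my()` reads `$user->role` straight after `$user = auth()->user();` with no null guard, while the routes hunk keeps `/my` outside the `auth:sanctum` group, so an unauthenticated request ends in a property-read-on-null error (500) instead of a 401 unless the controller's constructor applies auth middleware, which is not visible here. Add `if ($user === null) { abort(401); }` right after the lookup, or move the `/my` route inside the `auth:sanctum` group. In the EMPLOYER branch `User::find($internship->user_id)->makeHidden(...)` will fault the same way on a dangling `user_id`; `User::find($internship->user_id)?->makeHidden(...)` keeps the response shape stable if the project is on PHP 8. In the second hunk the ownership check now runs after `Company::find(...)` and `unset($internship->company_id)`, which is acceptable only because a missing company makes `$internship->company->contact` a null read that fails closed with a warning; an explicit `abort(404)` when `Company::find` returns null would make that intent visible.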
|||||||
@@ -20,7 +20,7 @@ class InternshipStatusController extends Controller
|
|||||||
}
|
}
|
||||||
|
|
||||||
$internship = Internship::find($id);
|
$internship = Internship::find($id);
|
||||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id) {
|
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) {
|
||||||
abort(403, 'Unauthorized');
|
abort(403, 'Unauthorized');
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -41,7 +41,7 @@ class InternshipStatusController extends Controller
|
|||||||
], 400);
|
], 400);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->contact) {
|
if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && $user->id !== $internship->company->contact) {
|
||||||
abort(403, 'Unauthorized');
|
abort(403, 'Unauthorized');
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -105,9 +105,7 @@ class InternshipStatusController extends Controller
|
|||||||
], 400);
|
], 400);
|
||||||
}
|
}
|
||||||
|
|
||||||
$company_contact = User::find($internship->contact);
|
if ($user->role !== 'ADMIN' && $user->id !== $internship->company->contact) {
|
||||||
|
|
||||||
if ($user->role !== 'ADMIN' && $user->id !== $company_contact->id) {
|
|
||||||
abort(403, 'Unauthorized');
|
abort(403, 'Unauthorized');
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -139,11 +137,10 @@ class InternshipStatusController extends Controller
|
|||||||
}
|
}
|
||||||
|
|
||||||
private function possibleNewStatuses(string $current_status, string $userRole) {
|
private function possibleNewStatuses(string $current_status, string $userRole) {
|
||||||
|
if($userRole === "STUDENT") return [];
|
||||||
|
|
||||||
switch ($current_status) {
|
switch ($current_status) {
|
||||||
case 'SUBMITTED':
|
case 'SUBMITTED':
|
||||||
if ($userRole === 'EMPLOYER') {
|
|
||||||
return [];
|
|
||||||
}
|
|
||||||
return ['CONFIRMED', 'DENIED'];
|
return ['CONFIRMED', 'DENIED'];
|
||||||
case 'CONFIRMED':
|
case 'CONFIRMED':
|
||||||
if ($userRole === 'EMPLOYER') {
|
if ($userRole === 'EMPLOYER') {
|
||||||
|
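Review bot: The new checks compare `$user->id` with `$internship->company->contact`, but I cannot tell from these hunks whether `Internship` defines a `company` relation (InternshipController attaches `company` by hand via `Company::find(...)`), and in the first hunk `$internship = Internship::find($id);` has no null check, so a bad id or a missing relation reduces the comparison to `$user->id !== null`. That fails closed for employers and students, but an ADMIN proceeds with a null `$internship` and fails further down; use `$internship = Internship::findOrFail($id);` and make the missing-company case explicit with `$contact = $internship->company?->contact;` followed by `if ($user->role !== 'ADMIN' && $internship->user_id !== $user->id && ($contact === null || $user->id !== $contact)) {`. In `possibleNewStatuses` the added `if($userRole === "STUDENT") return [];` is a deny-list, so any role other than STUDENT (including an unknown one) now receives the ADMIN transitions, whereas `all_my` falls through to 403; `if ($userRole !== 'ADMIN' && $userRole !== 'EMPLOYER') return [];` gives the same default-deny here. That method continues past the end of the hunk.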
|||||||
@@ -34,7 +34,7 @@ Route::post('/password-reset', [RegisteredUserController::class, 'reset_password
|
|||||||
|
|
||||||
Route::prefix('/internships')->group(function () {
|
Route::prefix('/internships')->group(function () {
|
||||||
Route::get("/", [InternshipController::class, 'all'])->name("api.internships");
|
Route::get("/", [InternshipController::class, 'all'])->name("api.internships");
|
||||||
Route::get("/my", [InternshipController::class, 'all_student'])->name("api.internships.student");
|
Route::get("/my", [InternshipController::class, 'all_my'])->name("api.internships.my");
|
||||||
|
|
||||||
Route::middleware("auth:sanctum")->group(function () {
|
Route::middleware("auth:sanctum")->group(function () {
|
||||||
Route::prefix('/{id}')->group(function () {
|
Route::prefix('/{id}')->group(function () {
|
||||||
|
|||||||