From 27fd564e9f3ef0a90ccaf81b8888a83f883eb10f Mon Sep 17 00:00:00 2001
From: frederikpyt
Date: Mon, 3 Aug 2020 08:33:11 +0200
Subject: [PATCH 1/2] Fixed permissions, seeders and security
---
 skolehjem/app/Http/Controllers/UserController.php | 10 ++++++----
 skolehjem/database/seeds/PermissionSeeder.php | 1 +
 skolehjem/database/seeds/RoleSeeder.php | 1 +
 3 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/skolehjem/app/Http/Controllers/UserController.php b/skolehjem/app/Http/Controllers/UserController.php
index d068c33..163dd8b 100644
--- a/skolehjem/app/Http/Controllers/UserController.php
+++ b/skolehjem/app/Http/Controllers/UserController.php
@@ -18,7 +18,7 @@ class UserController extends Controller
{
public function __construct()
{
- $this->middleware([ "auth" ])->only(["logout", "accountedit", "accounteditpass"]);
+ $this->middleware([ "auth" ])->only(["logout"]);
$this->middleware([ "guest" ])->only("login");
$this->middleware([ "check.auth:user.list" ])->only("index");
@@ -26,6 +26,8 @@ class UserController extends Controller
$this->middleware([ "check.auth:user.create" ])->only("create");
$this->middleware([ "check.auth:user.edit" ])->only("edit", "update");
$this->middleware([ "check.auth:user.delete" ])->only("delete");
+
+ $this->middleware([ "check.auth:ownuser.edit" ])->only("update", "accountedit", "accounteditpass");
}
/**
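Review bot: Dropping `auth` from `accountedit` and `accounteditpass` leaves those actions guarded only by `check.auth:ownuser.edit`, and how that middleware treats an unauthenticated request (redirect to login versus an error on a null user) is not visible here, so an anonymous hit may no longer get the login redirect. Keeping the `auth` middleware in front of the permission check is the cheaper guarantee: `$this->middleware([ "auth" ])->only(["logout", "accountedit", "accounteditpass"]);`. The constructor continues past the end of this hunk.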
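Review bot: `update` is now behind both `check.auth:user.edit` (the line above) and the new `check.auth:ownuser.edit`, and since stacked middleware must all pass, a user lacking either permission is rejected before the method's own `$id === Auth::id() || hasPermissionTo("user.edit")` decision runs — assuming `check.auth` aborts on a missing permission, which this hunk does not show. Either drop `update` from the new list, `$this->middleware([ "check.auth:ownuser.edit" ])->only("accountedit", "accounteditpass");`, or move the self-or-admin decision entirely into middleware so the two checks stop contradicting each other. The same list is edited again in the second patch's hunk.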
@@ -124,7 +126,7 @@ class UserController extends Controller
$user = User::find($id);
if($id === Auth::id() || auth()->user()->hasPermissionTo("user.edit")) {
- if ($request->roles != null) { //You can only edit roles on the admin site, so if there is an input roles, then update user info and edit roles
+ if ($request->roles != null && auth()->user()->hasPermissionTo("user.edit")) { //You can only edit roles on the admin site, so if there is an input roles, then update user info and edit roles
if ($request->password != "") { // If you have edited the password, then run this
if ($request->password == $request->password2) { // If the password is the same as confirm password, then update everything from user
$data = $request->all();
@@ -148,8 +150,8 @@ class UserController extends Controller
//$user->save();
} else { // Else if you're not on the admin site (user site)
- $data = $request->all();
if ($request->input('password') != null) { // If you're editing the password
+ $data = $request->only(['name_first', 'name_last', 'email', 'phone', 'password']);
if ($request->input('password') != $request->input('confirmpassword')) { // If new password and new password confirm is not the same, go back with fail message.
return redirect()->route("users.accounteditpass")->with('error#notsamepass', '
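Review bot: The admin branch still feeds `$data = $request->all()` into the update (last context line of the first hunk), while the user branch in the later hunks was tightened to `$request->only([...])`; this branch now requires `user.edit`, which narrows the exposure, but every extra field submitted (including the `roles` key itself) still reaches the model, so the same whitelist belongs here. Separately, `$id === Auth::id()` is a strict comparison between a route parameter (a string unless the route casts it) and an integer id, so the self-edit half of that condition may never be true — worth checking with `(int) $id === Auth::id()`. The enclosing method starts and ends outside these hunks.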

Der stod ikke det samme i `Nyt Password` & `Bekræft Nyt Password`!

');
} elseif (!Hash::check($request->input('oldpassword'), $user->password)) { // If the written current password and current password in DB is not the same, go back with fail message.
@@ -162,7 +164,7 @@ class UserController extends Controller
return redirect()->route("users.login")->with('success#passwordchange', '
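Review bot: The new `$data` carries the raw `password` input next to the profile fields, and the hunk ends before `$data` is consumed, so the hashing step is outside what is shown; confirm `Hash::make` (or a model mutator) is applied before `$user->update($data)`, otherwise the plaintext value lands in the column. A password-change request has little reason to also accept `name_first`, `name_last`, `email` and `phone`, so narrowing this branch to `$data = ['password' => Hash::make($request->input('password'))];` keeps it to its purpose. The enclosing method continues outside the hunk.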

Dit password er hermed ændret!

');
}
} else { // Else if you're not editing the password but anything else (Email, Phone Number). Then update user.
- $data = $request->all();
+ $data = $request->only(['name_first', 'name_last', 'email', 'phone']);
$user->update($data);
return redirect()->route("users.account")->with('success#credentialschanged', '

Dine oplysninger er hermed ændret!

');
diff --git a/skolehjem/database/seeds/PermissionSeeder.php b/skolehjem/database/seeds/PermissionSeeder.php
index 4c6c995..fb01e2a 100644
--- a/skolehjem/database/seeds/PermissionSeeder.php
+++ b/skolehjem/database/seeds/PermissionSeeder.php
@@ -22,6 +22,7 @@ class PermissionSeeder extends Seeder
"user.show" => "Shows another user profile.",
"user.edit" => "Allows editing of other users.",
"user.delete" => "Allows deleting of other users.",
+ "ownuser.edit" => "Allows editing of your own user",
/**
* The CALENDAR specific permissions
diff --git a/skolehjem/database/seeds/RoleSeeder.php b/skolehjem/database/seeds/RoleSeeder.php
index 4d90468..f369303 100644
--- a/skolehjem/database/seeds/RoleSeeder.php
+++ b/skolehjem/database/seeds/RoleSeeder.php
@@ -48,6 +48,7 @@ class RoleSeeder extends Seeder
$brugerPermissions->add(\Spatie\Permission\Models\Permission::query()->where("name", "=", "washing.machine.reservation.create")->first());
$brugerPermissions->add(\Spatie\Permission\Models\Permission::query()->where("name", "=", "washing.machine.reservation.delete")->first());
$brugerPermissions->add(\Spatie\Permission\Models\Permission::query()->where("name", "=", "washing.machine.reservation.list")->first());
+ $brugerPermissions->add(\Spatie\Permission\Models\Permission::query()->where("name", "=", "ownuser.edit")->first());
//Give permissions to Bruger (id: 2)
foreach ($brugerPermissions as $permission) {
From f14dc22d9208e37e2e586990b9c05831db1eabac Mon Sep 17 00:00:00 2001
From: frederikpyt
Date: Mon, 3 Aug 2020 08:35:20 +0200
Subject: [PATCH 2/2] Fixed permissions, seeders and security
---
 skolehjem/app/Http/Controllers/UserController.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/skolehjem/app/Http/Controllers/UserController.php b/skolehjem/app/Http/Controllers/UserController.php
index 163dd8b..83c285b 100644
--- a/skolehjem/app/Http/Controllers/UserController.php
+++ b/skolehjem/app/Http/Controllers/UserController.php
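Review bot: `$request->only(['name_first', 'name_last', 'email', 'phone'])` fixes the mass-assignment surface of this branch, but no validation is visible between the whitelist and `$user->update($data)`, so an empty or malformed `email`/`phone`, or an email already used by another account, goes straight to the database. A `$request->validate([...])` with `email` and `unique:users,email,` . $user->id rules ahead of the update would close that, and the `!= null` tests on the password input in the surrounding branches read more safely as `$request->filled('password')`. The enclosing method continues outside the hunk.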
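Review bot: The new entry `"ownuser.edit" => "Allows editing of your own user",` is the only description in this list without a trailing period; for consistency with its neighbours write `"ownuser.edit" => "Allows editing of your own user.",`. The description could also say what "editing" covers (profile fields and password, not roles), since the controller relies on that distinction.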
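Review bot: `Permission::query()->where("name", "=", "ownuser.edit")->first()` returns null when the permission row is missing (PermissionSeeder not run first, or the name drifting), and `add(null)` pushes a null into the collection that the `foreach` below then hands to the role assignment. `firstOrFail()` on the query, or `\Spatie\Permission\Models\Permission::findByName("ownuser.edit")`, fails loudly at seed time instead; the same applies to the existing lookups in this block. The `foreach` body lies outside the hunk.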
@@ -27,7 +27,7 @@ class UserController extends Controller
$this->middleware([ "check.auth:user.edit" ])->only("edit", "update");
$this->middleware([ "check.auth:user.delete" ])->only("delete");
- $this->middleware([ "check.auth:ownuser.edit" ])->only("update", "accountedit", "accounteditpass");
+ $this->middleware([ "check.auth:ownuser.edit" ])->only("update", "accountedit", "accounteditpass", "account");
}
/**
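Review bot: Adding `account` here puts the profile view behind `check.auth:ownuser.edit`, so a user whose role lacks that permission cannot open their own account page at all, and because the first patch removed `auth` from these actions an anonymous request reaches the permission check without the usual login redirect (how `check.auth` handles a guest is not shown). Keeping `account`, `accountedit` and `accounteditpass` under `auth` and reserving `ownuser.edit` for the edit actions separates "must be logged in" from "may change own data". `update` is still listed here as well as under `check.auth:user.edit` on the line above, so both permissions are required for it. The constructor starts outside the hunk.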