From fdbef3a5e89c6c42d0ac4bc564bbb76fff35113a Mon Sep 17 00:00:00 2001 From: Daeng Deni Mardaeni Date: Sun, 22 Jun 2025 18:11:14 +0700 Subject: [PATCH] feat(usermanagement): perbaiki otorisasi, tambah fitur ekspor, dan optimalkan logika pada beberapa controller - **Perbaikan Izin Akses**: - Mengganti kunci permission pada beberapa metode agar lebih konsisten: - `usermanagement.store` menjadi `usermanagement.create` (store). - `usermanagement.edit` menjadi `usermanagement.update` (edit/update). - `usermanagement.read` tetap diatur sesuai context (index/view). - Menambahkan `abort(403)` pada metode yang belum memiliki pengecekan izin untuk memastikan keamanan. - **Peningkatan Fitur**: - Menambahkan fitur ekspor pada `PermissionsController`, `PositionsController`, `RolesController`, dan `UsersController`: - Cek validasi izin sebelum melakukan ekspor. - Mendukung pengunduhan file Excel. - **Optimalisasi Logika**: - Menggabungkan properti `user` di semua controller dengan mendefinisikannya melalui konstruktor. - Menghapus redundansi load user menggunakan `Auth::guard('web')->user()` di setiap metode. - Menyederhanakan pengaturan logging aktivitas untuk setiap operasi CRUD. - **Penyesuaian & Penambahan**: - Menambahkan slug `restore` ke daftar permission terkait untuk operasi pemulihan yang diimplementasikan. - Menghapus komentar kode yang tidak digunakan dan mendokumentasikan ulang logika penting untuk lebih jelas. Signed-off-by: Daeng Deni Mardaeni --- .../Controllers/PermissionsController.php | 17 +++-- app/Http/Controllers/PositionsController.php | 62 +++++++------------ app/Http/Controllers/RolesController.php | 4 ++ app/Http/Controllers/UsersController.php | 27 +++++--- 4 files changed, 57 insertions(+), 53 deletions(-) diff --git a/app/Http/Controllers/PermissionsController.php b/app/Http/Controllers/PermissionsController.php index 81f5f1d..1d72817 100644 --- a/app/Http/Controllers/PermissionsController.php +++ b/app/Http/Controllers/PermissionsController.php 
@@ -63,8 +63,8 @@
 public function store(PermissionRequest $request)
 {
 // Check if the authenticated user has the required permission to store permissions
- if (is_null($this->user) || !$this->user->can('usermanagement.store')) {
- abort(403, 'Sorry! You are not allowed to store permissions.');
+ if (is_null($this->user) || !$this->user->can('usermanagement.create')) {
+ abort(403, 'Sorry! You are not allowed to create permissions.');
 }
 $validate = $request->validated();
@@ -80,7 +80,8 @@
 $group_name . '.delete',
 $group_name . '.export',
 $group_name . '.authorize',
- $group_name . '.report'
+ $group_name . '.report',
+ $group_name . '.restore'
 ];
 foreach ($data as $permission) {
@@ -126,7 +127,7 @@
 public function edit($id)
 {
 // Check if the authenticated user has the required permission to edit permissions
- if (is_null($this->user) || !$this->user->can('usermanagement.edit')) {
+ if (is_null($this->user) || !$this->user->can('usermanagement.update')) {
 abort(403, 'Sorry! You are not allowed to edit permissions.');
 }
@@ -173,7 +174,8 @@
 $group_name . '.delete',
 $group_name . '.export',
 $group_name . '.authorize',
- $group_name . '.report'
+ $group_name . '.report',
+ $group_name . '.restore'
 ];
 $i = 0;
@@ -325,6 +327,11 @@
 public function export()
 {
+ // Check if the authenticated user has the required permission to export permissions
+ if (is_null($this->user) || !$this->user->can('usermanagement.export')) {
+ abort(403, 'Sorry! You are not allowed to export permissions.');
+ }
+
 return Excel::download(new PermissionExport, 'permissions.xlsx');
 }
 }
diff --git a/app/Http/Controllers/PositionsController.php b/app/Http/Controllers/PositionsController.php
index 8e47f2f..bcb0dd4 100644
--- a/app/Http/Controllers/PositionsController.php
+++ b/app/Http/Controllers/PositionsController.php
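Review bot: The permission slugs checked in store() and edit() are renamed (`usermanagement.store` → `usermanagement.create`, `usermanagement.edit` → `usermanagement.update`) but nothing in this commit updates `permissions` rows or role assignments that were seeded under the old names, so if those exist every store()/edit() call will 403 until the data is migrated — it fails closed, which is the right direction, but the seeder or migration belongs in the same commit. The `.restore` slug is appended to the same literal list in both the store() and edit() hunks; hoisting that list into one class constant would keep the two from drifting. Also check how the index-based loop that follows `$i = 0;` (its body is outside the hunk) behaves for groups created before `.restore` existed, which have one fewer stored row than the list now has.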
@@ -23,7 +23,17 @@
 /**
 * @var \Illuminate\Contracts\Auth\Authenticatable|null
 */
- public $user;
+ public $this->user;
+
+ /**
+ * UsersController constructor.
+ *
+ * Initializes the user property with the authenticated user.
+ */
+ public function __construct()
+ {
+ $this->user = Auth::guard('web')->user();
+ }
 /**
 * Display a listing of the resource.
@@ -32,11 +42,8 @@
 */
 public function index()
 {
- // Get the authenticated user
- $user = Auth::guard('web')->user();
-
 // Check if the authenticated user has the required permission to view positions
- if (is_null($user) || !$user->can('usermanagement.read')) {
+ if (is_null($this->user) || !$this->user->can('usermanagement.read')) {
 abort(403, 'Sorry! You are not allowed to view positions.');
 }
@@ -56,12 +63,9 @@
 */
 public function store(PositionRequest $request)
 {
- // Get the authenticated user
- $user = Auth::guard('web')->user();
-
 // Check if the authenticated user has the required permission to store positions
- if (is_null($user) || !$user->can('usermanagement.create')) {
- abort(403, 'Sorry! You are not allowed to store positions.');
+ if (is_null($this->user) || !$this->user->can('usermanagement.create')) {
+ abort(403, 'Sorry! You are not allowed to create positions.');
 }
 // Get validated data
@@ -89,11 +93,8 @@
 */
 public function create()
 {
- // Get the authenticated user
- $user = Auth::guard('web')->user();
-
 // Check if the authenticated user has the required permission to create positions
- if (is_null($user) || !$user->can('usermanagement.create')) {
+ if (is_null($this->user) || !$this->user->can('usermanagement.create')) {
 abort(403, 'Sorry! You are not allowed to create positions.');
 }
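Review bot: `+ public $this->user;` in the first hunk is not a valid property declaration — `$this->` cannot appear in a class property declaration, so the file fails to parse and every PositionsController route, including the permission checks this commit relies on, will error out; it should read `public $user;`. The constructor docblock also says `UsersController constructor.` where `PositionsController constructor.` is meant. One thing to confirm: Laravel instantiates controllers before the route middleware group has run, so `Auth::guard('web')->user()` inside `__construct()` is commonly null for session-backed guards — if that holds here, every action's `is_null($this->user)` guard aborts with 403 for legitimate users (fail-closed, but unusable), and the documented workaround is to populate the property from a closure middleware registered in the constructor, `$this->middleware(function ($request, $next) { $this->user = Auth::guard('web')->user(); return $next($request); });`. The commit message describes the same constructor pattern for the other controllers, so their constructors (outside this diff) deserve the same check.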
@@ -110,11 +111,8 @@
 */
 public function edit($id)
 {
- // Get the authenticated user
- $user = Auth::guard('web')->user();
-
 // Check if the authenticated user has the required permission to edit positions
- if (is_null($user) || !$user->can('usermanagement.update')) {
+ if (is_null($this->user) || !$this->user->can('usermanagement.update')) {
 abort(403, 'Sorry! You are not allowed to edit positions.');
 }
@@ -135,11 +133,8 @@
 */
 public function update(PositionRequest $request, $id)
 {
- // Get the authenticated user
- $user = Auth::guard('web')->user();
-
 // Check if the authenticated user has the required permission to update positions
- if (is_null($user) || !$user->can('usermanagement.update')) {
+ if (is_null($this->user) || !$this->user->can('usermanagement.update')) {
 abort(403, 'Sorry! You are not allowed to update positions.');
 }
@@ -173,27 +168,24 @@
 */
 public function destroy($id)
 {
- // Get the authenticated user
- $user = Auth::guard('web')->user();
-
 // Check if the authenticated user has the required permission to delete positions
- if (is_null($user) || !$user->can('usermanagement.delete')) {
+ if (is_null($this->user) || !$this->user->can('usermanagement.delete')) {
 abort(403, 'Sorry! You are not allowed to delete positions.');
 }
-
+
 // Find the position by ID
 $position = Position::findOrFail($id);
-
+
 // Check if the position has associated roles
 if ($position->roles()->count() > 0) {
 return redirect()->route('users.positions.index')
 ->with('error', 'Cannot delete position because it has associated roles.');
 }
-
+
 try {
 // If no errors, delete the position from the database
 $position->delete();
-
+
 // Redirect to the positions index page with a success message
 return redirect()->route('users.positions.index')
 ->with('success', 'Position deleted successfully.');
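Review bot: The guard `if (is_null($this->user) || !$this->user->can('usermanagement.…')) { abort(403, …); }` now opens edit(), update(), destroy() and dataForDatatables() in these hunks, each with its own slug and message; a single private helper (for example `$this->requirePermission('usermanagement.update', 'edit positions')`, name of your choosing) or Laravel's `can:` route middleware registered once in the constructor would put the slug-to-action mapping in one place that can be audited. This is a style point only: each check as written is correct and denies when no user is bound.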
@@ -213,11 +205,8 @@
 */
 public function dataForDatatables(Request $request)
 {
- // Get the authenticated user
- $user = Auth::guard('web')->user();
-
 // Check if the authenticated user has the required permission to view positions
- if (is_null($user) || !$user->can('usermanagement.read')) {
+ if (is_null($this->user) || !$this->user->can('usermanagement.read')) {
 abort(403, 'Sorry! You are not allowed to view positions.');
 }
@@ -286,11 +275,8 @@
 */
 public function export(Request $request)
 {
- // Get the authenticated user
- $user = Auth::guard('web')->user();
-
 // Check if the authenticated user has the required permission to export positions
- if (is_null($user) || !$user->can('usermanagement.export')) {
+ if (is_null($this->user) || !$this->user->can('usermanagement.export')) {
 abort(403, 'Sorry! You are not allowed to export positions.');
 }
diff --git a/app/Http/Controllers/RolesController.php b/app/Http/Controllers/RolesController.php
index f2f0027..f06c260 100644
--- a/app/Http/Controllers/RolesController.php
+++ b/app/Http/Controllers/RolesController.php
@@ -344,6 +344,10 @@
 public function export()
 {
+ if (is_null($this->user) || !$this->user->can('usermanagement.export')) {
+ abort(403, 'Sorry! You are not allowed to export roles.');
+ }
+
 return Excel::download(new RolesExport, 'roles.xlsx');
 }
 }
diff --git a/app/Http/Controllers/UsersController.php b/app/Http/Controllers/UsersController.php
index 781b1c0..752efae 100644
--- a/app/Http/Controllers/UsersController.php
+++ b/app/Http/Controllers/UsersController.php
@@ -9,7 +9,7 @@
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Facades\Validator;
 use Maatwebsite\Excel\Facades\Excel;
- use Modules\Lpj\Models\Branch;
+ use Modules\Basicdata\Models\Branch;
 use Modules\Usermanagement\Exports\UsersExport;
 use Modules\Usermanagement\Http\Requests\User as UserRequest;
 use Modules\Usermanagement\Models\Role;
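Review bot: The `use Modules\Lpj\Models\Branch;` → `use Modules\Basicdata\Models\Branch;` change in the UsersController hunk is a namespace move that the commit message does not mention; if `Branch` was relocated to the Basicdata module that is fine, but it deserves a line in the description, because a wrong import only surfaces at runtime as a class-not-found on the first request that touches `Branch`. The export guard added to RolesController mirrors the PermissionsController one except for the explanatory comment; keep `// Check if the authenticated user has the required permission to export roles` above it for consistency with the other controllers.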
@@ -49,7 +49,7 @@
 public function index()
 {
 if (is_null($this->user) || !$this->user->can('usermanagement.read')) {
- //abort(403, 'Sorry! You are not allowed to view users.');
+ abort(403, 'Sorry! You are not allowed to view users.');
 }
 return view('usermanagement::users.index');
@@ -66,7 +66,7 @@
 public function dataForDatatables(Request $request)
 {
 if (is_null($this->user) || !$this->user->can('usermanagement.view')) {
- //abort(403, 'Sorry! You are not allowed to view users.');
+ abort(403, 'Sorry! You are not allowed to view users.');
 }
 // Retrieve data from the database
@@ -76,8 +76,7 @@
 if ($request->has('search') && !empty($request->get('search'))) {
 $search = $request->get('search');
 $query->where(function ($q) use ($search) {
- $q
- ->whereRaw('LOWER(name) LIKE ?', ['%' . strtolower($search) . '%'])
+ $q->whereRaw('LOWER(name) LIKE ?', ['%' . strtolower($search) . '%'])
 ->orWhereRaw('LOWER(email) LIKE ?', ['%' . strtolower($search) . '%']);
 });
 }
@@ -135,8 +134,8 @@
 */
 public function edit($id)
 {
- if (is_null($this->user) || !$this->user->can('usermanagement.edit')) {
- //abort(403, 'Sorry! You are not allowed to edit users.');
+ if (is_null($this->user) || !$this->user->can('usermanagement.update')) {
+ abort(403, 'Sorry! You are not allowed to edit users.');
 }
 $user = User::find($id);
@@ -156,7 +155,7 @@
 public function destroy($id)
 {
 if (is_null($this->user) || !$this->user->can('usermanagement.delete')) {
- //abort(403, 'Sorry! You are not allowed to delete users.');
+ abort(403, 'Sorry! You are not allowed to delete users.');
 }
 $user = User::find($id);
@@ -198,6 +197,10 @@
 */
 public function store(UserRequest $request)
 {
+ if (is_null($this->user) || !$this->user->can('usermanagement.create')) {
+ abort(403, 'Sorry! You are not allowed to create a user.');
+ }
+
 $validated = $request->validated();
 if ($validated) {
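Review bot: `dataForDatatables()` in the second hunk gates on `usermanagement.view` while `index()` in the first hunk gates on `usermanagement.read`, and PositionsController's `dataForDatatables()` in this same patch uses `.read`; now that the `abort(403)` calls are live this mismatch matters — a user holding only `.read` gets the page but a 403 from the data endpoint — and whether `.view` is even a slug that PermissionsController::store() generates is not visible here (the visible tail of its list is `.delete`, `.export`, `.authorize`, `.report`, `.restore`). Unless `.view` is intentionally a distinct permission, change the check to `if (is_null($this->user) || !$this->user->can('usermanagement.read')) {`. On the search hunk the `LIKE ?` binding is parameterised, which is the part that matters; `%` and `_` in `$search` still act as LIKE wildcards, which is harmless for a name/email filter but worth a comment such as `// % and _ in $search act as LIKE wildcards (bound, not interpolated)`.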
@@ -223,7 +226,7 @@
 public function create()
 {
 if (is_null($this->user) || !$this->user->can('usermanagement.create')) {
- //abort(403, 'Sorry! You are not allowed to create a user.');
+ abort(403, 'Sorry! You are not allowed to create a user.');
 }
 $roles = Role::all();
@@ -233,6 +236,10 @@
 public function export()
 {
+ if (is_null($this->user) || !$this->user->can('usermanagement.export')) {
+ abort(403, 'Sorry! You are not allowed to export users.');
+ }
+
 return Excel::download(new UsersExport, 'users.xlsx');
 }
@@ -316,7 +323,7 @@
 public function update(UserRequest $request, $id)
 {
 if (is_null($this->user) || !$this->user->can('usermanagement.update')) {
- //abort(403, 'Sorry! You are not allowed to update users.');
+ abort(403, 'Sorry! You are not allowed to update users.');
 }
 $validated = $request->validated();
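Review bot: The new guard on `export()` in the second hunk is the right gate, but a bulk download of the user table is at least as audit-worthy as the CRUD operations whose activity logging the commit message describes; consider recording the export (actor and timestamp at minimum) through the same logging path so an unexpected download is visible after the fact. A short comment above the guard, e.g. `// Export is gated separately from read: it returns the whole user list as a file`, would also explain to the next reader why `.export` rather than `.read` is required here.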