Added permission check to bans page to only allow it when the user has the EDIT_USERS permission.

2026-04-26 01:45:51 -05:00 · 2024-05-20 05:06:46 +02:00 · 2024-05-20 05:06:46 +02:00 · a1cd7e3798
commit a1cd7e3798
parent 4f865b4d2a
3 changed files with 12 additions and 0 deletions
--- a/dist/app/Http/Controllers/Web/Admin/Tools/UsersController.php
+++ b/dist/app/Http/Controllers/Web/Admin/Tools/UsersController.php
@ -101,6 +101,9 @@ public function reset(User $user)

    public function bans(User $user)
    {
+        if(!Auth::user()->can(Permissions::EDIT_USERS->value))
+            abort(403, 'You are not allowed to edit Bans of a User.');
+
        $bans = $user->bans;
        View::share('title', 'Bans for User: '.$user->id.'('.$user->last_known_username.')');

@ -128,6 +131,9 @@ public function banPost(User $user, Ban $ban, BanPostRequest $request) {
    }

    public function createBan(User $user) {
+        if(!Auth::user()->can(Permissions::EDIT_USERS->value))
+            abort(403, 'No Permission to create a Ban.');
+
        $newBan = new Ban();
        $newBan->ban_reason = 'Placeholder';
        $newBan->start_date = Carbon::now()->addWeek();
--- a/dist/resources/views/admin/tools/user-details.blade.php
+++ b/dist/resources/views/admin/tools/user-details.blade.php
@ -67,6 +67,8 @@
                        </x-inputs.button>
                    </a>

+                    @can(\App\Enums\Auth\Permissions::EDIT_USERS->value)
+
                    <a href="{{ route('user.bans', ['user' => $user->id]) }}">
                        <x-inputs.button class="delete" type="button">
                        <span class="flex items-center gap-2 text-xl align-middle">
@ -75,6 +77,8 @@
                        </span>
                        </x-inputs.button>
                    </a>
+
+                    @endcan
                </div>

                <div class="section">
--- a/dist/resources/views/admin/tools/user-list.blade.php
+++ b/dist/resources/views/admin/tools/user-list.blade.php
@ -55,11 +55,13 @@
                                    <x-icons.mail class="size-4"/>
                                </x-inputs.button>
                            </a>
+                            @can(\App\Enums\Auth\Permissions::EDIT_USERS->value)
                            <a href="{{ route('user.bans', ['user' => $user->id]) }}">
                                <x-inputs.button type="button" class="px-2 py-1 !text-sm delete" title="Bans">
                                    <x-icons.hammer class="size-4"/>
                                </x-inputs.button>
                            </a>
+                            @endcan
                        </td>
                    </tr>
                @endforeach