diff --git a/app/Http/Controllers/SchoolController.php b/app/Http/Controllers/SchoolController.php
index 515bba2..0a823a9 100644
--- a/app/Http/Controllers/SchoolController.php
+++ b/app/Http/Controllers/SchoolController.php
@@ -4,16 +4,20 @@ namespace App\Http\Controllers;
 
 use App\Models\School;
 use App\Models\SchoolEmailDomain;
+use Illuminate\Auth\Access\Gate;
+use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Auth;
+use function abort;
 use function dd;
 use function redirect;
 use function request;
 
 class SchoolController extends Controller
 {
-    public function store()
+    public function store(Request $request): RedirectResponse
     {
+        if ($request->user()->cannot('create', School::class)) abort(403);
         request()->validate([
             'name' => ['required', 'min:3', 'max:30'],
             'address' => ['required'],
@@ -47,24 +51,28 @@ class SchoolController extends Controller
         return redirect('/schools/' . $school->id);
     }
 
-    public function show(School $school)
+    public function show(Request $request, School $school)
     {
+        if ($request->user()->cannot('view',$school)) abort(403);
+
         return view('schools.show', ['school' => $school]);
     }
 
-    public function create()
+    public function create(Request $request)
     {
+        if ($request->user()->cannot('create', School::class)) abort(403);
         return view('schools.create');
     }
 
-    public function edit(School $school)
+    public function edit(Request $request, School $school)
     {
-        // TODO Restrict the editing of schools to directors or admin
+        if ($request->user()->cannot('update',$school)) abort(403);
         return view('schools.edit', ['school' => $school]);
     }
 
     public function update(School $school)
     {
+        if ($request->user()->cannot('update',$school)) abort(403);
         request()->validate([
             'name' => ['required', 'min:3', 'max:30'],
             'address' => ['required'],
diff --git a/app/Policies/SchoolPolicy.php b/app/Policies/SchoolPolicy.php
new file mode 100644
index 0000000..71619b1
--- /dev/null
+++ b/app/Policies/SchoolPolicy.php
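Review bot: `use Illuminate\Auth\Access\Gate;` is added but nothing in the visible lines uses it, and it names the concrete gate class rather than the `Illuminate\Support\Facades\Gate` facade, so it should be dropped (or replaced by the facade if a later, unseen part of the class calls it). The `if ($request->user()->cannot(...)) abort(403);` guard introduced here and repeated in the next hunk assumes an authenticated user; if any of these routes is not behind the `auth` middleware (routes are not in this diff), `user()` is null and the guard fails with an error instead of a 403, whereas `$this->authorize('create', School::class);` expresses the same check and throws `AuthorizationException` uniformly, assuming the base Controller uses Laravel's `AuthorizesRequests` trait. Since `store` now injects `Request $request`, the body should use it for validation too, `$request->validate([...])`, instead of the `request()` helper on the following line. The rest of `store` is outside the hunk.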
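Review bot: `update` reads `$request` on its first added line, but its signature, `public function update(School $school)`, was not changed to inject it, so `$request->user()` is an undefined variable and every update request fails with an error before the policy check runs. Change the signature to `public function update(Request $request, School $school)` as the commit already does for `show`, `create` and `edit`. The body of `update` continues beyond the hunk.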
@@ -0,0 +1,75 @@
+is_admin) return true;
+        return null;
+    }
+    /**
+     * Determine whether the user can view any models.
+     */
+    public function viewAny(User $user): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can view the model.
+     */
+    public function view(User $user, School $school): bool
+    {
+        return $school->id == $user->school_id;
+    }
+
+    /**
+     * Determine whether the user can create models.
+     */
+    public function create(User $user): bool
+    {
+        return is_null($user->school_id);
+    }
+
+    /**
+     * Determine whether the user can update the model.
+     */
+    public function update(User $user, School $school): bool
+    {
+        return $school->id == $user->school_id;
+    }
+
+    /**
+     * Determine whether the user can delete the model.
+     */
+    public function delete(User $user, School $school): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can restore the model.
+     */
+    public function restore(User $user, School $school): bool
+    {
+        return false;
+    }
+
+    /**
+     * Determine whether the user can permanently delete the model.
+     */
+    public function forceDelete(User $user, School $school): bool
+    {
+        return false;
+    }
+}
diff --git a/database/factories/UserFactory.php b/database/factories/UserFactory.php
index d4e1058..bc73ef4 100644
--- a/database/factories/UserFactory.php
+++ b/database/factories/UserFactory.php
@@ -30,6 +30,7 @@ class UserFactory extends Factory
             'email' => fake()->unique()->safeEmail(),
             'judging_preference' => fake()->randomElement($judingPrefPossibilities),
             'cell_phone' => fake()->phoneNumber(),
+            'profile_image_url' => 'https://picsum.photos/200',
             'email_verified_at' => now(),
             'password' => static::$password ??= Hash::make('password'),
             'remember_token' => Str::random(10),
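Review bot: `update` grants the ability to any user whose `school_id` matches the school, which is broader than the `// TODO Restrict the editing of schools to directors or admin` comment this commit removes from `SchoolController::edit`; unless every member is meant to edit the school, the director restriction still has to be added here (no director attribute is visible in this diff, so the exact condition cannot be given). `view` and `update` compare with `==`; with `$user->school_id` nullable a loose comparison is fragile (`null == 0` is true in PHP), so prefer `return $user->school_id !== null && (int) $school->id === (int) $user->school_id;`. `before` returns `true` for `is_admin` users, which short-circuits every other method including those returning `false` (`delete`, `forceDelete`), so its docblock should state that admins bypass all checks in this policy. The start of this hunk (file header, class declaration and the opening of `before`) is garbled in the visible text.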