Cleaned-up code for Admins.

uberbrady · Mar 2, 2022 · 539d77c · 539d77c
1 parent 2fe8356
commit 539d77c
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 26 deletions.
diff --git a/app/Models/Company.php b/app/Models/Company.php
@@ -61,7 +61,7 @@ final class Company extends SnipeModel
      */
     protected $fillable = ['name'];
 
-    public static function isFullMultipleCompanySupportEnabled()
+    private static function isFullMultipleCompanySupportEnabled()
     {
         $settings = Setting::getSettings();
 

diff --git a/app/Models/User.php b/app/Models/User.php
@@ -121,11 +121,6 @@ class User extends SnipeModel implements AuthenticatableContract, AuthorizableCo
      */
     protected function checkPermissionSection($section)
     {
-        //what is the actual **SECTION** that we're on, does it correspond to something?
-        // does it have a model?
-        // this would be the place to say 'hey' does this have a company in it? IF so, you'd better be super, or an admin here.
-        // otherwise, you're fucking b oned.
-
         $user_groups = $this->groups;
         if (($this->permissions == '') && (count($user_groups) == 0)) {
 

diff --git a/app/Policies/SnipePermissionsPolicy.php b/app/Policies/SnipePermissionsPolicy.php
@@ -36,30 +36,20 @@ abstract protected function columnName();
     public function before(User $user, $ability, $item)
     {
         // Lets move all company related checks here.
-        if ($item instanceof \App\Models\SnipeModel && ! Company::isCurrentUserHasAccess($item)) { // Question: what if $item is a _class_, not an actual object? Isn't that possible? e.g. for @can('create',Statuslabel::class)
+        if ($item instanceof \App\Models\SnipeModel && ! Company::isCurrentUserHasAccess($item)) {
             return false;
         }
-        \Log::debug("okay, we're still in the before() method, but the \$item is *not* an instance of SnipeModel. User: ".$user->username." Ability: $ability, Item's class is: ".gettype($item));
+        \Log::debug("okay, we're still in the before() method, but the \$item is *not* an instance of SnipeModel. User: ".$user->username." Ability: $ability, Item's type is: ".gettype($item));
         // If an admin, they can do all asset related tasks.
-        if ($user->hasAccess('admin')) { //*THIS* I kinda think is the thing I'm looking for?
-            \Log::info("Yes, we have Admin. Is full company support enabled? ".(Company::isFullMultipleCompanySupportEnabled() ? " yes ": " no ")." what is the item? ".print_r($item,true)." ");
-            // if(gettype($item) == "string") { //means that $item is a Class Name.
-            //     $real_item = new $item();
-            // } elseif(gettype($item) == "object") { //otherwise, we're dealing directly with an instance.
-            //     $real_item = $item;
-            // } else {
-            //     \Log::error("WEIRD TYPE BEING CHECKED FOR!!!");
-            //     dd("We're totally toast.");
-            // }
-            \Log::debug("Is multi-company enabled? ".Company::isFullMultipleCompanySupportEnabled()." does the company method exists? ". method_exists($item, 'company')." and is this a wird \$ability? :$ability");
+        if ($user->hasAccess('admin')) {
+            $settings = Setting::getSettings();
+            \Log::debug("User has 'admin'. Is multi-company enabled? ".($settings && $settings->full_multiple_companies_support == 1 ? 'yes' : 'no')." does the company method exists? ". method_exists($item, 'company')." and is this a weird \$ability? :$ability. What is the item? ".print_r($item,true));
 
-            if (Company::isFullMultipleCompanySupportEnabled() && !method_exists($item, 'company') && !in_array($ability, ['view', 'index', 'viewRequestable'] )) {
-                //I suspect that is_null($item->company_id) will *ALWAYS* be true, because we probably caught any SnipeModel things (which have $company_id) above.
-                // \Log::info("This looks like you're going to try and do a create, update, or delete on something that *doesn't* have a company_id. So I think you are boned. False for you.");
-                \Log::info("then you're boned, this is something that isn't 'companied' so you can't make 'em.");
+            if ($settings && $settings->full_multiple_companies_support == 1 && !method_exists($item, 'company') && !in_array($ability, ['view', 'index', 'viewRequestable'] )) {
+                \Log::debug("Permission denied for 'admin'");
                 return false; //Admin users *CANNOT* make any changes to cross-company things.
             }
-            \Log::info("you're good, go ahead then.");
+            \Log::debug("Permission granted for 'admin'");
             return true;
         }
     }

diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
@@ -109,8 +109,7 @@ public function boot()
         // These control general sections of the admin
         // --------------------------------
         Gate::define('admin', function ($user) {
-            // important piece here - if multicompany support is enabled and the thing you're admin-ing *doesn't* have a company_id on it, then you can't admin it.
-            if ($user->hasAccess('admin')) { //this probably needs to change? I don't want this to shortcut what's in SnipePermissionsPolicy ...
+            if ($user->hasAccess('admin')) {
                 return true;
             }
         });