hide contact info for unauthorized users

mianakbarjan · Nov 20, 2023 · 5920fe2 · 5920fe2
1 parent 7ec7f9d
commit 5920fe2
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 22 deletions.
diff --git a/src/Ushahidi/Modules/V5/Actions/Post/Handlers/AbstractPostQueryHandler.php b/src/Ushahidi/Modules/V5/Actions/Post/Handlers/AbstractPostQueryHandler.php
@@ -0,0 +1,38 @@
+<?php
+
+namespace Ushahidi\Modules\V5\Actions\Post\Handlers;
+
+use App\Bus\Action;
+use App\Bus\Query\Query;
+use Ushahidi\Modules\V5\Actions\V5QueryHandler;
+use Illuminate\Support\Facades\Auth;
+use Ushahidi\Modules\V5\Models\RolePermission;
+
+abstract class AbstractPostQueryHandler extends V5QueryHandler
+{
+    protected function userHasManagePostPermissions()
+    {
+        $user = Auth::user();
+        if (!$user || !$user->id) {
+            return false;
+        }
+        if ($user->role === "admin") {
+            return true;
+        }
+        $permissions =
+            RolePermission::select("permission")->where('role', '=', $user->role)->get()->pluck('permission');
+        if (in_array("Manage Posts", $permissions->toArray())) {
+            return true;
+        }
+        return false;
+    }
+
+    protected function updateSelectFieldsDependsOnPermissions(array $fields)
+    {
+
+        if (!$this->userHasManagePostPermissions()) {
+            return array_diff($fields, ["author_email","author_realname"]);
+        }
+        return $fields;
+    }
+}
diff --git a/src/Ushahidi/Modules/V5/Actions/Post/Handlers/FindPostByIdQueryHandler.php b/src/Ushahidi/Modules/V5/Actions/Post/Handlers/FindPostByIdQueryHandler.php
@@ -4,18 +4,19 @@
 
 use App\Bus\Action;
 use App\Bus\Query\Query;
-use App\Bus\Query\AbstractQueryHandler;
+use Ushahidi\Modules\V5\Actions\Post\Handlers\AbstractPostQueryHandler;
 use Ushahidi\Modules\V5\Actions\Post\Queries\FindPostByIdQuery;
 use Ushahidi\Modules\V5\Repository\Post\PostRepository;
 use Ushahidi\Modules\V5\Models\Post\Post;
+use Ushahidi\Modules\V5\Models\Contact;
 use Illuminate\Support\Collection;
 use Ushahidi\Modules\V5\Http\Resources\PostValueCollection;
 use Ushahidi\Modules\V5\Http\Resources\ContactPointerResource;
 use Ushahidi\Modules\V5\Http\Resources\MessagePointerResource;
 use Ushahidi\Modules\V5\Http\Resources\LockCollection;
 use Ushahidi\Modules\V5\Http\Resources\Survey\TaskCollection;
 
-class FindPostByIdQueryHandler extends AbstractQueryHandler
+class FindPostByIdQueryHandler extends AbstractPostQueryHandler
 {
     private $postRepository;
 
@@ -40,7 +41,9 @@ public function __invoke(Action $action)
 
         $post = $this->postRepository->findById(
             $action->getId(),
-            array_unique(array_merge($action->getFields(), $action->getFieldsForRelationship())),
+            $this->updateSelectFieldsDependsOnPermissions(
+                array_unique(array_merge($action->getFields(), $action->getFieldsForRelationship()))
+            ),
             $action->getWithRelationship()
         );
         $post = $this->addHydrateRelationships($post, $action->getHydrates());
@@ -76,15 +79,13 @@ private function addHydrateRelationships(Post $post, array $hydrates)
                 case 'contact':
                     $post->contact = null;
                     if ($post->message) {
-                        //$post->contact = new ContactPointerResource($post->message->contact);
-                        $post->contact = $post->message->contact;
+                        if ($this->userHasManagePostPermissions()) {
+                            $post->contact = $post->message->contact;
+                        } else {
+                            $post->contact = $post->message->contact->setVisible(["id"]);
+                        }
                     }
                     break;
-                case 'message':
-                    // if ($post->message) {
-                    //     $post->message = new MessagePointerResource($post->message);
-                    // }
-                    break;
                 case 'locks':
                     $post->locks = new LockCollection($post->locks);
                     break;
@@ -104,6 +105,11 @@ private function addHydrateRelationships(Post $post, array $hydrates)
                         $post->data_source_message_id = $message->data_source_message_id ?? null;
                     }
                     break;
+                case 'message':
+                    if ($post->message && !$this->userHasManagePostPermissions()) {
+                            $post->message->makeHidden("contact");
+                    }
+                    break;
                 case 'enabled_languages':
                     $post->enabled_languages = [
                         'default' => $post->base_language,
@@ -113,8 +119,6 @@ private function addHydrateRelationships(Post $post, array $hydrates)
                     break;
             }
         }
-        //  dd($post);
-
         return $post;
     }
     private function hideFieldsUsedByRelationships(Post $post, array $fields = [])

diff --git a/src/Ushahidi/Modules/V5/Actions/Post/Handlers/ListPostsQueryHandler.php b/src/Ushahidi/Modules/V5/Actions/Post/Handlers/ListPostsQueryHandler.php
@@ -2,7 +2,7 @@
 
 namespace Ushahidi\Modules\V5\Actions\Post\Handlers;
 
-use App\Bus\Query\AbstractQueryHandler;
+use Ushahidi\Modules\V5\Actions\Post\Handlers\AbstractPostQueryHandler;
 use App\Bus\Query\Query;
 use App\Bus\Action;
 use Illuminate\Contracts\Pagination\LengthAwarePaginator;
@@ -16,7 +16,7 @@
 use Ushahidi\Modules\V5\Http\Resources\LockCollection;
 use Ushahidi\Modules\V5\Http\Resources\Survey\TaskCollection;
 
-class ListPostsQueryHandler extends AbstractQueryHandler
+class ListPostsQueryHandler extends AbstractPostQueryHandler
 {
     private $postRepository;
 
@@ -43,7 +43,9 @@ public function __invoke(Action $action): LengthAwarePaginator
             ->paginate(
                 $action->getPaging(),
                 $action->getSearchFields(),
-                array_unique(array_merge($action->getFields(), $action->getFieldsForRelationship())),
+                $this->updateSelectFieldsDependsOnPermissions(
+                    array_unique(array_merge($action->getFields(), $action->getFieldsForRelationship()))
+                ),
                 $action->getWithRelationship()
             );
             $result = [];
@@ -82,15 +84,13 @@ private function addHydrateRelationships(Post $post, array $hydrates)
                 case 'contact':
                     $post->contact = null;
                     if ($post->message) {
-                        //$post->contact = new ContactPointerResource($post->message->contact);
-                        $post->contact = $post->message->contact;
+                        if ($this->userHasManagePostPermissions()) {
+                            $post->contact = $post->message->contact;
+                        } else {
+                            $post->contact = $post->message->contact->setVisible(["id"]);
+                        }
                     }
                     break;
-                case 'message':
-                    // if ($post->message) {
-                    //     $post->message = new MessagePointerResource($post->message);
-                    // }
-                    break;
                 case 'locks':
                     $post->locks = new LockCollection($post->locks);
                     break;
@@ -110,6 +110,11 @@ private function addHydrateRelationships(Post $post, array $hydrates)
                         $post->data_source_message_id = $message->data_source_message_id ?? null;
                     }
                     break;
+                case 'message':
+                    if ($post->message && !$this->userHasManagePostPermissions()) {
+                        $post->message->makeHidden("contact");
+                    }
+                    break;
                 case 'enabled_languages':
                     $post->enabled_languages = [
                         'default' => $post->base_language,