Add some missing authorization checks

Riari · Riari · commit 4d066ab6f97a · 2024-04-06T16:07:04.000+01:00
diff --git a/src/Http/Livewire/Pages/CategoryCreate.php b/src/Http/Livewire/Pages/CategoryCreate.php
@@ -38,6 +38,10 @@ class CategoryCreate extends Component
 
     public function mount(Request $request)
     {
+        if (!CategoryAuthorization::create($request->user())) {
+            abort(404);
+        }
+
         $categories = CategoryAccess::getFilteredTreeFor($request->user())->toTree();
 
         // TODO: This is a workaround for a serialisation issue. See: https://github.com/lazychaser/laravel-nestedset/issues/487
diff --git a/src/Http/Livewire/Pages/CategoryEdit.php b/src/Http/Livewire/Pages/CategoryEdit.php
@@ -39,13 +39,18 @@ class CategoryEdit extends Component
 
     public function mount(Request $request)
     {
+        $category = $request->route('category');
+
+        if (!CategoryAuthorization::edit($request->user(), $category)) {
+            abort(404);
+        }
+
         $categories = CategoryAccess::getFilteredTreeFor($request->user())->toTree();
 
         // TODO: This is a workaround for a serialisation issue. See: https://github.com/lazychaser/laravel-nestedset/issues/487
         //       Once the issue is fixed, this can be removed.
         $this->categories = CategoryAccess::removeParentRelationships($categories);
 
-        $category = $request->route('category');
         $this->category = $category;
         $this->title = $category->title;
         $this->description = $category->description ?? "";
diff --git a/src/Http/Livewire/Pages/ThreadCreate.php b/src/Http/Livewire/Pages/ThreadCreate.php
@@ -32,6 +32,10 @@ public function mount(Request $request)
         $this->category = $request->route('category');
         $this->breadcrumbs_append = [trans('forum::threads.new_thread')];
 
+        if (!CategoryAuthorization::createThreads($request->user(), $this->category)) {
+            abort(403);
+        }
+
         UserCreatingThread::dispatch($request->user(), $this->category);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,10 @@ class CategoryCreate extends Component`
`38`	`38`
`39`	`39`	`public function mount(Request $request)`
`40`	`40`	`{`
	`41`	`+ if (!CategoryAuthorization::create($request->user())) {`
	`42`	`+ abort(404);`
	`43`	`+ }`
	`44`	`+`
`41`	`45`	`$categories = CategoryAccess::getFilteredTreeFor($request->user())->toTree();`
`42`	`46`
`43`	`47`	`// TODO: This is a workaround for a serialisation issue. See: https://github.com/lazychaser/laravel-nestedset/issues/487`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,10 @@ public function mount(Request $request)`
`32`	`32`	`$this->category = $request->route('category');`
`33`	`33`	`$this->breadcrumbs_append = [trans('forum::threads.new_thread')];`
`34`	`34`
	`35`	`+ if (!CategoryAuthorization::createThreads($request->user(), $this->category)) {`
	`36`	`+ abort(403);`
	`37`	`+ }`
	`38`	`+`
`35`	`39`	`UserCreatingThread::dispatch($request->user(), $this->category);`
`36`	`40`	`}`
`37`	`41`