Broke the role editing permissions out into a specific role (to avoid site-admin being given them)
This commit is contained in:
48
src/Database/Seeds/CreateRoleAdmin.php
Normal file
48
src/Database/Seeds/CreateRoleAdmin.php
Normal file
@@ -0,0 +1,48 @@
|
||||
<?php
|
||||
|
||||
/*
|
||||
* AVSDev UF Tweaks (https://avsdev.uk)
|
||||
*
|
||||
* @link https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks
|
||||
* @license https://git.avsdev.uk/avsdev/sprinkle-uf-tweaks/blob/master/LICENSE.md (LGPL-3.0 License)
|
||||
*/
|
||||
|
||||
namespace UserFrosting\Sprinkle\UFTweaks\Database\Seeds;
|
||||
|
||||
use UserFrosting\Sprinkle\Account\Database\Models\Role;
|
||||
use UserFrosting\Sprinkle\Core\Database\Seeder\BaseSeed;
|
||||
|
||||
/**
|
||||
* Seeder to create the role admin
|
||||
*/
|
||||
class CreateRoleAdmin extends BaseSeed
|
||||
{
|
||||
/**
|
||||
* {@inheritdoc}
|
||||
*/
|
||||
public function run()
|
||||
{
|
||||
$roles = $this->getRoles();
|
||||
|
||||
foreach ($roles as $role) {
|
||||
// Don't save if already exist
|
||||
if (Role::where('slug', $role->slug)->first() == null) {
|
||||
$role->save();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* @return array Roles to seed
|
||||
*/
|
||||
protected function getRoles()
|
||||
{
|
||||
return [
|
||||
new Role([
|
||||
'slug' => 'role-admin',
|
||||
'name' => 'Role Administrator',
|
||||
'description' => 'This role is meant for "role administrators", who can basically do anything related to roles and their permissions.',
|
||||
]),
|
||||
];
|
||||
}
|
||||
}
|
||||
@@ -26,6 +26,7 @@ class DefaultPermissions extends UFDefaultPermissions
|
||||
{
|
||||
// We require the default roles
|
||||
Seeder::execute('DefaultRoles');
|
||||
Seeder::execute('RoleAdminRole');
|
||||
|
||||
// Get and save permissions
|
||||
$permissions = $this->getPermissions();
|
||||
@@ -46,6 +47,7 @@ class DefaultPermissions extends UFDefaultPermissions
|
||||
'user' => Role::where('slug', 'user')->first()->id,
|
||||
'group-admin' => Role::where('slug', 'group-admin')->first()->id,
|
||||
'site-admin' => Role::where('slug', 'site-admin')->first()->id,
|
||||
'role-admin' => Role::where('slug', 'role-admin')->first()->id,
|
||||
];
|
||||
|
||||
return array_merge(
|
||||
@@ -88,36 +90,24 @@ class DefaultPermissions extends UFDefaultPermissions
|
||||
'conditions' => "in(property,['slug','name','description','permissions','users'])",
|
||||
'description' => 'View certain properties of any role.',
|
||||
]),
|
||||
'update_role_field' => new Permission([
|
||||
'slug' => 'update_role_field',
|
||||
'name' => 'Edit role',
|
||||
'conditions' => "is_master(self.id) || subset(fields,['slug','name','description'])",
|
||||
'description' => 'Edit basic properties of any role.',
|
||||
]),
|
||||
'update_role_permissions' => new Permission([
|
||||
'slug' => 'update_role_permissions',
|
||||
'name' => 'Edit role permissions',
|
||||
'conditions' => "is_master(self.id) || subset(fields,['permissions'])",
|
||||
'description' => 'Edit permissions of any role.',
|
||||
]),
|
||||
'update_role_permissions_limited' => new Permission([
|
||||
'slug' => 'update_role_permissions',
|
||||
'name' => 'Edit role permissions',
|
||||
'conditions' => "is_master(self.id) || (!has_role(self.id,role.id) && role.id != {$defaultRoleIds['site-admin']} && subset(fields,['permissions']))",
|
||||
'description' => 'Edit basic properties of any role, except the Site Administrators role (unless you are the root user).',
|
||||
]),
|
||||
'update_role_field' => new Permission([
|
||||
'slug' => 'update_role_field',
|
||||
'name' => 'Edit role',
|
||||
'conditions' => "is_master(self.id) || (!has_role(self.id,role.id) && role.id != {$defaultRoleIds['site-admin']} && subset(fields,['slug','name','description']))",
|
||||
'description' => 'Edit basic properties of any role, except the Site Administrators role (unless you are the root user).',
|
||||
]),
|
||||
'delete_role_any' => new Permission([
|
||||
'delete_role' => new Permission([
|
||||
'slug' => 'delete_role',
|
||||
'name' => 'Delete role',
|
||||
'conditions' => 'always()',
|
||||
'description' => 'Delete a role.',
|
||||
]),
|
||||
'delete_role' => new Permission([
|
||||
'slug' => 'delete_role',
|
||||
'name' => 'Delete role',
|
||||
'conditions' => "is_master(self.id) || (!has_role(self.id,role.id) && role.id != {$defaultRoleIds['site-admin']})",
|
||||
'description' => 'Delete a role, except the Site Administrators role (unless you are the root user).',
|
||||
]),
|
||||
]
|
||||
);
|
||||
}
|
||||
@@ -152,6 +142,23 @@ class DefaultPermissions extends UFDefaultPermissions
|
||||
{
|
||||
parent::syncPermissionsRole($permissions);
|
||||
|
||||
$roleRoleAdmin = Role::where('slug', 'role-admin')->first();
|
||||
if ($roleRoleAdmin) {
|
||||
$roleRoleAdmin->permissions()->syncWithoutDetaching([
|
||||
$permissions['uri_dashboard']->id,
|
||||
$permissions['uri_role']->id,
|
||||
$permissions['uri_roles']->id,
|
||||
$permissions['uri_permission']->id,
|
||||
$permissions['uri_permissions']->id,
|
||||
|
||||
$permissions['create_role']->id,
|
||||
$permissions['view_role_field']->id,
|
||||
$permissions['update_role_field']->id,
|
||||
$permissions['update_role_permissions']->id,
|
||||
$permissions['delete_role']->id,
|
||||
]);
|
||||
}
|
||||
|
||||
$roleSiteAdmin = Role::where('slug', 'site-admin')->first();
|
||||
if ($roleSiteAdmin) {
|
||||
$roleSiteAdmin->permissions()->syncWithoutDetaching([
|
||||
@@ -160,13 +167,8 @@ class DefaultPermissions extends UFDefaultPermissions
|
||||
$permissions['uri_roles']->id,
|
||||
$permissions['uri_permission']->id,
|
||||
$permissions['uri_permissions']->id,
|
||||
// Too much power: $permissions['create_role']->id,
|
||||
|
||||
$permissions['view_role_field']->id,
|
||||
$permissions['update_role_field']->id,
|
||||
// Too much power: $permissions['update_role_permissions']->id,
|
||||
// Too much power: $permissions['update_role_permissions_limited']->id,
|
||||
// Too much power: $permissions['delete_role']->id,
|
||||
// Too much power: $permissions['delete_role_any']->id,
|
||||
]);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user