better validation and authorization on edit route

cranleighschool · Apr 12, 2024 · cfd0b6d · cfd0b6d
1 parent 91e4e6f
commit cfd0b6d
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 8 deletions.
diff --git a/app/Domains/SelfReflection/Http/SelfReflectionPupilController.php b/app/Domains/SelfReflection/Http/SelfReflectionPupilController.php
@@ -101,12 +101,7 @@ public function edit(int $reportCycleId, int $teachingSetId, int $teacherId): Vi
         $reportCycle = ReportCycles::find($reportCycleId);
 
         if (Gate::check('report-editable', $reportCycle) === false) {
-            session()->flash('alert-danger', 'This report cycle has ended and is no longer editable.');
-
-            return redirect()->route('selfreflection.showget', [
-                'reportCycle' => $reportCycleId,
-                'pupilId' => (new PupilData())->pupil_id,
-            ]);
+            abort(403, 'You are not able to edit this reflection');
         }
 
         if (! $this->authorizeEdit($teachingSetId, $teacherId)) {

diff --git a/app/Providers/SelfReflectionGateProvider.php b/app/Providers/SelfReflectionGateProvider.php
@@ -3,6 +3,7 @@
 namespace App\Providers;
 
 use App\Domains\SelfReflection\Actions\ReportCycles;
+use App\Models\User;
 use Illuminate\Auth\Access\Response;
 use Illuminate\Http\Client\RequestException;
 use Illuminate\Support\Facades\Gate;
@@ -34,7 +35,7 @@ public function boot(): void
             return Response::allow();
         });
 
-        Gate::define('report-editable', function ($user, int|object $reportCycle) {
+        Gate::define('report-editable', function (User $user, int|object $reportCycle) {
 
             if (is_int($reportCycle)) {
                 $reportCycle = ReportCycles::find($reportCycle);
@@ -44,7 +45,7 @@ public function boot(): void
                 return false;
             }
 
-            return true;
+            return $user->isPupil();
         });
     }
 }