From 9f474621da31d4a96531a60839b5f992021a80ed Mon Sep 17 00:00:00 2001
From: JN-Jones <jones_h1@web.de>
Date: Sun, 24 May 2015 21:20:36 +0200
Subject: [PATCH] WIP #132 Add 'canUploadAvatar' permission. Also fixed some
 minor issues I've noticed

---
 app/Http/Controllers/AccountController.php   |  8 ++++----
 app/Http/Middleware/CheckAccess.php          | 15 +++++++++++++--
 app/Http/routes.php                          | 14 ++++++++++----
 app/Presenters/User.php                      |  2 +-
 database/seeds/PermissionRoleTableSeeder.php | 12 ++++++++++++
 database/seeds/PermissionsTableSeeder.php    |  5 +++++
 resources/lang/en/account.php                |  2 ++
 resources/views/account/profile.twig         | 20 +++++++++++---------
 8 files changed, 58 insertions(+), 20 deletions(-)

diff --git a/app/Http/Controllers/AccountController.php b/app/Http/Controllers/AccountController.php
index c18db6c..efbdd2a 100644
--- a/app/Http/Controllers/AccountController.php
+++ b/app/Http/Controllers/AccountController.php
@@ -35,7 +35,7 @@ class AccountController extends AbstractController
 	/**
 	 * Create a new controller instance.
 	 *
-	 * @param Guard $guard
+	 * @param Guard             $guard
 	 * @param PermissionChecker $permissionChecker
 	 */
 	public function __construct(Guard $guard, PermissionChecker $permissionChecker)
@@ -84,7 +84,7 @@ public function postProfile(UpdateProfileRequest $request, UserProfileFieldRepos
 		// handle updates to the user model
 		$update = array();
 
-		if($this->permissionChecker->hasPermission('user', null, 'canUseCustomTitle')) {
+		if ($this->permissionChecker->hasPermission('user', null, 'canUseCustomTitle')) {
 			$update['usertitle'] = $request->get('usertitle');
 		}
 
@@ -328,7 +328,7 @@ public function postAvatar(Request $request)
 			$this->guard->user()->update(['avatar' => '']);
 		}
 
-		return redirect()->route('account.profile')->withSuccess('account.saved_avatar');
+		return redirect()->route('account.profile')->withSuccess(trans('account.saved_avatar'));
 	}
 
 	/**
@@ -339,7 +339,7 @@ public function removeAvatar()
 		// TODO: Delete the old file if an uploaded was used
 		$this->guard->user()->update(['avatar' => '']);
 
-		return redirect()->route('account.profile')->withSuccess('account.removed_avatar');
+		return redirect()->route('account.profile')->withSuccess(trans('account.removed_avatar'));
 	}
 
 	/**
diff --git a/app/Http/Middleware/CheckAccess.php b/app/Http/Middleware/CheckAccess.php
index ae0731b..b1edf2f 100644
--- a/app/Http/Middleware/CheckAccess.php
+++ b/app/Http/Middleware/CheckAccess.php
@@ -63,8 +63,19 @@ protected function checkPermissions($request)
 	{
 		$action = $request->route()->getAction();
 		// Check for additional permissions required
-		$requiredPermisions = isset($action['permissions']) ? explode('|', $action['permissions']) : false;
 
-		return $this->permissionChecker->hasPermission('user', null, $requiredPermisions);
+		$requiredPermisions = array();
+
+		if (isset($action['permissions'])) {
+			if (!is_array($action['permissions'])) {
+				$requiredPermisions = explode('|', $action['permissions']);
+			} else {
+				foreach ($action['permissions'] as $permission) {
+					$requiredPermisions = array_merge($requiredPermisions, explode('|', $permission));
+				}
+			}
+		}
+
+		return $this->permissionChecker->hasPermission('user', null, array_unique($requiredPermisions));
 	}
 }
diff --git a/app/Http/routes.php b/app/Http/routes.php
index 4c2ab9a..b4067f8 100644
--- a/app/Http/routes.php
+++ b/app/Http/routes.php
@@ -106,9 +106,15 @@
 		'/password/confirm/{token}',
 		['as' => 'account.password.confirm', 'uses' => 'AccountController@confirmPassword']
 	);
-	Route::get('/avatar', ['as' => 'account.avatar', 'uses' => 'AccountController@getAvatar']);
-	Route::post('/avatar', ['as' => 'account.avatar', 'uses' => 'AccountController@postAvatar']);
-	Route::get('/avatar/remove', ['as' => 'account.avatar.remove', 'uses' => 'AccountController@removeAvatar']);
+	Route::group([
+		'prefix' => 'avatar',
+		'middleware' => 'checkaccess',
+		'permissions' => 'canUploadAvatar'
+	], function () {
+		Route::get('/', ['as' => 'account.avatar', 'uses' => 'AccountController@getAvatar']);
+		Route::post('/', ['as' => 'account.avatar', 'uses' => 'AccountController@postAvatar']);
+		Route::get('/remove', ['as' => 'account.avatar.remove', 'uses' => 'AccountController@removeAvatar']);
+	});
 	Route::get('/notifications', ['as' => 'account.notifications', 'uses' => 'AccountController@getNotifications']);
 	Route::get('/following', ['as' => 'account.following', 'uses' => 'AccountController@getFollowing']);
 	Route::get('/buddies', ['as' => 'account.buddies', 'uses' => 'AccountController@getBuddies']);
@@ -121,7 +127,7 @@
 
 Route::group([
 	'prefix' => 'conversations',
-	'middleware' => ['checkaccess','checksetting'],
+	'middleware' => ['checkaccess', 'checksetting'],
 	'permissions' => 'canUseConversations',
 	'setting' => 'conversations.enabled'
 ], function () {
diff --git a/app/Presenters/User.php b/app/Presenters/User.php
index d18b4e8..f5c27e0 100644
--- a/app/Presenters/User.php
+++ b/app/Presenters/User.php
@@ -169,7 +169,7 @@ public function avatar()
 		$avatar = $this->wrappedObject->avatar;
 
 		// Empty? Default avatar
-		if (empty($avatar)) {
+		if (empty($avatar) || !$this->hasPermission('canUploadAvatar')) {
 			return asset('images/avatar.png');
 		} // Link? Nice!
 		elseif (filter_var($avatar, FILTER_VALIDATE_URL) !== false) {
diff --git a/database/seeds/PermissionRoleTableSeeder.php b/database/seeds/PermissionRoleTableSeeder.php
index 2bcdc86..f2a3bd0 100644
--- a/database/seeds/PermissionRoleTableSeeder.php
+++ b/database/seeds/PermissionRoleTableSeeder.php
@@ -137,6 +137,18 @@ public function run()
 				'value'         => PermissionChecker::NO,
 				'content_id'    => null
 			],
+			[
+				'permission_id' => $this->perm('canUploadAvatar'),
+				'role_id'       => $this->role('guest'),
+				'value'         => PermissionChecker::NO,
+				'content_id'    => null
+			],
+			[
+				'permission_id' => $this->perm('canUploadAvatar'),
+				'role_id'       => $this->role('banned'),
+				'value'         => PermissionChecker::NO,
+				'content_id'    => null
+			],
 		];
 
 		DB::table('permission_role')->insert($permissions_role);
diff --git a/database/seeds/PermissionsTableSeeder.php b/database/seeds/PermissionsTableSeeder.php
index 045115e..81f167d 100644
--- a/database/seeds/PermissionsTableSeeder.php
+++ b/database/seeds/PermissionsTableSeeder.php
@@ -92,6 +92,11 @@ public function run()
 				'content_name'    => null,
 				'default_value'   => PermissionChecker::YES
 			],
+			[
+				'permission_name' => 'canUploadAvatar',
+				'content_name'    => null,
+				'default_value'   => PermissionChecker::YES
+			],
 		];
 
 		DB::table('permissions')->insert($permissions);
diff --git a/resources/lang/en/account.php b/resources/lang/en/account.php
index 8510eab..5f9d4aa 100644
--- a/resources/lang/en/account.php
+++ b/resources/lang/en/account.php
@@ -28,6 +28,8 @@
 	'avatar_desc' => 'This photo is your identity on the forum and appears with all your posts.',
 	'avatar_change' => 'Change Avatar',
 	'avatar_remove' => 'Remove Avatar',
+	'saved_avatar' => 'Your avatar was successfully updated',
+	'removed_avatar' => 'Your avatar was successfully removed',
 	'details' => 'Account Details',
 	'change_username' => 'Change Username',
 	'change_email' => 'Change Email Address',
diff --git a/resources/views/account/profile.twig b/resources/views/account/profile.twig
index ed73b4c..84a2120 100644
--- a/resources/views/account/profile.twig
+++ b/resources/views/account/profile.twig
@@ -9,17 +9,19 @@
 
 	{{ form_open({'url_route': 'account.profile', 'method': 'post'}) }}
 	<section class="form">
-		<div class="form__section">
-			<h2>{{ trans('account.avatar') }}</h2>
-			<div class="form__section__container change-avatar">
-				<a href="{{ url_route('account.avatar') }}" class="avatar-profile-link" title="{{ trans('account.your_avatar') }}"><img src="{{ auth_user.avatar }}" alt="{{ trans('account.your_avatar') }}" class="avatar" /></a>
-				<p>{{ trans('account.avatar_desc') }}</p>
-				<div class="buttons">
-					<a {{ modal_attributes('account.avatar') }} class="button button--secondary"><i class="fa fa-picture-o"></i><span class="text">{{ trans('account.avatar_change') }}</span></a>
-					<a href="{{ url_route('account.avatar.remove') }}" class="button button--secondary"><i class="fa fa-times"></i><span class="text">{{ trans('account.avatar_remove') }}</span></a>
+		{% if auth_user.hasPermission('canUploadAvatar') %}
+			<div class="form__section">
+				<h2>{{ trans('account.avatar') }}</h2>
+				<div class="form__section__container change-avatar">
+					<a href="{{ url_route('account.avatar') }}" class="avatar-profile-link" title="{{ trans('account.your_avatar') }}"><img src="{{ auth_user.avatar }}" alt="{{ trans('account.your_avatar') }}" class="avatar" /></a>
+					<p>{{ trans('account.avatar_desc') }}</p>
+					<div class="buttons">
+						<a {{ modal_attributes('account.avatar') }} class="button button--secondary"><i class="fa fa-picture-o"></i><span class="text">{{ trans('account.avatar_change') }}</span></a>
+						<a href="{{ url_route('account.avatar.remove') }}" class="button button--secondary"><i class="fa fa-times"></i><span class="text">{{ trans('account.avatar_remove') }}</span></a>
+					</div>
 				</div>
 			</div>
-		</div>
+		{% endif %}
 		<div class="form__section">
 			<h2>{{ trans('account.details') }}</h2>
 			<div class="form__section__container">