fix api security issues and update pages issue
This commit is contained in:
Vendored
BIN
Binary file not shown.
Vendored
BIN
Binary file not shown.
@@ -6,6 +6,8 @@ use App\Http\Controllers\Api\Core\BaseApiController;
|
||||
use App\Http\Requests\Roles\RoleSwitchRequest;
|
||||
use App\Services\Roles\RoleSwitchService;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class RoleSwitcherController extends BaseApiController
|
||||
@@ -40,7 +42,13 @@ class RoleSwitcherController extends BaseApiController
|
||||
}
|
||||
|
||||
$role = (string) $request->validated()['role'];
|
||||
$route = $this->switchService->switchRole($role);
|
||||
try {
|
||||
$route = $this->switchService->switchRole($guard, $role);
|
||||
} catch (AccessDeniedHttpException $e) {
|
||||
return $this->error($e->getMessage(), Response::HTTP_FORBIDDEN);
|
||||
} catch (NotFoundHttpException $e) {
|
||||
return $this->error($e->getMessage(), Response::HTTP_NOT_FOUND);
|
||||
}
|
||||
|
||||
return $this->success([
|
||||
'role' => $role,
|
||||
|
||||
@@ -4,6 +4,7 @@ namespace App\Http\Controllers\Api\Grading;
|
||||
|
||||
use App\Http\Controllers\Api\Core\BaseApiController;
|
||||
use App\Http\Requests\Grading\BelowSixtyEmailRequest;
|
||||
use App\Http\Requests\Grading\AllDecisionsRequest;
|
||||
use App\Http\Requests\Grading\BelowSixtyDecisionDetailsRequest;
|
||||
use App\Http\Requests\Grading\BelowSixtyDecisionListRequest;
|
||||
use App\Http\Requests\Grading\BelowSixtyDecisionSaveRequest;
|
||||
@@ -13,6 +14,7 @@ use App\Http\Requests\Grading\BelowSixtyMeetingSaveRequest;
|
||||
use App\Http\Requests\Grading\BelowSixtySendRequest;
|
||||
use App\Http\Requests\Grading\BelowSixtyStatusRequest;
|
||||
use App\Http\Requests\Grading\BelowSixtyListRequest;
|
||||
use App\Http\Requests\Grading\GenerateAllDecisionsRequest;
|
||||
use App\Http\Requests\Grading\GradingLockAllRequest;
|
||||
use App\Http\Requests\Grading\GradingLockRequest;
|
||||
use App\Http\Requests\Grading\GradingOverviewRequest;
|
||||
@@ -316,6 +318,27 @@ class GradingController extends BaseApiController
|
||||
return response()->json(['ok' => true] + $data);
|
||||
}
|
||||
|
||||
public function allDecisions(AllDecisionsRequest $request): JsonResponse
|
||||
{
|
||||
$payload = $request->validated();
|
||||
$data = $this->belowSixtyService->listAllDecisions((string) $payload['school_year']);
|
||||
|
||||
return response()->json(['ok' => true] + $data);
|
||||
}
|
||||
|
||||
public function generateAllDecisions(GenerateAllDecisionsRequest $request): JsonResponse
|
||||
{
|
||||
$userId = $this->authenticatedUserIdOrUnauthorized();
|
||||
if ($userId instanceof JsonResponse) {
|
||||
return $userId;
|
||||
}
|
||||
|
||||
$payload = $request->validated();
|
||||
$count = $this->belowSixtyService->generateAllDecisions((string) $payload['school_year'], $userId);
|
||||
|
||||
return response()->json(['ok' => true, 'saved_count' => $count]);
|
||||
}
|
||||
|
||||
public function belowSixtyDecisions(BelowSixtyDecisionListRequest $request): JsonResponse
|
||||
{
|
||||
$payload = $request->validated();
|
||||
|
||||
@@ -47,7 +47,7 @@ class PrintRequestsController extends BaseApiController
|
||||
}
|
||||
|
||||
$validator = Validator::make($request->all(), [
|
||||
'file' => ['required', 'file', 'max:5120', 'mimes:pdf,jpg,jpeg,png,doc,docx,txt'],
|
||||
'file' => ['required', 'file', 'max:5120', 'mimes:pdf,jpg,jpeg,png,doc,docx,txt', 'mimetypes:application/pdf,image/jpeg,image/png,text/plain,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
|
||||
'page_selection' => ['nullable', 'string', 'regex:/^\s*\d+(?:\s*-\s*\d+)?(?:\s*,\s*\d+(?:\s*-\s*\d+)?)*\s*$/'],
|
||||
'num_copies' => ['required', 'integer', 'min:1'],
|
||||
'required_by' => ['required', 'date'],
|
||||
@@ -97,7 +97,7 @@ class PrintRequestsController extends BaseApiController
|
||||
];
|
||||
|
||||
if ($request->hasFile('file') && $request->file('file')->isValid()) {
|
||||
$rules['file'] = ['required', 'file', 'max:5120', 'mimes:pdf,jpg,jpeg,png,doc,docx,txt'];
|
||||
$rules['file'] = ['required', 'file', 'max:5120', 'mimes:pdf,jpg,jpeg,png,doc,docx,txt', 'mimetypes:application/pdf,image/jpeg,image/png,text/plain,application/msword,application/vnd.openxmlformats-officedocument.wordprocessingml.document'];
|
||||
}
|
||||
|
||||
$validator = Validator::make($request->all(), $rules);
|
||||
|
||||
@@ -5,6 +5,8 @@ namespace App\Http\Controllers\Api;
|
||||
use App\Http\Requests\Roles\RoleSwitchRequest;
|
||||
use App\Services\Roles\RoleSwitchService;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class RoleSwitcherController extends BaseApiController
|
||||
@@ -33,8 +35,19 @@ class RoleSwitcherController extends BaseApiController
|
||||
|
||||
public function switch(RoleSwitchRequest $request): JsonResponse
|
||||
{
|
||||
$userId = (int) (auth()->id() ?? 0);
|
||||
if ($userId <= 0) {
|
||||
return $this->error('Please log in first.', Response::HTTP_UNAUTHORIZED);
|
||||
}
|
||||
|
||||
$role = (string) $request->validated()['role'];
|
||||
$route = $this->switchService->switchRole($role);
|
||||
try {
|
||||
$route = $this->switchService->switchRole($userId, $role);
|
||||
} catch (AccessDeniedHttpException $e) {
|
||||
return $this->error($e->getMessage(), Response::HTTP_FORBIDDEN);
|
||||
} catch (NotFoundHttpException $e) {
|
||||
return $this->error($e->getMessage(), Response::HTTP_NOT_FOUND);
|
||||
}
|
||||
|
||||
return $this->success([
|
||||
'role' => $role,
|
||||
|
||||
@@ -0,0 +1,28 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class SecurityHeaders
|
||||
{
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
/** @var Response $response */
|
||||
$response = $next($request);
|
||||
|
||||
$headers = $response->headers;
|
||||
$headers->set('X-Content-Type-Options', 'nosniff');
|
||||
$headers->set('X-Frame-Options', 'DENY');
|
||||
$headers->set('Referrer-Policy', 'strict-origin-when-cross-origin');
|
||||
$headers->set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
|
||||
|
||||
if ($request->isSecure()) {
|
||||
$headers->set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
||||
}
|
||||
|
||||
return $response;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,20 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Requests\Grading;
|
||||
|
||||
use App\Http\Requests\ApiFormRequest;
|
||||
|
||||
class AllDecisionsRequest extends ApiFormRequest
|
||||
{
|
||||
public function authorize(): bool
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
public function rules(): array
|
||||
{
|
||||
return [
|
||||
'school_year' => ['required', 'string', 'max:50'],
|
||||
];
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,20 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Requests\Grading;
|
||||
|
||||
use App\Http\Requests\ApiFormRequest;
|
||||
|
||||
class GenerateAllDecisionsRequest extends ApiFormRequest
|
||||
{
|
||||
public function authorize(): bool
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
public function rules(): array
|
||||
{
|
||||
return [
|
||||
'school_year' => ['required', 'string', 'max:50'],
|
||||
];
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user