security fix and fix parent pages
API CI/CD / Validate (composer + pint) (push) Successful in 3m7s
API CI/CD / Test (PHPUnit) (push) Failing after 5m46s
API CI/CD / Build frontend assets (push) Successful in 1m2s
API CI/CD / Security audit (push) Failing after 49s
API CI/CD / Deploy to shared hosting (PHP) (push) Has been skipped

This commit is contained in:
root
2026-07-06 02:14:16 -04:00
parent 39228168c8
commit 90f9857b06
43 changed files with 4323 additions and 132 deletions
+35 -1
View File
@@ -5,6 +5,8 @@ namespace App\Policies;
use App\Models\ClassProgressReport;
use App\Models\TeacherClass;
use App\Models\User;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Schema;
class ClassProgressReportPolicy
{
@@ -19,7 +21,9 @@ class ClassProgressReportPolicy
return true;
}
return $this->isAuthor($user, $report) || $this->teachesSection($user, $report);
return $this->isAuthor($user, $report)
|| $this->teachesSection($user, $report)
|| $this->parentHasEnrolledSection($user, $report);
}
public function create(User $user): bool
@@ -67,4 +71,34 @@ class ClassProgressReportPolicy
return false;
}
private function parentHasEnrolledSection(User $user, ClassProgressReport $report): bool
{
if (! Schema::hasTable('enrollments')) {
return false;
}
$parentId = (int) (request()?->attributes?->get('primary_parent_id') ?? 0);
if ($parentId <= 0) {
if (! $this->isParent($user)) {
return false;
}
$parentId = (int) $user->id;
}
return DB::table('enrollments')
->where('parent_id', $parentId)
->where('class_section_id', (int) $report->class_section_id)
->where('is_withdrawn', 0)
->exists();
}
private function isParent(User $user): bool
{
return $user->roles()
->pluck('roles.name')
->map(fn ($name) => strtolower((string) $name))
->contains('parent');
}
}