From 3183b2d4b68baa4282ae40eb8641ba042f4cd4e4 Mon Sep 17 00:00:00 2001 From: Didier Date: Tue, 21 Nov 2023 11:56:04 +0100 Subject: [PATCH] work on auditee --- app/Http/Controllers/ControlController.php | 54 ++++++++---- app/Http/Controllers/DocumentController.php | 93 +++++++++++++++++---- resources/views/controls/make.blade.php | 65 +++++++------- resources/views/layout.blade.php | 1 + 4 files changed, 151 insertions(+), 62 deletions(-) diff --git a/app/Http/Controllers/ControlController.php b/app/Http/Controllers/ControlController.php index 7a245d1d..fd568e37 100644 --- a/app/Http/Controllers/ControlController.php +++ b/app/Http/Controllers/ControlController.php @@ -724,8 +724,11 @@ public function doPlan(Request $request) public function make(Request $request) { - // Not for aditor - abort_if(Auth::User()->role === 3, Response::HTTP_FORBIDDEN, '403 Forbidden'); + // Not for auditor and API + abort_if( + (Auth::User()->role === 3)|| + (Auth::User()->role === 4), + Response::HTTP_FORBIDDEN, '403 Forbidden'); $id = (int) request('id'); @@ -734,8 +737,8 @@ public function make(Request $request) ( (Auth::User()->role === 5)&& !DB::table('control_user') - ->where('user_id',$id) - ->where('control_id',Auth::User()->id) + ->where('user_id', Auth::User()->id) + ->where('control_id', $id) ->exists() ), Response::HTTP_FORBIDDEN, '403 Forbidden'); @@ -784,8 +787,7 @@ public function doMake() { // Not API and auditee abort_if( - (Auth::User()->role === 4)|| - (Auth::User()->role === 5), + (Auth::User()->role === 4), Response::HTTP_FORBIDDEN, '403 Forbidden'); $id = (int) request('id'); @@ -795,8 +797,8 @@ public function doMake() ( (Auth::User()->role === 5)&& !DB::table('control_user') - ->where('user_id',$id) - ->where('control_id',Auth::User()->id) + ->where('user_id',Auth::User()->id) + ->where('control_id',$id) ->exists() ), Response::HTTP_FORBIDDEN, '403 Forbidden'); 
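Review bot: The guard in doMake() now rejects only role 4, while the comment above it still reads `// Not API and auditee` and the matching form handler make() (first hunk of this file) rejects roles 3 and 4; unless auditors are meant to submit results without being able to open the form, doMake() should mirror make(): `(Auth::User()->role === 3)||` followed by `(Auth::User()->role === 4),`, with the comment changed to `// Not for auditor and API`. The role numbers 1–5 are compared as bare integers in every guard touched here; naming them as constants on the user model would make these checks readable and easier to audit. doMake()'s body continues outside the hunk, so any later role handling is not visible.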
@@ -822,13 +824,13 @@ public function doMake() $control->observations = request('observations'); $control->note = request('note'); $control->score = request('score'); - // only admin and user can update the plan_date, realisation_date and action_plan + $control->realisation_date = request('realisation_date'); + // only admin and user can update the plan_date and action_plan if ( (Auth::User()->role === 1)|| (Auth::User()->role === 2) ) { $control->plan_date = request('plan_date'); - $control->realisation_date = request('realisation_date'); $control->action_plan = request('action_plan'); } else { @@ -914,27 +916,42 @@ public function save(Request $request) */ public function draft(Request $request) { - // Not API and auditee + // Not for API and Auditor abort_if( - (Auth::User()->role === 4)|| - (Auth::User()->role === 5), + (Auth::User()->role === 3)|| + (Auth::User()->role === 4), Response::HTTP_FORBIDDEN, '403 Forbidden'); $id = (int) $request->get('id'); + // for aditee only if he is assigned to that control + abort_if( + ( + (Auth::User()->role === 5)&& + !DB::table('control_user') + ->where('user_id', Auth::User()->id) + ->where('control_id', $id) + ->exists() + ), Response::HTTP_FORBIDDEN, '403 Forbidden'); + + // Get the control $control = Control::find($id); + // Control not found + abort_if($control === null, Response::HTTP_NOT_FOUND, '404 Not Found'); + $control->observations = request('observations'); $control->note = request('note'); $control->score = request('score'); - // only admin and user can update the plan_date, realisation_date and action_plan + // only admin and user can update the plan_date and action_plan if ( (Auth::User()->role === 1)|| (Auth::User()->role === 2) ) { $control->plan_date = request('plan_date'); $control->action_plan = request('action_plan'); + // do not save the realisation date as it is in draft } $control->save(); 
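Review bot: `$control->realisation_date = request('realisation_date');` now runs for every role that passes the guard, including auditees, but neither this hunk nor the guard hunks show the value being validated before it reaches the model, so a malformed or empty date goes straight to `save()`. Since doMake() takes no `Request` parameter, a `request()->validate(['realisation_date' => 'nullable|date'])` near the top of the method would cover it (the same applies to `score`, `note` and `observations`). Whether validation already exists earlier in doMake() cannot be seen from here — the method body starts outside the hunk.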
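Review bot: The comment introduced above the new auditee check in draft() reads `// for aditee only if he is assigned to that control`; it should read `// auditee only if assigned to that control`, matching the spelling used in the other guard comments of this commit. The added `// do not save the realisation date as it is in draft` sits inside the admin/user branch although it describes behaviour for all roles; move it just above the `if` so a reader does not take it as branch-specific. draft() also mixes `$request->get('id')` with `request('observations')` in the same method; settling on one access style makes the input surface easier to review.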
@@ -952,13 +969,20 @@ public function export() public function template() { // For administrators and users only - abort_if((Auth::User()->role !== 1) && (Auth::User()->rol !== 2), Response::HTTP_FORBIDDEN, '403 Forbidden'); + abort_if( + (Auth::User()->role !== 1) && + (Auth::User()->rol !== 2) && + (Auth::User()->role !== 5), + Response::HTTP_FORBIDDEN, '403 Forbidden'); $id = (int) request('id'); // find associate measurement $control = Control::find($id); + // Control not found + abort_if($control === null, Response::HTTP_NOT_FOUND, '404 Not Found'); + // Get template file $template_filename = storage_path('app/models/control_.docx'); if (! file_exists($template_filename)) { diff --git a/app/Http/Controllers/DocumentController.php b/app/Http/Controllers/DocumentController.php index acb2a37c..d8eb2707 100644 --- a/app/Http/Controllers/DocumentController.php +++ b/app/Http/Controllers/DocumentController.php @@ -4,12 +4,15 @@ use App\Models\Document; use Illuminate\Http\Request; +use Illuminate\Http\Response; +use Illuminate\Support\Facades\Auth; +use Illuminate\Support\Facades\DB; class DocumentController extends Controller { public function getTemplate(Request $request) { - // nothing to do + // Get document teample id $id = (int) $request->get('id'); if ($id === 1) { @@ -35,6 +38,11 @@ public function getTemplate(Request $request) public function saveTemplate(Request $request) { + // Only for administrator + abort_if( + (Auth::User()->role !== 1), + Response::HTTP_FORBIDDEN, '403 Forbidden'); + $message = null; if ($request->has('template1')) { 
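Review bot: The rewritten guard in template() keeps the pre-existing typo `Auth::User()->rol !== 2`: `rol` is not a property, so that clause evaluates to `null !== 2`, which is always true, and the guard reduces to "abort unless role is 1 or 5" — users (role 2) get a 403 despite the `// For administrators and users only` comment, which is now also stale. Correct it to `(Auth::User()->role !== 2) &&` and update the comment to mention auditees. Unlike make() and draft() in this same commit, no `control_user` assignment check follows for role 5 here, so an auditee can generate the document for any control id; if that is unintended, add the same `abort_if` block draft() uses.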
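Review bot: The new comment in getTemplate() has a typo: `// Get document teample id` should be `// Get document template id`. getTemplate() receives no role guard in this commit while its counterpart saveTemplate() (next hunk) is restricted to administrators; if template downloads are meant to be open to every authenticated role, a one-line comment stating so, e.g. `// readable by every role; saveTemplate() is admin-only`, would keep the asymmetry from reading as an omission.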
@@ -60,7 +68,25 @@ public function saveTemplate(Request $request) public function get(int $id) { + // Not for API + abort_if( + (Auth::User()->role === 4), + Response::HTTP_FORBIDDEN, '403 Forbidden'); + $document = Document::Find($id); + + // Document not found + abort_if($document === null, Response::HTTP_NOT_FOUND, '404 Not Found'); + + // Auditee may get documents from assigned controls only + abort_if( + (Auth::User()->role === 5) && + !DB::table('control_user') + ->where('user_id',Auth::User()->id) + ->where('control_id',$document->control_id) + ->exists(), + Response::HTTP_FORBIDDEN, '403 Forbidden'); + $path = storage_path('docs/' . $id); $file_contents = file_get_contents($path); 
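Review bot: In get() the `Document not found` abort runs before the auditee assignment check, so an auditee probing ids receives 404 for unused ids and 403 for documents of controls they are not assigned to, which reveals which document ids exist. Returning the same status in both cases — for instance aborting with `Response::HTTP_NOT_FOUND` in the assignment check too — removes that distinction; the same ordering appears in delete() further down. get() continues past the hunk, so the download headers are not visible here.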
@@ -75,29 +101,40 @@ public function get(int $id) public function store(Request $request) { - //Log::Alert("store called"); + // Not for API and Auditor + abort_if( + (Auth::User()->role === 3)|| + (Auth::User()->role === 4), + Response::HTTP_FORBIDDEN, '403 Forbidden'); + + // Get file $file = $request->file('file'); + + // Get Control $control_id = $request->get('control'); - // Log::Alert($control_id); + // Auditee may save document to assigned control only + abort_if( + (Auth::User()->role === 5) && + !DB::table('control_user') + ->where('user_id', Auth::User()->id) + ->where('control_id', $control_id) + ->exists(), + Response::HTTP_FORBIDDEN, '403 Forbidden'); + + // Save document $doc = new Document(); $doc->control_id = $control_id; $doc->filename = $file->getClientOriginalName(); - // Log::Alert("store filenale ".$file->getClientOriginalName()); $doc->mimetype = $file->getClientMimeType(); - // Log::Alert("store mimetype ".$file->getClientMimeType()); $doc->size = $file->getSize(); - // Log::Alert("store size ".$file->getSize()); - // Log::Alert("store path ".$file->path()); $doc->hash = hash_file('sha256', $file->path()); $doc->save(); - // Log::Alert("store Doc saved"); - + // Move file to storage folder $file->move(storage_path('docs'), $doc->id); - // Log::Alert("store Done."); - + // response return response()->json( ['success' => $doc->filename, 'id' => $doc->id, 
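Review bot: store() reads `$request->file('file')` and `$request->get('control')` without validating either: a request with no file makes `$file->getClientOriginalName()` fail on null, and `control` is written to `$doc->control_id` as received without confirming the control exists (the assignment check only runs for role 5). A `$request->validate(['file' => 'required|file', 'control' => 'required|integer'])` at the top of the method, plus an existence check against the controls table, closes both gaps. `getClientMimeType()` records the type declared by the uploader; if that stored value is later sent as a Content-Type on download, the server-side `$file->getMimeType()` is the safer source.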
@@ -107,28 +144,47 @@ public function store(Request $request) public function delete(int $id) { - // Log::Alert("delete called"); + // Not for API and Auditor + abort_if( + (Auth::User()->role === 3)|| + (Auth::User()->role === 4), + Response::HTTP_FORBIDDEN, '403 Forbidden'); + + // Find the document $document = Document::Find($id); + if ($document === null) { - return redirect('image/list') + return response() ->with('errorMessage', 'File not found !'); } + // Auditee may delete documents from assigned controls only + // and check if control has not been made ??? + abort_if( + (Auth::User()->role === 5) && + !DB::table('control_user') + ->where('user_id', Auth::User()->id) + ->where('control_id', $document->control_id) + ->exists(), + Response::HTTP_FORBIDDEN, '403 Forbidden'); + $path = storage_path('docs/'.$document->id); - // Log::Alert($path); - // Log::Alert("delete file ".$path); if (file_exists($path)) { unlink($path); } $document->delete(); - // Log::Alert("delete done"); return null; } public function index() { + // Only for administrator + abort_if( + (Auth::User()->role !== 1), + Response::HTTP_FORBIDDEN, '403 Forbidden'); + $count = Document::count(); $sum = Document::sum('size'); @@ -139,6 +195,11 @@ public function index() public function check() { + // Only for administrator + abort_if( + (Auth::User()->role !== 1), + Response::HTTP_FORBIDDEN, '403 Forbidden'); + $documents = Document::with('control')->get(); return view('/documents/check') diff --git a/resources/views/controls/make.blade.php b/resources/views/controls/make.blade.php index 4681b074..28e713f3 100644 --- a/resources/views/controls/make.blade.php +++ b/resources/views/controls/make.blade.php @@ -46,34 +46,45 @@
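Review bot: The not-found branch in delete() now returns `response()->with(...)`, but `response()` with no arguments yields an `Illuminate\Http\Response`, which as far as I can tell has no `with()` method (that belongs to `RedirectResponse`), so a missing document would raise an error rather than a clean response. Use the same pattern get() adopts in this commit: `abort_if($document === null, Response::HTTP_NOT_FOUND, '404 Not Found');`. The `// and check if control has not been made ???` comment leaves the auditee-delete rule unresolved; either implement the check or record the decision in the comment so the open question is not shipped silently.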
{{ $control->input }}
+ +
+
+ {{ trans('cruds.control.fields.model') }} +
+
+
{{ $control->model }}
+
+
+
{{ trans('cruds.control.fields.plan_date') }}
+ @if ((Auth::User()->role === 1)||(Auth::User()->role === 2)) + + @else + {{ $control->plan_date }} + @endif +
+
+ {{ trans('cruds.control.fields.realisation_date') }} +
+
-
- -
- {{ trans('cruds.control.fields.realisation_date') }} -
-
- -
-
@@ -96,15 +107,6 @@
-
-
- {{ trans('cruds.control.fields.model') }} -
-
-
{{ $control->model }}
-
-
-
{{ trans('cruds.control.fields.note') }} @@ -150,20 +152,21 @@ @endif
- {{ trans('cruds.control.fields.periodicity') }} + {{ trans('cruds.control.fields.next') }}
@if ((Auth::User()->role === 1)||(Auth::User()->role === 2)) +
+
@else - {{ $control->next_date }} + {{ $next_date }} @endif -
-
( @if ($control->periodicity==1) {{ trans("common.monthly") }} diff --git a/resources/views/layout.blade.php b/resources/views/layout.blade.php index 47ea2c45..45fc3928 100644 --- a/resources/views/layout.blade.php +++ b/resources/views/layout.blade.php @@ -8,6 +8,7 @@ Deming - ISMS Controls Made Easy +
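Review bot: The read-only branch now renders `{{ $next_date }}` instead of `{{ $control->next_date }}`, so the view depends on the controller supplying a `$next_date` variable; none of the ControlController hunks in this patch show make() adding it to the view data, so roles that take this branch would hit an undefined-variable error unless it is passed outside the shown hunks. If the value is computed in the controller, a short comment beside this line naming its origin would help the next reader.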