diff --git a/app/Http/Controllers/ControlController.php b/app/Http/Controllers/ControlController.php
index d5b37964..7a63a54a 100644
--- a/app/Http/Controllers/ControlController.php
+++ b/app/Http/Controllers/ControlController.php
@@ -263,8 +263,8 @@ public function show(int $id)
 (
 (Auth::User()->role === 5)&&
 !DB::table('control_user')
- ->where('user_id',$id)
- ->where('control_id',Auth::User()->id)
+ ->where('control_id', $id)
+ ->where('user_id', Auth::User()->id)
 ->exists()
 ), Response::HTTP_FORBIDDEN, '403 Forbidden');
diff --git a/app/Http/Controllers/GlobalSearchController.php b/app/Http/Controllers/GlobalSearchController.php
index b3b776f2..b84be55c 100644
--- a/app/Http/Controllers/GlobalSearchController.php
+++ b/app/Http/Controllers/GlobalSearchController.php
@@ -3,7 +3,9 @@
 namespace App\Http\Controllers;
 use Illuminate\Http\Request;
+use Illuminate\Http\Response;
 use Illuminate\Support\Str;
+use Illuminate\Support\Facades\Auth;
 class GlobalSearchController extends Controller
 {
@@ -15,6 +17,9 @@ class GlobalSearchController extends Controller
 public function search(Request $request)
 {
+ // Not for API
+ abort_if(Auth::User()->role === 4, Response::HTTP_FORBIDDEN, '403 Forbidden');
+
 $term = $request->input('search');
 if ($term === null) {
 return redirect()->back();
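Review bot: The new condition in ControlController::show calls `Auth::User()` three times inside one expression and spells the facade method with a capital U; it only resolves because PHP method names are case-insensitive, and every call re-resolves the guard. Hoisting `$user = Auth::user();` above the `abort_if` and using `$user->role` / `$user->id` reads better and makes the check cheaper; the same pattern appears in the GlobalSearchController and MeasureController hunks of this commit. The role numbers are also repeated as bare literals, and the page's own comments give their meaning (3 auditor, 4 API, 5 auditee), so named constants on the User model would make these checks self-documenting. The body of show() starts and ends outside this hunk.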
@@ -23,13 +28,33 @@ public function search(Request $request)
 $searchableData = [];
 foreach ($this->models as $model) {
+ // user does not search on domain and measures
+ if (
+ (Auth::User()->role===5)&&
+ (
+ ($model=='App\\Models\\Domain')||
+ ($model=='App\\Models\\Measure')
+ )
+ )
+ continue;
+
 $query = $model::query();
 $fields = $model::$searchable;
+ // user only search on assigned controls
+ if (Auth::User()->role===5)
+ $query = $query
+ ->join('control_user', 'controls.id', '=', 'control_user.control_id')
+ ->where('control_user.user_id','=',Auth::User()->id);
+
+
 foreach ($fields as $field) {
 $query->orWhere($field, 'LIKE', '%' . $term . '%');
 }
+
+ // newest first
+ $query->orderBy('id','desc');
 $results = $query->take(20)->get();
 foreach ($results as $result) {
diff --git a/app/Http/Controllers/MeasureController.php b/app/Http/Controllers/MeasureController.php
index 127e270f..b49431d1 100644
--- a/app/Http/Controllers/MeasureController.php
+++ b/app/Http/Controllers/MeasureController.php
@@ -24,6 +24,12 @@ class MeasureController extends Controller
 */
 public function index(Request $request)
 {
+ // Not for Auditor, API and auditee
+ abort_if(
+ (Auth::User()->role === 4)||
+ (Auth::User()->role === 5),
+ Response::HTTP_FORBIDDEN, '403 Forbidden');
+
 $domains = Domain::All();
 $domain = $request->get('domain');
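Review bot: The role-5 restriction added before the `foreach ($fields as $field)` loop does not actually restrict the search, because each `orWhere` is appended at the top level of the same WHERE clause, giving `control_user.user_id = ? OR field1 LIKE ? OR field2 LIKE ?`; any row whose searchable field matches the term is returned to an auditee regardless of assignment. The LIKE terms need to be grouped in a nested `where(function ($q) ...)` so the assignment filter is AND-ed with them. Two smaller points in the same hunk: the join hard-codes `controls.id`, so if `$this->models` (declared outside the hunk) holds any model other than Control the role-5 query will fail, and after the join `get()` returns columns of both tables while `orderBy('id', 'desc')` becomes ambiguous — selecting the model's own columns and qualifying the order column avoids both. The enclosing search() method continues past the end of this hunk.
```php
foreach ($this->models as $model) {
    // … unchanged: role-5 skip of Domain and Measure …
    $query = $model::query();
    $fields = $model::$searchable;
    $table = $query->getModel()->getTable();

    // auditee only searches assigned controls; keep only the model's own
    // columns so joined control_user columns cannot shadow `id`
    if (Auth::User()->role === 5) {
        $query = $query
            ->select($table . '.*')
            ->join('control_user', 'controls.id', '=', 'control_user.control_id')
            ->where('control_user.user_id', '=', Auth::User()->id);
    }

    // group the LIKE terms so the assignment filter above is AND-ed with them
    $query->where(function ($q) use ($fields, $term) {
        foreach ($fields as $field) {
            $q->orWhere($field, 'LIKE', '%' . $term . '%');
        }
    });

    // newest first
    $query->orderBy($table . '.id', 'desc');
    // … unchanged: take(20)->get() and result loop …
```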
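Review bot: In MeasureController::index the new comment `// Not for Auditor, API and auditee` names three roles but the condition below it only rejects roles 4 and 5; the comment removed from MeasureController::show in this same commit pairs "Auditor" with role 3, so either `(Auth::User()->role === 3)||` is missing or the comment should read `// Not for API and auditee`. Whichever is intended, the comment and the condition should agree, since the comment is what the next reader will trust. The rest of index() is outside the hunk.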
@@ -156,11 +162,19 @@ public function store(Request $request)
 */
 public function show(int $id)
 {
- // Not for Auditor, API and auditee
+ // Not for API
 abort_if(
- (Auth::User()->role === 3)||
- (Auth::User()->role === 4)||
- (Auth::User()->role === 5),
+ (Auth::User()->role === 4),
+ Response::HTTP_FORBIDDEN, '403 Forbidden');
+
+ // user must have and assigned controls
+ abort_if(
+ (Auth::User()->role === 5) &&
+ !DB::table('controls')
+ ->where('measure_id',$id)
+ ->leftjoin('control_user', 'control_id', '=', 'controls.id')
+ ->where('user_id', Auth::User()->id)
+ ->exists(),
 Response::HTTP_FORBIDDEN, '403 Forbidden');
 $measure = Measure::where('id', $id)->get()->first();
diff --git a/resources/views/controls/show.blade.php b/resources/views/controls/show.blade.php
index e1c7633d..18abf296 100644
--- a/resources/views/controls/show.blade.php
+++ b/resources/views/controls/show.blade.php
@@ -76,7 +76,7 @@
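Review bot: The comment `// user must have and assigned controls` above the second `abort_if` in MeasureController::show is garbled and does not say what the query checks; `// auditee must be assigned at least one control of this measure` matches the condition. The query itself uses `leftjoin` but then filters on `user_id` from the joined table, which discards the unmatched rows a left join would keep, so it behaves as an inner join and `join` states that intent more honestly; the unqualified `control_id` / `user_id` also rely on those column names existing only in `control_user`, which I cannot verify from the hunk. `->join('control_user', 'control_user.control_id', '=', 'controls.id')` and `->where('control_user.user_id', Auth::User()->id)` make the dependency explicit. The remainder of show() is outside the hunk.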