fixed so moderator can't edit or delete administrators in the same group, fixed so delete button actually works

mwalbeck 2016-10-29 23:45:00 +02:00
parent 39824efb1d
commit 0863dbb175
3 changed files with 4 additions and 6 deletions
app/Policies
resources/views


@ -37,7 +37,7 @@ class UserPolicy
public function update(User $user, User $user2)
{
if ($user->isAdministrator() || ($user->isModerator() AND $user->group_id === $user2->group_id)) {
if ($user->isAdministrator() || ($user->isModerator() AND $user->group_id === $user2->group_id AND !$user2->isAdministrator())) {
return true;
}
return false;
@ -45,7 +45,7 @@ class UserPolicy
public function delete(User $user, User $user2)
{
if ($user->isAdministrator() || ($user->isModerator() AND $user->group_id === $user2->group_id) || $user === $user2) {
if ($user->isAdministrator() || ($user->isModerator() AND $user->group_id === $user2->group_id AND !$user2->isAdministrator()) || $user === $user2) {
return true;
}
return false;
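Review bot: In the new `delete` condition, `$user === $user2` tests object identity, so the self-delete branch passes only when both arguments are the very same instance. If the target is loaded separately from the authenticated user (for example through route model binding, which is an assumption here), it will never match; comparing keys, e.g. `$user->id === $user2->id`, expresses the intent. Separately, in both `update` and `delete` the check `$user->group_id === $user2->group_id` is also true when both values are null, so if `group_id` is nullable a moderator without a group could act on every ungrouped non-administrator. Adding `$user->group_id !== null` to the moderator branch would close that. The class body continues outside both hunks.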


@ -1,9 +1,7 @@
<!DOCTYPE html>
<html>
<head>
<title>Be right back.</title>
<link href="https://fonts.googleapis.com/css?family=Lato:100" rel="stylesheet" type="text/css">
<title>Sorry.</title>
<style>
html, body {


@ -9,7 +9,7 @@
<form method="POST" class="">
{{ csrf_field() }}
{{ method_field('DELETE') }}
<button type="button" id="modal-button-delete" class="btn btn-danger" formaction="/{{ Auth::user()->getAdminPath() }}/">Yes</button>
<button id="modal-button-delete" class="btn btn-danger" formaction="/{{ Auth::user()->getAdminPath() }}/">Yes</button>
<button type="button" class="btn btn-default" data-dismiss="modal">No</button>
</form>
</div>
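Review bot: The "Yes" button now relies on the implicit default type to submit the form; writing `type="submit"` makes that intent explicit and harder to undo by accident. The `formaction` ends at `/{{ Auth::user()->getAdminPath() }}/` with no resource id, so presumably a script appends the target before submit. If that script does not run, the DELETE goes to the base admin path, so the route serving that path should reject it rather than rely on the modal. The surrounding modal markup starts and ends outside the hunk.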