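protected function hasPermission($permission, Model $requester)
{
    // Anyone who is logged in may create: ownership cannot be checked for a
    // record that does not exist yet. Strict string comparison on purpose.
    if ($permission === 'create') {
        return $requester->isLoggedIn();
    }

    // Owner check. Require an authenticated requester before comparing ids:
    // the original loose `==` would treat a guest whose id() is null/0 as
    // equal to a record whose uid is unset. Ids are compared as strings so an
    // int id and a numeric-string uid still match without falling back to
    // PHP's loose comparison rules (assumes id()/uid are scalars).
    if ($requester->isLoggedIn() && (string) $requester->id() === (string) $this->uid) {
        return true;
    }

    // Everything else (any permission on someone else's record) is admin-only.
    return $requester->isAdmin();
}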
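 public static function find(array $params = [])
 {
     // Normalise the where clause to an array (absent → []).
     $params['where'] = (array) U::array_value($params, 'where');
     $user = self::$injectedApp['user'];

     // Admins see everything; every other caller must scope the query to a
     // single organization in which they hold at least the volunteer role.
     if (!$user->isAdmin()) {
         $organization = isset($params['where']['organization'])
             ? $params['where']['organization']
             : null;

         // Fail closed: no organization filter, or a non-scalar one (e.g. an
         // array produced by a `where[organization][]=` request), yields an
         // empty result instead of an ambiguous lookup. NOTE(review): how the
         // Organization constructor treats a non-scalar id is not visible
         // here; rejecting it up front keeps the role check and the query
         // bound to the same single id.
         if (!is_scalar($organization)) {
             return ['models' => [], 'count' => 0];
         }

         $org = new Organization($organization);
         if ($org->getRoleOfUser($user) < Volunteer::ROLE_VOLUNTEER) {
             return ['models' => [], 'count' => 0];
         }
     }

     return parent::find($params);
 }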
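 private function authenticateApiRequest()
 {
     $resource = $this->app['oauth_resource'];
     $request = Request::createFromGlobals();
     $response = new Response();

     // verifyResourceRequest() validates the bearer token and, on failure,
     // populates $response with the OAuth error; the request ends there.
     if (!$resource->verifyResourceRequest($request, $response)) {
         $response->send();
         exit;
     }

     $tokenData = $resource->getResourceController()->getToken();

     // A valid token is not necessarily bound to a user (a client-credentials
     // style grant, for instance, carries no user_id). Without this guard the
     // request would continue as a user model built from a missing id. Such
     // tokens are treated as unauthenticated for user-scoped endpoints.
     // NOTE(review): the concrete Response class is not visible here;
     // setStatusCode() is assumed — confirm against the class in use.
     $userId = isset($tokenData['user_id']) ? $tokenData['user_id'] : null;
     if ($userId === null || $userId === '') {
         $response->setStatusCode(401);
         $response->send();
         exit;
     }

     // Replace the session user with the user the access token belongs to...
     $userModel = Auth::USER_MODEL;
     $user = $this->app['user'] = new $userModel($userId, true);

     // ...and make that user the requester for Model::hasPermission() checks.
     Model::configure(['requester' => $user]);
 }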
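 public static function find(array $params = [])
 {
     // Normalise the where clause to an array (absent → []).
     $params['where'] = (array) U::array_value($params, 'where');
     $user = self::$injectedApp['user'];

     if (isset($params['where']['organization']) && !$user->isAdmin()) {
         // Looking a record up by its approval link is treated as a
         // capability in itself, so it is exempt from the per-user scoping
         // below. Only a non-empty scalar counts: isset() alone also accepts
         // '' or an array, which would have skipped the uid restriction
         // without actually pinning the query to one link.
         $approvalLink = isset($params['where']['approval_link'])
             ? $params['where']['approval_link']
             : null;
         $byApprovalLink = is_scalar($approvalLink) && (string) $approvalLink !== '';

         if (!$byApprovalLink) {
             // Within an organization, anyone below organization admin may
             // only see their own hours.
             $org = new Organization($params['where']['organization']);
             if ($org->getRoleOfUser($user) != Volunteer::ROLE_ADMIN) {
                 $params['where']['uid'] = $user->id();
             }
         }
     } else {
         // NOTE(review): intentionally left open for now — with no
         // organization filter, any caller (logged in or not) can list
         // volunteer hours via GET /api/volunteers/volunteer_hours.
         // Revisit before treating this data as private.
     }

     return parent::find($params);
 }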
 protected function hasPermission($permission, Model $requester)
 {
     // Every permission on this model is admin-only, whatever $permission
     // is asked for; the permission name is deliberately ignored.
     $isAdmin = $requester->isAdmin();

     return $isAdmin;
 }