From 7659cc72217959d4fb94ba01d8bc22a251e0ea0f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C4=8Carodej?= Date: Tue, 31 May 2022 15:12:31 +0200 Subject: [PATCH] api refactoring --- .../js/components/Popups/ShareCreatePopup.vue | 7 ++++--- routes/api.php | 2 +- routes/teams.php | 8 +++++--- src/App/Users/Requests/UpdateAvatarRequest.php | 2 +- .../Controllers/SpotlightSearchController.php | 5 ++++- .../Controllers/VisitorBrowseFolderController.php | 14 ++++++++++---- .../Sharing/Controllers/ShareItemController.php | 3 +-- src/Domain/Sharing/Requests/CreateShareRequest.php | 1 + .../Teams/Controllers/TeamFoldersController.php | 14 +++++++++++--- 9 files changed, 38 insertions(+), 18 deletions(-) diff --git a/resources/js/components/Popups/ShareCreatePopup.vue b/resources/js/components/Popups/ShareCreatePopup.vue index 66d517de..3016b8ef 100644 --- a/resources/js/components/Popups/ShareCreatePopup.vue +++ b/resources/js/components/Popups/ShareCreatePopup.vue @@ -213,6 +213,7 @@ export default { isExpiration: false, isEmailSharing: false, shareOptions: { + id: undefined, isPassword: undefined, expiration: undefined, password: undefined, @@ -244,7 +245,7 @@ export default { // Send request to get share link axios - .post(`/api/share/${this.id}`, this.shareOptions) + .post('/api/share', this.shareOptions) .then((response) => { // End loading this.isGeneratedShared = true @@ -278,18 +279,18 @@ export default { this.pickedItem = args.item this.shareOptions.type = args.item.data.type - this.id = args.item.data.id + this.shareOptions.id = args.item.data.id }) // Close popup events.$on('popup:close', () => { // Restore data setTimeout(() => { - this.id = undefined this.isGeneratedShared = false this.isExpiration = false this.isEmailSharing = false this.shareOptions = { + id: undefined, isPassword: false, expiration: undefined, password: undefined, diff --git a/routes/api.php b/routes/api.php index 6f8c98ff..d2bdeb23 100644 --- a/routes/api.php +++ b/routes/api.php 
@@ -83,7 +83,7 @@ Route::group(['middleware' => ['auth:sanctum']], function () { Route::get('/share/{token}/qr', GetShareLinkViaQrCodeController::class); Route::post('/share/{token}/email', ShareViaEmailController::class); Route::apiResource('/share', ShareController::class); - Route::post('/share/{id}', ShareItemController::class); + Route::post('/share', ShareItemController::class); // Notifications Route::post('/notifications/read', MarkUserNotificationsAsReadController::class); diff --git a/routes/teams.php b/routes/teams.php index 8490eb63..e02b71a7 100644 --- a/routes/teams.php +++ b/routes/teams.php @@ -13,7 +13,9 @@ Route::group(['middleware' => ['auth:sanctum']], function () { Route::get('/shared-with-me/{id}', BrowseSharedWithMeController::class); Route::apiResource('/folders', TeamFoldersController::class); - Route::post('/folders/{folder}/convert', ConvertFolderIntoTeamFolderController::class); - Route::delete('/folders/{folder}/leave', LeaveTeamFolderController::class); - Route::get('/folders/{folder}/tree', NavigationTreeController::class); + Route::group(['prefix' => '/folders'], function() { + Route::post('/{folder}/convert', ConvertFolderIntoTeamFolderController::class); + Route::delete('/{folder}/leave', LeaveTeamFolderController::class); + Route::get('/{folder}/tree', NavigationTreeController::class); + }); }); diff --git a/src/App/Users/Requests/UpdateAvatarRequest.php b/src/App/Users/Requests/UpdateAvatarRequest.php index 0b6436f4..425ab80d 100644 --- a/src/App/Users/Requests/UpdateAvatarRequest.php +++ b/src/App/Users/Requests/UpdateAvatarRequest.php @@ -23,7 +23,7 @@ class UpdateAvatarRequest extends FormRequest public function rules() { return [ - 'avatar' => 'required|file', + 'avatar' => 'required|file|mimes:jpg,jpeg,png', ]; } } diff --git a/src/Domain/Browsing/Controllers/SpotlightSearchController.php b/src/Domain/Browsing/Controllers/SpotlightSearchController.php index f253b5ea..db21a7fc 100644 
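Review bot: The new `Route::post('/share', ShareItemController::class)` is registered after `Route::apiResource('/share', ShareController::class)`, which already maps `POST /share` to `ShareController@store`, so the earlier registration wins and ShareItemController becomes unreachable unless the resource is narrowed with `->except('store')` or `->only([...])` somewhere outside this hunk. The removed `/share/{id}` form did not collide because the resource's POST route carries no parameter. Either give the action its own path, e.g. `Route::post('/share/item', ShareItemController::class);` (and point the Vue caller at it), or exclude `store` from the resource. The enclosing `Route::group` closure starts and ends outside the hunk.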
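Review bot: The new group closure in routes/teams.php is spelled `function() {`, while the enclosing middleware group visible in the hunk context uses `function () {`, and PER-CS/PSR-12 requires that space before the parameter list of an anonymous function; change it to `Route::group(['prefix' => '/folders'], function () {`. The fluent `Route::prefix('/folders')->group(function () { … });` is the more common spelling in recent Laravel code, but either form behaves the same. The outer closure starts outside the hunk.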
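Review bot: The new `mimes:jpg,jpeg,png` rule narrows the accepted content type but still sets no size limit, so an avatar upload is bounded only by PHP's `upload_max_filesize`/`post_max_size`; add a `max:` constraint sized for avatars, e.g. `'avatar' => 'required|file|mimes:jpg,jpeg,png|max:<KB_LIMIT>'`, with the placeholder replaced by the limit the frontend expects. Laravel's `mimes` rule validates against the MIME type guessed from the file contents rather than the client-supplied extension, so the type check itself is sound. Do not swap in the broader `image` rule to shorten this, as it also admits SVG and other formats the commit deliberately leaves out.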
--- a/src/Domain/Browsing/Controllers/SpotlightSearchController.php +++ b/src/Domain/Browsing/Controllers/SpotlightSearchController.php @@ -38,7 +38,10 @@ class SpotlightSearchController ): JsonResponse { // Prevent to show non admin user searching if (Auth::user()->role !== 'admin') { - abort(response()->json(accessDeniedError()), 403); + abort(response()->json([ + 'type' => 'error', + 'message' => 'Access denied. You need administrator privileges to search the users.', + ]), 403); } // Get user ids diff --git a/src/Domain/Browsing/Controllers/VisitorBrowseFolderController.php b/src/Domain/Browsing/Controllers/VisitorBrowseFolderController.php index 0eeec488..d6b26c25 100644 --- a/src/Domain/Browsing/Controllers/VisitorBrowseFolderController.php +++ b/src/Domain/Browsing/Controllers/VisitorBrowseFolderController.php @@ -10,6 +10,7 @@ use Domain\Folders\Resources\FolderResource; use Domain\Folders\Resources\FolderCollection; use Domain\Sharing\Actions\ProtectShareRecordAction; use Domain\Sharing\Actions\VerifyAccessToItemAction; +use Str; /** * Browse shared folder @@ -26,14 +27,19 @@ class VisitorBrowseFolderController string $id, Share $shared, ): JsonResponse { + + $folderId = Str::isUuid($id) + ? $id + : $shared->item_id; + // Check ability to access protected share record ($this->protectShareRecord)($shared); // Check if user can get directory - ($this->verifyAccessToItem)($id, $shared); + ($this->verifyAccessToItem)($folderId, $shared); // Get requested folder - $requestedFolder = Folder::findOrFail($id); + $requestedFolder = Folder::findOrFail($folderId); $page = request()->has('page') ? request()->input('page') @@ -43,13 +49,13 @@ class VisitorBrowseFolderController $query = [ 'folder' => [ 'where' => [ - 'parent_id' => $id, + 'parent_id' => $folderId, 'user_id' => $shared->user_id, ], ], 'file' => [ 'where' => [ - 'parent_id' => $id, + 'parent_id' => $folderId, 'user_id' => $shared->user_id, ], ], 
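Review bot: Replacing `accessDeniedError()` with an inline array gives this endpoint a 403 body built in a different place than TeamFoldersController, which in the same commit still returns `response()->json(accessDeniedError(), 403)`, so clients now depend on two separately maintained access-denied payloads. If the goal is a more specific message, extend the helper with an optional message parameter (if it does not already accept one) and call `abort(response()->json(accessDeniedError('Access denied. You need administrator privileges to search the users.')), 403);` here, keeping the `type`/`message` keys in one place. The check itself remains a raw string comparison on `Auth::user()->role`; a Gate ability, as the commit introduces for team folders, would keep the admin rule out of the controller. The `__invoke` body continues outside the hunk.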
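Review bot: The added `use Str;` in the `@@ -10` hunk imports the framework's global class alias rather than `Illuminate\Support\Str`, so resolution depends on the alias loader and the app's `aliases` map instead of an explicit namespace; the neighbouring imports are fully qualified, so `use Illuminate\Support\Str;` keeps the file consistent and lets static analysis see the class. In the `@@ -26` hunk, `$folderId = Str::isUuid($id) ? $id : $shared->item_id;` silently maps any non-UUID `$id` to the share's root item, so a malformed id resolves to the root instead of a 404; access control is preserved because `verifyAccessToItem` is still called on `$folderId`, but the intent deserves a comment such as `// A non-UUID id (e.g. the share token) means the visitor is browsing the shared item itself`, adjusted to whatever the route actually passes there. The stray blank line directly after `): JsonResponse {` can go. The `__invoke` body continues past the last hunk.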
diff --git a/src/Domain/Sharing/Controllers/ShareItemController.php b/src/Domain/Sharing/Controllers/ShareItemController.php index c4a65828..b91a4715 100644 --- a/src/Domain/Sharing/Controllers/ShareItemController.php +++ b/src/Domain/Sharing/Controllers/ShareItemController.php @@ -21,9 +21,8 @@ class ShareItemController extends Controller */ public function __invoke( CreateShareRequest $request, - string $id, ): JsonResponse { - $item = get_item($request->input('type'), $id); + $item = get_item($request->input('type'), $request->input('id')); // Check if item is currently shared if ($item->shared()->exists()) { diff --git a/src/Domain/Sharing/Requests/CreateShareRequest.php b/src/Domain/Sharing/Requests/CreateShareRequest.php index 07f916b2..2651811c 100644 --- a/src/Domain/Sharing/Requests/CreateShareRequest.php +++ b/src/Domain/Sharing/Requests/CreateShareRequest.php @@ -24,6 +24,7 @@ class CreateShareRequest extends FormRequest public function rules() { return [ + 'id' => 'required|uuid', 'isPassword' => 'sometimes|boolean', 'password' => 'required_if:isPassword,true', 'type' => 'required|string', diff --git a/src/Domain/Teams/Controllers/TeamFoldersController.php b/src/Domain/Teams/Controllers/TeamFoldersController.php index 46dc6fd6..55438ffa 100644 --- a/src/Domain/Teams/Controllers/TeamFoldersController.php +++ b/src/Domain/Teams/Controllers/TeamFoldersController.php @@ -1,6 +1,7 @@ getLatestParent(); + + // Check privileges + if (! Gate::any(['can-edit', 'can-view'], [$teamFolder, null])) { + return response()->json(accessDeniedError(), 403); + } + $query = [ 'folder' => [ 'where' => [ @@ -111,7 +119,7 @@ class TeamFoldersController extends Controller 'meta' => [ 'paginate' => $paginate, 'teamFolder' => $id - ? new FolderResource(Folder::findOrFail($id)->getLatestParent()) + ? new FolderResource($teamFolder) : null, 'root' => $id ? new FolderResource(Folder::findOrFail($id))
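Review bot: The item id now comes from the body via `$request->input('id')`, which reads raw input; once CreateShareRequest's new `required|uuid` rule has passed the value is the same, but reading from the validated payload makes that dependency explicit: `$data = $request->validated();` followed by `$item = get_item($data['type'], $data['id']);`. Moving the id from a route segment to the body does not change who may share what, so whether `get_item()` scopes the lookup to the authenticated user, or a policy check follows, is worth confirming outside this hunk, since the hunk shows no ownership check before `$item->shared()->exists()`. The `__invoke` body continues past the hunk.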
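Review bot: In the `@@ -111,7 +119,7 @@` hunk the `root` entry still calls `Folder::findOrFail($id)`, although the preceding hunk, whose header is garbled in this view, appears to load the same folder to derive `$teamFolder` via `getLatestParent()`; keeping that model in a local (`$root = Folder::findOrFail($id);` before `$teamFolder = $root->getLatestParent();`) and using `new FolderResource($root)` here avoids the second query. If `$id` can be null at this point, as the surrounding `$id ? … : null` ternaries suggest, the unconditional lookup above would already throw a 404 before the new `Gate::any(['can-edit', 'can-view'], [$teamFolder, null])` check runs; confirm whether the check needs a null guard. The meaning of the `null` second argument passed to `Gate::any` is not evident from the hunk and deserves a one-line comment. The enclosing method starts outside the hunk.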