From aeede6606ee558614df611529f8330a83d5634a7 Mon Sep 17 00:00:00 2001 From: Mh-Asmi Date: Tue, 14 Nov 2023 00:25:38 +0400 Subject: [PATCH] hide contact info for unauthorized users --- .../Handlers/AbstractPostQueryHandler.php | 38 +++++++++++++++++++ .../Handlers/FindPostByIdQueryHandler.php | 28 ++++++++------ .../Post/Handlers/ListPostsQueryHandler.php | 25 +++++++----- 3 files changed, 69 insertions(+), 22 deletions(-) create mode 100644 src/Ushahidi/Modules/V5/Actions/Post/Handlers/AbstractPostQueryHandler.php diff --git a/src/Ushahidi/Modules/V5/Actions/Post/Handlers/AbstractPostQueryHandler.php b/src/Ushahidi/Modules/V5/Actions/Post/Handlers/AbstractPostQueryHandler.php new file mode 100644 index 0000000000..1c5deb2314 --- /dev/null +++ b/src/Ushahidi/Modules/V5/Actions/Post/Handlers/AbstractPostQueryHandler.php @@ -0,0 +1,38 @@ +id) { + return false; + } + if ($user->role === "admin") { + return true; + } + $permissions = + RolePermission::select("permission")->where('role', '=', $user->role)->get()->pluck('permission'); + if (in_array("Manage Posts", $permissions->toArray())) { + return true; + } + return false; + } + + protected function updateSelectFieldsDependsOnPermissions(array $fields) + { + + if (!$this->userHasManagePostPermissions()) { + return array_diff($fields, ["author_email","author_realname"]); + } + return $fields; + } +} diff --git a/src/Ushahidi/Modules/V5/Actions/Post/Handlers/FindPostByIdQueryHandler.php b/src/Ushahidi/Modules/V5/Actions/Post/Handlers/FindPostByIdQueryHandler.php index ed5842354e..8eab6e380d 100644 --- a/src/Ushahidi/Modules/V5/Actions/Post/Handlers/FindPostByIdQueryHandler.php +++ b/src/Ushahidi/Modules/V5/Actions/Post/Handlers/FindPostByIdQueryHandler.php 
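Review bot: userHasManagePostPermissions() issues a fresh RolePermission query every time it is called, and the list handler appears to call it from addHydrateRelationships() once per post (and again for each hydrated relationship), so one page of results costs roughly one extra permission query per post; cache the answer on the handler instance, e.g. `private $canManagePosts;` plus `if ($this->canManagePosts === null) { $this->canManagePosts = $this->lookupManagePostPermissions(); } return $this->canManagePosts;`, with the current body moved into that private lookup method. The membership test should also be strict, `in_array("Manage Posts", $permissions->toArray(), true)`. The start of this hunk (the file header, how $user is obtained and the method signature) is not readable in this rendering, so the unauthenticated fallback is only assumed from the `return false` on the first visible line.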
@@ -4,10 +4,11 @@ use App\Bus\Action;
 use App\Bus\Query\Query;
-use App\Bus\Query\AbstractQueryHandler;
+use Ushahidi\Modules\V5\Actions\Post\Handlers\AbstractPostQueryHandler;
 use Ushahidi\Modules\V5\Actions\Post\Queries\FindPostByIdQuery;
 use Ushahidi\Modules\V5\Repository\Post\PostRepository;
 use Ushahidi\Modules\V5\Models\Post\Post;
+use Ushahidi\Modules\V5\Models\Contact;
 use Illuminate\Support\Collection;
 use Ushahidi\Modules\V5\Http\Resources\PostValueCollection;
 use Ushahidi\Modules\V5\Http\Resources\ContactPointerResource;
@@ -15,7 +16,7 @@ use Ushahidi\Modules\V5\Http\Resources\LockCollection;
 use Ushahidi\Modules\V5\Http\Resources\Survey\TaskCollection;
-class FindPostByIdQueryHandler extends AbstractQueryHandler
+class FindPostByIdQueryHandler extends AbstractPostQueryHandler
 {
 private $postRepository;
@@ -40,7 +41,9 @@ public function __invoke(Action $action)
 $post = $this->postRepository->findById(
 $action->getId(),
-array_unique(array_merge($action->getFields(), $action->getFieldsForRelationship())),
+$this->updateSelectFieldsDependsOnPermissions(
+array_unique(array_merge($action->getFields(), $action->getFieldsForRelationship()))
+),
 $action->getWithRelationship()
 );
 $post = $this->addHydrateRelationships($post, $action->getHydrates());
@@ -76,15 +79,13 @@ private function addHydrateRelationships(Post $post, array $hydrates)
 case 'contact':
 $post->contact = null;
 if ($post->message) {
-//$post->contact = new ContactPointerResource($post->message->contact);
-$post->contact = $post->message->contact;
+if ($this->userHasManagePostPermissions()) {
+$post->contact = $post->message->contact;
+} else {
+$post->contact = $post->message->contact->setVisible(["id"]);
+}
 }
 break;
-case 'message':
-// if ($post->message) {
-// $post->message = new MessagePointerResource($post->message);
-// }
-break;
 case 'locks':
 $post->locks = new LockCollection($post->locks);
 break;
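Review bot: `$post->message->contact->setVisible(["id"])` in the new else branch of the contact case dereferences the message's contact relation without a null check, so if a message can exist without a contact this now throws "Call to a member function setVisible() on null" for every viewer without Manage Posts, where the old assignment (and the privileged branch) simply yields null. Guard it, e.g. `$contact = $post->message->contact;` / `$post->contact = $contact ? $contact->setVisible(["id"]) : null;`. setVisible() presumably mutates the relation instance shared with `$post->message`, which is what also limits the contact when the message relation is serialised, so a one-line comment saying that is relied upon would stop someone "fixing" it by cloning. The enclosing addHydrateRelationships() starts before this hunk, and the `use Ushahidi\Modules\V5\Models\Contact;` added in the first hunk is not referenced by any added line visible here.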
@@ -104,6 +105,11 @@ private function addHydrateRelationships(Post $post, array $hydrates)
 $post->data_source_message_id = $message->data_source_message_id ?? null;
 }
 break;
+case 'message':
+if ($post->message && !$this->userHasManagePostPermissions()) {
+$post->message->makeHidden("contact");
+}
+break;
 case 'enabled_languages':
 $post->enabled_languages = [
 'default' => $post->base_language,
@@ -113,8 +119,6 @@ private function addHydrateRelationships(Post $post, array $hydrates)
 break;
 }
 }
-// dd($post);
-
 return $post;
 }
 private function hideFieldsUsedByRelationships(Post $post, array $fields = [])
diff --git a/src/Ushahidi/Modules/V5/Actions/Post/Handlers/ListPostsQueryHandler.php b/src/Ushahidi/Modules/V5/Actions/Post/Handlers/ListPostsQueryHandler.php
index 2b9cd0f9f6..42d715f15e 100644
--- a/src/Ushahidi/Modules/V5/Actions/Post/Handlers/ListPostsQueryHandler.php
+++ b/src/Ushahidi/Modules/V5/Actions/Post/Handlers/ListPostsQueryHandler.php
@@ -2,7 +2,7 @@
 namespace Ushahidi\Modules\V5\Actions\Post\Handlers;
-use App\Bus\Query\AbstractQueryHandler;
+use Ushahidi\Modules\V5\Actions\Post\Handlers\AbstractPostQueryHandler;
 use App\Bus\Query\Query;
 use App\Bus\Action;
 use Illuminate\Contracts\Pagination\LengthAwarePaginator;
@@ -16,7 +16,7 @@ use Ushahidi\Modules\V5\Http\Resources\LockCollection;
 use Ushahidi\Modules\V5\Http\Resources\Survey\TaskCollection;
-class ListPostsQueryHandler extends AbstractQueryHandler
+class ListPostsQueryHandler extends AbstractPostQueryHandler
 {
 private $postRepository;
@@ -43,7 +43,9 @@ public function __invoke(Action $action): LengthAwarePaginator
 ->paginate(
 $action->getPaging(),
 $action->getSearchFields(),
-array_unique(array_merge($action->getFields(), $action->getFieldsForRelationship())),
+$this->updateSelectFieldsDependsOnPermissions(
+array_unique(array_merge($action->getFields(), $action->getFieldsForRelationship()))
+),
 $action->getWithRelationship()
 );
 $result = [];
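Review bot: updateSelectFieldsDependsOnPermissions() wrapped around the paginate() select list can only strip author_email and author_realname when they are actually present in the requested field list, so if `$action->getFields()` may be empty and the repository treats an empty select list as "all columns" (neither the query object nor the repository is visible here), both columns are still fetched and serialised for users without Manage Posts and the filter is a no-op. Confirm the field list is always populated, or additionally hide the attributes on the model in the non-privileged path, e.g. `$post->makeHidden(["author_email", "author_realname"]);`, so the protection does not hinge on the select list. The same consideration applies to the findById() call in FindPostByIdQueryHandler. The enclosing __invoke() continues past the end of this hunk.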
@@ -82,15 +84,13 @@ private function addHydrateRelationships(Post $post, array $hydrates)
 case 'contact':
 $post->contact = null;
 if ($post->message) {
-//$post->contact = new ContactPointerResource($post->message->contact);
-$post->contact = $post->message->contact;
+if ($this->userHasManagePostPermissions()) {
+$post->contact = $post->message->contact;
+} else {
+$post->contact = $post->message->contact->setVisible(["id"]);
+}
 }
 break;
-case 'message':
-// if ($post->message) {
-// $post->message = new MessagePointerResource($post->message);
-// }
-break;
 case 'locks':
 $post->locks = new LockCollection($post->locks);
 break;
@@ -110,6 +110,11 @@ private function addHydrateRelationships(Post $post, array $hydrates)
 $post->data_source_message_id = $message->data_source_message_id ?? null;
 }
 break;
+case 'message':
+if ($post->message && !$this->userHasManagePostPermissions()) {
+$post->message->makeHidden("contact");
+}
+break;
 case 'enabled_languages':
 $post->enabled_languages = [
 'default' => $post->base_language,
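Review bot: The permission-dependent contact hiding is duplicated line for line between this handler's addHydrateRelationships() and FindPostByIdQueryHandler's, including the unguarded `$post->message->contact->setVisible(["id"])` in the contact case, which throws if a message's contact relation is null. Since both handlers now extend AbstractPostQueryHandler, one protected helper there, e.g. `protected function restrictContactForViewer(Post $post)`, could hold the permission check, the null guard and the `makeHidden("contact")` from the message case so the two copies cannot drift. Until then, guard this branch with `$contact = $post->message->contact;` / `$post->contact = $contact ? $contact->setVisible(["id"]) : null;`. addHydrateRelationships() starts before this hunk and the loop that calls it per post is not visible here.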