Implement maven auth and permission levels (#27)

* `is_admin` -> `permission_level` in user model

* Dropdown in users management page for modifying permission levels

* Support maven editor role for new registrations

* Add tests to maven, fixes for these and general improvement

* Add tests for new maven editor permission level

Author: Harleyoc1

app/Attachments/AttachmentWriter.php

@@ -2,7 +2,6 @@
 
 namespace App\Attachments;
 
-use Illuminate\Http\UploadedFile;
 use Livewire\Wireable;
 
 interface AttachmentWriter extends Wireable

app/Auth/Registration/Registrant.php

@@ -7,7 +7,7 @@ class Registrant
 
     public function __construct(
         private string $email,
-        private bool $isAdmin
+        private int $permissionLevel
     ) {
     }
 
@@ -16,9 +16,9 @@ public function getEmail(): string
         return $this->email;
     }
 
-    public function isAdmin(): bool
+    public function getPermissionLevel(): int
     {
-        return $this->isAdmin;
+        return $this->permissionLevel;
     }
 
 }

app/Auth/Registration/RegistrationTokenRepository.php

@@ -58,7 +58,7 @@ private function createRecord(Registrant $registrant, #[\SensitiveParameter] str
     {
         return [
             'email' => $registrant->getEmail(),
-            'is_admin' => $registrant->isAdmin(),
+            'permission_level' => $registrant->getPermissionLevel(),
             'token' => Hash::make($token),
             'created_at' => new Carbon
         ];
@@ -81,7 +81,7 @@ private function tokenExpired($createdAt)
 
     private function readRecord($record): Registrant
     {
-        return new Registrant($record['email'], $record['is_admin']);
+        return new Registrant($record['email'], $record['permission_level']);
     }
 
     public function deleteExisting(string $email): bool

app/Http/Middleware/AdminAuthorization.php

@@ -0,0 +1,14 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use const App\Models\ADMIN_LEVEL;
+
+class AdminAuthorization extends PermissionLevelAuthorization
+{
+    protected function getRequiredLevel(): int
+    {
+        return ADMIN_LEVEL;
+    }
+
+}

app/Http/Middleware/BasicAuthorization.php

@@ -0,0 +1,43 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use App\Models\User;
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Hash;
+use Symfony\Component\HttpFoundation\Response;
+
+class BasicAuthorization
+{
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        if (!self::hasHeader($request) || !self::getAuthenticatedUser($request)) {
+            abort(Response::HTTP_UNAUTHORIZED);
+        }
+        return $next($request);
+    }
+
+    public static function hasHeader(Request $request): bool
+    {
+        return $request->hasHeader('Authorization');
+    }
+
+    public static function getAuthenticatedUser(Request $request): User|false
+    {
+        $credentials = base64_decode(substr($request->header('Authorization'), 6));
+        list($username, $password) = explode(':', $credentials);
+        $user = User::where('email', $username)->first();
+        if (isset($user) and Hash::check($password, $user->password)) {
+            return $user;
+        }
+        return false;
+    }
+
+}

app/Http/Middleware/IsAdminMiddleware.php

@@ -0,0 +1,14 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use const App\Models\MAVEN_EDITOR_LEVEL;
+
+class MavenEditorAuthorization extends PermissionLevelAuthorization
+{
+    protected function getRequiredLevel(): int
+    {
+        return MAVEN_EDITOR_LEVEL;
+    }
+
+}

app/Http/Middleware/MavenEditorAuthorization.php

@@ -0,0 +1,31 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+abstract class PermissionLevelAuthorization
+{
+    protected abstract function getRequiredLevel(): int;
+
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response)  $next
+     */
+    public function handle(Request $request, Closure $next): Response
+    {
+        if (auth()->check()) {
+            $user = auth()->user();
+        } else {
+            // Fallback to basic Authorization if no standard auth
+            $user = BasicAuthorization::getAuthenticatedUser($request);
+        }
+        if (!isset($user) or !$user->hasPermission($this->getRequiredLevel())) {
+            abort(Response::HTTP_FORBIDDEN);
+        }
+        return $next($request);
+    }
+}

app/Http/Middleware/PermissionLevelAuthorization.php

@@ -12,6 +12,7 @@
 use Livewire\Attributes\Locked;
 use Livewire\Attributes\Title;
 use Livewire\Component;
+use const App\Models\USER_LEVEL;
 
 #[Title('Register')]
 #[Layout('components.layouts.auth')]
@@ -60,8 +61,8 @@ public function register(): void
         // Since the user needs a token to register, we can consider this an email verification
         $user->markEmailAsVerified();
 
-        if ($registrant->isAdmin()) {
-            $user->is_admin = true;
+        if ($registrant->getPermissionLevel() > USER_LEVEL) {
+            $user->permission_level = $registrant->getPermissionLevel();
             $user->save();
         }
         RegistrationTokenRepository::get()->deleteExisting($this->email);

app/Livewire/Auth/Register.php

@@ -17,10 +17,13 @@ public function mount(?string $path = '')
     {
         $this->isRoot = $path == '';
         $this->path = $path;
-        if (!Storage::directoryExists("maven$path")) {
-            return redirect(route('maven.download', $path));
+        if (!Storage::disk('maven')->exists($path)) {
+            abort(404);
         }
-        $fullPath = Storage::path("maven/$path");
+        if (!Storage::disk('maven')->directoryExists($path)) {
+            return redirect(route('maven.download', substr($path, 1)));
+        }
+        $fullPath = Storage::disk('maven')->path($path);
         foreach (new DirectoryIterator($fullPath) as $file) {
             if ($file->isDot()) continue;
             $path = $file->getRealPath();