Merge pull request #4801 from RoboJackets/kristaps/shared-device-role

Add shared-device role to allow accounts to bypass authentication checks
RoboJackets · Sep 10, 2024 · e1eb88d · e1eb88d
2 parents 34990ff + 4ef8308
commit e1eb88d
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 2 deletions.
diff --git a/app/Nova/User.php b/app/Nova/User.php
@@ -114,7 +114,7 @@ public function fields(NovaRequest $request): array
         return [
             Hidden::make('Has Ever Logged In')
                 ->showOnCreating()
-                ->default(static fn (Request $r): bool => false),
+                ->default(static fn (Request $r): int => 0),
 
             Text::make('Username', 'uid')
                 ->sortable()
@@ -413,7 +413,8 @@ public function fields(NovaRequest $request): array
                 ->hideFromDetail(static fn (NovaRequest $r, AppModelsUser $u): bool => $u->is_service_account),
 
             HasMany::make('Access Cards')
-                ->canSee(static fn (Request $request): bool => $request->user()->hasRole('admin')),
+                ->canSee(static fn (Request $request): bool => $request->user()->hasRole('admin'))
+                ->hideFromDetail(static fn (NovaRequest $r, AppModelsUser $u): bool => $u->is_service_account),
 
             HasMany::make('Attendance')
                 ->canSee(static function (Request $request): bool {

diff --git a/app/Util/CasUser.php b/app/Util/CasUser.php
@@ -39,6 +39,12 @@ public static function createOrUpdate(): User
             Cas::setAttributes($masq_attrs);
         }
 
+        $existing_user = User::where('uid', Cas::user())->first();
+
+        if ($existing_user !== null && $existing_user->hasRole('shared-device')) {
+            return $existing_user;
+        }
+
         if (config('features.sandbox-mode') !== true) {
             foreach ($attrs as $attr) {
                 if (

diff --git a/database/migrations/2024_09_08_203808_add_shared_device_role.php b/database/migrations/2024_09_08_203808_add_shared_device_role.php
@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Spatie\Permission\Models\Permission;
+use Spatie\Permission\Models\Role;
+
+return new class extends Migration
+{
+    /**
+     * Run the migrations.
+     */
+    public function up(): void
+    {
+        app()['cache']->forget('spatie.permission.cache');
+
+        $create_attendance = Permission::firstOrCreate(['name' => 'create-attendance']);
+        $read_events = Permission::firstOrCreate(['name' => 'read-events']);
+        $read_teams = Permission::firstOrCreate(['name' => 'read-teams']);
+        $read_teams_hidden = Permission::firstOrCreate(['name' => 'read-teams-hidden']);
+        $read_users = Permission::firstOrCreate(['name' => 'read-users']);
+
+        $shared_device = Role::firstOrCreate(['name' => 'shared-device']);
+
+        $shared_device->givePermissionTo($create_attendance);
+        $shared_device->givePermissionTo($read_events);
+        $shared_device->givePermissionTo($read_teams);
+        $shared_device->givePermissionTo($read_teams_hidden);
+        $shared_device->givePermissionTo($read_users);
+    }
+
+    /**
+     * Reverse the migrations.
+     */
+    public function down(): void
+    {
+        app()['cache']->forget('spatie.permission.cache');
+
+        Role::where('name', 'shared-device')->delete();
+    }
+};