Update: restrict events&tickets deletion

nozomu-y · Dec 19, 2021 · adc7072 · adc7072
1 parent d8a30e2
commit adc7072
Show file tree

Hide file tree

Showing 3 changed files with 50 additions and 33 deletions.
diff --git a/resources/views/events/detail.blade.php b/resources/views/events/detail.blade.php
@@ -1,6 +1,7 @@
 <?php
 use App\Enums\SeatType;
 use App\Enums\CollectType;
+use App\Enums\UserRole;
 ?>
 @extends('layouts.main')
 @section('title', $event->name)
@@ -109,12 +110,14 @@
                     href="{{ route('issue_tickets', ['event_id' => $event->event_id]) }}">{{ __('issue_tickets') }}</a>
                 <a class="list-group-item list-group-item-action"
                     href="{{ route('edit_event', ['event_id' => $event->event_id]) }}">{{ __('edit_event') }}</a>
-                <a class="list-group-item list-group-item-action text-danger"
-                    onclick="if (confirm('{{ __('message.events.delete.confirm') }}')) {event.preventDefault(); document.getElementById('delete-form').submit();}">{{ __('delete_event') }}</a>
-                <form id="delete-form" action="{{ route('delete_event', ['event_id' => $event->event_id]) }}"
-                    method="POST" class="d-none">
-                    @csrf
-                </form>
+                @if (Auth::user()->role === UserRole::ADMIN)
+                    <a class="list-group-item list-group-item-action text-danger"
+                        onclick="if (confirm('{{ __('message.events.delete.confirm') }}')) {event.preventDefault(); document.getElementById('delete-form').submit();}">{{ __('delete_event') }}</a>
+                    <form id="delete-form" action="{{ route('delete_event', ['event_id' => $event->event_id]) }}"
+                        method="POST" class="d-none">
+                        @csrf
+                    </form>
+                @endif
             </div>
         </div>
     </div>

diff --git a/resources/views/tickets/show.blade.php b/resources/views/tickets/show.blade.php
@@ -1,6 +1,7 @@
 <?php
 use App\Libs\Common;
 use App\Enums\CollectType;
+use App\Enums\UserRole;
 ?>
 @extends('layouts.main')
 @section('title', $event->name)
@@ -197,13 +198,13 @@
             @endif
 
             @if ($ticket->is_issued)
-            <div>
-                <p>
-                    <strong class="mr-1">{{ __('ticket_url') }}</strong>
-                    <a href="{{ config('app.url') . '/' . $event->event_id . '/' . $ticket->ticket_id . '/' . $ticket->token }}"
-                        class="text-break">{{ config('app.url') . '/' . $event->event_id . '/' . $ticket->ticket_id . '/' . $ticket->token }}</a>
-                </p>
-            </div>
+                <div>
+                    <p>
+                        <strong class="mr-1">{{ __('ticket_url') }}</strong>
+                        <a href="{{ config('app.url') . '/' . $event->event_id . '/' . $ticket->ticket_id . '/' . $ticket->token }}"
+                            class="text-break">{{ config('app.url') . '/' . $event->event_id . '/' . $ticket->ticket_id . '/' . $ticket->token }}</a>
+                    </p>
+                </div>
             @endif
         </div>
 
@@ -220,21 +221,24 @@ class="text-break">{{ config('app.url') . '/' . $event->event_id . '/' . $ticket
 
         <div class="col-lg-4 mb-3">
             @if (url()->current() === route('show_ticket', ['event_id' => $event->event_id, 'ticket_id' => $ticket->ticket_id]))
-            <div class="list-group mb-4">
-                <a class="list-group-item list-group-item-action"
-                   href="{{ route('edit_ticket', ['event_id' => $event->event_id, 'ticket_id' => $ticket->ticket_id]) }}">{{ __('edit_ticket') }}</a>
-                @if (!$ticket->is_issued)
-                <a class="list-group-item list-group-item-action text-danger"
-                    onclick="if (confirm('{{ __('message.tickets.delete.confirm') }}')) {event.preventDefault(); document.getElementById('delete-form').submit();}">{{ __('delete_ticket') }}</a>
-                <form id="delete-form" action="{{ route('delete_ticket', ['event_id' => $event->event_id, 'ticket_id' => $ticket->ticket_id]) }}"
-                    method="POST" class="d-none">
-                    @csrf
-                </form>
-                @else
-                <a class="list-group-item list-group-item-action text-danger"
-                    onclick="alert('{{ __('message.tickets.delete.disabled') }}')">{{ __('delete_ticket') }}</a>
-                @endif
-            </div>
+                <div class="list-group mb-4">
+                    <a class="list-group-item list-group-item-action"
+                        href="{{ route('edit_ticket', ['event_id' => $event->event_id, 'ticket_id' => $ticket->ticket_id]) }}">{{ __('edit_ticket') }}</a>
+                    @if (Auth::user()->role === UserRole::ADMIN)
+                        @if (!$ticket->is_issued)
+                            <a class="list-group-item list-group-item-action text-danger"
+                                onclick="if (confirm('{{ __('message.tickets.delete.confirm') }}')) {event.preventDefault(); document.getElementById('delete-form').submit();}">{{ __('delete_ticket') }}</a>
+                            <form id="delete-form"
+                                action="{{ route('delete_ticket', ['event_id' => $event->event_id, 'ticket_id' => $ticket->ticket_id]) }}"
+                                method="POST" class="d-none">
+                                @csrf
+                            </form>
+                        @else
+                            <a class="list-group-item list-group-item-action text-danger"
+                                onclick="alert('{{ __('message.tickets.delete.disabled') }}')">{{ __('delete_ticket') }}</a>
+                        @endif
+                    @endif
+                </div>
             @endif
         </div>
     </div>

diff --git a/routes/web.php b/routes/web.php
@@ -23,7 +23,9 @@
 
 Auth::routes(['register' => false, 'reset' => false]);
 
-Route::get('/home', function () { return redirect()->route('home'); });
+Route::get('/home', function () {
+    return redirect()->route('home');
+});
 Route::get('/', [HomeController::class, 'index'])->name('home');
 
 Route::get('front/qrreader', [FrontController::class, 'qrreader'])->name('qrreader');
@@ -39,11 +41,15 @@
 
 Route::get('events', [EventsController::class, 'index'])->name('events');
 Route::get('events/{event_id}', [EventsController::class, 'detail'])->where('event_id', '[0-9]+')->name('event_detail');
-Route::get('events/add', function () { return view('events.add'); })->name('add_event');
+Route::get('events/add', function () {
+    return view('events.add');
+})->name('add_event');
 Route::post('events/add', [EventsController::class, 'add'])->name('post_add_event');
 Route::get('events/{event_id}/edit', [EventsController::class, 'edit'])->where('event_id', '[0-9]+')->name('edit_event');
 Route::post('events/{event_id}/edit', [EventsController::class, 'post_edit'])->where('event_id', '[0-9]+')->name('post_edit_event');
-Route::post('events/{event_id}/delete', [EventsController::class, 'delete'])->where('event_id', '[0-9]+')->name('delete_event');
+Route::group(['middleware' => 'admin'], function () {
+    Route::post('events/{event_id}/delete', [EventsController::class, 'delete'])->where('event_id', '[0-9]+')->name('delete_event');
+});
 Route::get('events/{event_id}/tickets', [TicketsController::class, 'index'])->where('event_id', '[0-9]+')->name('tickets');
 Route::get('events/{event_id}/tickets/add', [TicketsController::class, 'add'])->where('event_id', '[0-9]+')->name('add_tickets');
 Route::post('events/{event_id}/tickets/add', [TicketsController::class, 'post_add'])->where('event_id', '[0-9]+')->name('post_add_tickets');
@@ -53,11 +59,15 @@
 Route::get('events/{event_id}/tickets/{ticket_id}', [TicketsController::class, 'show_ticket'])->where('event_id', '[0-9]+')->where('ticket_id', '[0-9]+')->name('show_ticket');
 Route::get('events/{event_id}/tickets/{ticket_id}/edit', [TicketsController::class, 'edit'])->where('event_id', '[0-9]+')->where('ticket_id', '[0-9]+')->name('edit_ticket');
 Route::post('events/{event_id}/tickets/{ticket_id}/edit', [TicketsController::class, 'post_edit'])->where('event_id', '[0-9]+')->where('ticket_id', '[0-9]+')->name('post_edit_ticket');
-Route::post('events/{event_id}/tickets/{ticket_id}/delete', [TicketsController::class, 'delete'])->where('event_id', '[0-9]+')->where('ticket_id', '[0-9]+')->name('delete_ticket');
+Route::group(['middleware' => 'admin'], function () {
+    Route::post('events/{event_id}/tickets/{ticket_id}/delete', [TicketsController::class, 'delete'])->where('event_id', '[0-9]+')->where('ticket_id', '[0-9]+')->name('delete_ticket');
+});
 
 Route::group(['middleware' => 'admin'], function () {
     Route::get('accounts', [AccountsController::class, 'index'])->name('accounts');
-    Route::get('accounts/add', function () { return view('accounts.add'); })->name('add_account');
+    Route::get('accounts/add', function () {
+        return view('accounts.add');
+    })->name('add_account');
     Route::post('accounts/add', [AccountsController::class, 'register'])->name('post_add_account');
     Route::post('accounts/{user_id}/delete', [AccountsController::class, 'delete'])->where('user_id', '[0-9]+')->name('delete_account');
 });