Use OsuAuthorize for leaving team check

nanaya · Dec 20, 2024 · a4d8a2a · a4d8a2a
1 parent 6f6e6a8
commit a4d8a2a
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 15 deletions.
diff --git a/app/Http/Controllers/TeamsController.php b/app/Http/Controllers/TeamsController.php
@@ -28,18 +28,15 @@ public function edit(string $id): Response
         return ext_view('teams.edit', compact('team'));
     }
 
-    public function part(): Response
+    public function part(string $id): Response
     {
-        $member = TeamMember::findOrFail(\Auth::user()->getKey());
-
-        if ($member->team->leader_id === $member->user_id) {
-            return error_popup(osu_trans('teams.part.is_leader'));
-        }
+        $team = Team::findOrFail($id);
+        priv_check('TeamPart', $team)->ensureCan();
 
-        $member->delete();
+        $team->members()->findOrFail(\Auth::user()->getKey())->delete();
         \Session::flash('popup', osu_trans('teams.part.ok'));
 
-        return ujs_redirect(route('teams.show', ['team' => $member->team_id]));
+        return ujs_redirect(route('teams.show', ['team' => $team]));
     }
 
     public function show(string $id): Response

diff --git a/app/Singletons/OsuAuthorize.php b/app/Singletons/OsuAuthorize.php
@@ -48,9 +48,10 @@ public static function alwaysCheck($ability)
 
         $set ??= new Ds\Set([
             'ContestJudge',
-            'IsOwnClient',
             'IsNotOAuth',
+            'IsOwnClient',
             'IsSpecialScope',
+            'TeamPart',
             'UserUpdateEmail',
         ]);
 
@@ -1908,6 +1909,22 @@ public function checkScorePin(?User $user, ScoreBest|Solo\Score $score): string
         return 'ok';
     }
 
+    public function checkTeamPart(?User $user, Team $team): ?string
+    {
+        $this->ensureLoggedIn($user);
+
+        $prefix = 'team.part.';
+
+        if ($team->leader_id === $user->getKey()) {
+            return $prefix.'is_leader';
+        }
+        if ($team->getKey() !== $user?->team?->getKey()) {
+            return $prefix.'not_member';
+        }
+
+        return 'ok';
+    }
+
     public function checkTeamUpdate(?User $user, Team $team): ?string
     {
         $this->ensureLoggedIn($user);

diff --git a/resources/lang/en/authorization.php b/resources/lang/en/authorization.php
@@ -191,6 +191,13 @@
         ],
     ],
 
+    'team' => [
+        'part' => [
+            'is_leader' => "Team leader can't leave the team.",
+            'not_member' => 'Not a member of the team.'
+        ],
+    ],
+
     'user' => [
         'page' => [
             'edit' => [

diff --git a/resources/views/teams/show.blade.php b/resources/views/teams/show.blade.php
@@ -14,9 +14,8 @@
     $teamMembers['leader'] ??= $toJson([$team->members()->make(['user_id' => $team->leader_id])->userOrDeleted()]);
     $headerUrl = $team->header()->url();
 
-    $currentUser = Auth::user();
     $buttons = new Ds\Set();
-    if ($currentUser !== null && $currentUser->team?->getKey() === $team->getKey() && $currentUser->getKey() !== $team->leader_id) {
+    if (priv_check('TeamPart', $team)->can()) {
         $buttons->add('part');
     }
 @endphp
@@ -79,7 +78,7 @@ class="btn-circle btn-circle--page-toggle"
             <div class="profile-detail-bar profile-detail-bar--team">
                 @if ($buttons->contains('part'))
                     <form
-                        action="{{ route('teams.part') }}"
+                        action="{{ route('teams.part', ['team' => $team]) }}"
                         data-turbo-confirm="{{ osu_trans('common.confirmation') }}"
                         method="POST"
                     >

diff --git a/routes/web.php b/routes/web.php
@@ -296,10 +296,10 @@
     Route::post('user-cover-presets/batch-activate', 'UserCoverPresetsController@batchActivate')->name('user-cover-presets.batch-activate');
     Route::resource('user-cover-presets', 'UserCoverPresetsController', ['only' => ['index', 'store', 'update']]);
 
-    Route::group(['as' => 'teams.', 'prefix' => 'teams/{team}', 'namespace' => 'Teams'], function () {
-        Route::resource('members', 'MembersController', ['only' => ['destroy', 'index']]);
+    Route::group(['as' => 'teams.', 'prefix' => 'teams/{team}'], function () {
+        Route::post('part', 'TeamsController@part')->name('part');
+        Route::resource('members', 'Teams\MembersController', ['only' => ['destroy', 'index']]);
     });
-    Route::post('teams/part', 'TeamsController@part')->name('teams.part');
     Route::resource('teams', 'TeamsController', ['only' => ['edit', 'show', 'update']]);
 
     Route::post('users/check-username-availability', 'UsersController@checkUsernameAvailability')->name('users.check-username-availability');