remco/Atomcms-edit
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a7bd30fd34cf7f1a601418770755ac274897aaa9
Atomcms-edit/app/Http/Controllers/User/GuestbookController.php
T
root 4094f0fb14 Fix 40+ codebase issues: security, performance, duplication, dead code, and routes 
HIGH:
- Add missing import RadioSongRequestFormRequest (fixes crash on POST)
- Add Purify XSS sanitization for article full_story
- Fix duplicate radio API routes (/api/radio vs /api/radio/v2)
- Add try-catch guards in InstallationController for missing records

MEDIUM:
- Fix N+1: eager load comments.user in ArticleController::show()
- Fix GuestbookController authorization logic
- Remove dead doSetup() method and duplicate route
- Extract shared HasRadioDefaults trait (remove code duplication)
- Use named routes in ForceStaffTwoFactorMiddleware
- Fix WebsiteHelpCenterTicket::isOpen() (no permission leak)
- Enable  on WebsiteHelpCenterTicket (matches schema)
- Replace WebsiteTeam::all()->pluck() with direct pluck()
- Replace CatalogPage::all()->pluck() with direct pluck()
- Replace WebsiteBadge::all() with direct pluck()
- Add throttle middleware to guestbook store, logo-generator, radio embed

LOW:
- Remove unused imports
- Remove dead /inertia-test route
- Consolidate cache keys in RadioController
2026-06-08 18:56:34 +02:00

66 lines
2.2 KiB
PHP
Executable File
Raw Blame History

<?php
declare(strict_types=1);
namespace App\Http\Controllers\User;
use App\Http\Controllers\Controller;
use App\Http\Requests\GuestbookFormRequest;
use App\Models\User;
use App\Models\User\WebsiteUserGuestbook;
use Illuminate\Http\RedirectResponse;
use Illuminate\Support\Facades\Auth;
class GuestbookController extends Controller
{
public function store(User $user, GuestbookFormRequest $request): RedirectResponse
{
$this->validateGuestbookPost($user, $request);
$validated = $request->validated();
$user->profileGuestbook()->create([
'user_id' => Auth::id(),
'message' => $validated['message'],
]);
return redirect()->back()->with('success', __('Your message has been posted.'));
}
public function destroy(User $user, WebsiteUserGuestbook $guestbook): RedirectResponse
{
$isOwner = $guestbook->user_id === Auth::id();
$isProfileOwner = $guestbook->profile_id === $user->id;
$isStaff = Auth::user()->rank >= (int) setting('min_staff_rank');
if (! $isOwner && ! ($isProfileOwner && $isStaff)) {
return redirect()->back()->withErrors([
'message' => __('Do do not have permission to delete this message'),
]);
}
$guestbook->delete();
return redirect()->back()->with('success', __('Your message has been deleted.'));
}
private function validateGuestbookPost(User $user, GuestbookFormRequest $request): ?RedirectResponse
{
if ($user->id === $request->user()->id) {
return $this->redirectWithError(__('You cannot post a message on your own profile.'));
}
$maxAllowedPostCount = empty(setting('max_guestbook_posts_per_profile')) ? 3 : (int) setting('max_guestbook_posts_per_profile');
if ($user->profileGuestbook()->where('user_id', $request->user()->id)->count() >= $maxAllowedPostCount) {
return $this->redirectWithError(__('You have already posted :count messages on this profile.', ['count' => $maxAllowedPostCount]));
}
return null;
}
private function redirectWithError(string $message): RedirectResponse
{
return redirect()->back()->withErrors(['message' => $message]);
}
}
Reference in New Issue View Git Blame Copy Permalink