diff --git a/app/Http/Controllers/AdminController.php b/app/Http/Controllers/AdminController.php
index 71f0d8a1..f75a5df7 100644
--- a/app/Http/Controllers/AdminController.php
+++ b/app/Http/Controllers/AdminController.php
@@ -227,8 +227,13 @@ class AdminController extends Controller
 $action = $request->input('action');
 $user = $users->get($request->input('uid'));
- if (!$user)
+ if (! $user) {
 return json(trans('admin.users.operations.non-existent'), 1);
+ }
+
+ if ($user->permission >= app('user.current')->permission) {
+ return json(trans('admin.users.operations.no-permission'), 1);
+ }
 if ($action == "email") {
 $this->validate($request, [
@@ -250,7 +255,9 @@ class AdminController extends Controller
 $user->setNickName($request->input('nickname'));
- return json(trans('admin.users.operations.nickname.success', ['new' => $request->input('nickname')]), 0);
+ return json(trans('admin.users.operations.nickname.success', [
+ 'new' => $request->input('nickname')
+ ]), 0);
 } elseif ($action == "password") {
 $this->validate($request, [
@@ -271,13 +278,6 @@ class AdminController extends Controller
 return json(trans('admin.users.operations.score.success'), 0);
 } elseif ($action == "ban") {
- if ($user->getPermission() == User::ADMIN) {
- if (app('user.current')->getPermission() != User::SUPER_ADMIN)
- return json(trans('admin.users.operations.ban.cant-admin'));
- } elseif ($user->getPermission() == User::SUPER_ADMIN) {
- return json(trans('admin.users.operations.ban.cant-super-admin'));
- }
-
-
 $permission = $user->getPermission() == User::BANNED ? User::NORMAL : User::BANNED;
 $user->setPermission($permission);
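Review bot: The new gate `if ($user->permission >= app('user.current')->permission)` in the first hunk refuses every action for a target at the operator's own level, which includes the operator's own account when `uid` is the current user; before this change email, nickname, password and score edits on such an account went through, so if self-edits via this endpoint were relied on this is a behaviour change worth confirming. The check also silently depends on the permission constants being numerically ordered (BANNED below NORMAL below ADMIN below SUPER_ADMIN, as far as the toggles in this file suggest), and a comment such as `// Permission levels are ordered: an operator may only act on accounts strictly below their own level.` would make that contract explicit. A minor style point: the gate reads the `permission` attribute directly while the rest of the method goes through `getPermission()`; using one accessor consistently keeps the comparison tied to whatever normalisation that getter does. The enclosing method starts and ends outside these hunks.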
@@ -289,12 +289,6 @@ class AdminController extends Controller
 ]);
 } elseif ($action == "admin") {
- if (app('user.current')->getPermission() != User::SUPER_ADMIN)
- return json(trans('admin.users.operations.admin.cant-set'));
-
- if ($user->getPermission() == User::SUPER_ADMIN)
- return json(trans('admin.users.operations.admin.cant-unset'));
-
 $permission = $user->getPermission() == User::ADMIN ? User::NORMAL : User::ADMIN;
 $user->setPermission($permission);
@@ -321,8 +315,13 @@ class AdminController extends Controller
 $player = Player::find($request->input('pid'));
- if (!$player)
+ if (! $player) {
 abort(404, trans('general.unexistent-player'));
+ }
+
+ if ($player->user->permission >= app('user.current')->permission) {
+ return json(trans('admin.players.no-permission'), 1);
+ }
 if ($action == "preference") {
 $this->validate($request, [
diff --git a/resources/lang/en/admin.yml b/resources/lang/en/admin.yml
index 9ba256e7..153f9858 100644
--- a/resources/lang/en/admin.yml
+++ b/resources/lang/en/admin.yml
@@ -17,6 +17,7 @@ users:
 operations:
 title: Operations
 non-existent: No such user.
+ no-permission: You have no permission to operate this user.
 email:
 change: Edit Email
 existed: :email is existed.
@@ -36,8 +37,6 @@ users:
 unset:
 text: Remove Admin
 success: The account's admin privilege has been removed.
- cant-set: Only super admins can do the operation
- cant-unset: Can't remove super admin privilege
 ban:
 ban:
 text: Ban
@@ -54,6 +53,7 @@ users:
 cant-admin: You can't delete admins.
 players:
+ no-permission: You have no permission to operate this player.
 operations:
 title: Operations
 preference:
diff --git a/resources/lang/zh_CN/admin.yml b/resources/lang/zh_CN/admin.yml
index a509be62..37cf113d 100644
--- a/resources/lang/zh_CN/admin.yml
+++ b/resources/lang/zh_CN/admin.yml
@@ -17,6 +17,7 @@ users:
 operations:
 title: 更多操作
 non-existent: 用户不存在
+ no-permission: 你无权操作此用户
 email:
 change: 修改邮箱
 existed: :email 已被占用
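Review bot: Dropping the `!= User::SUPER_ADMIN` check in the "admin" branch widens who can grant admin: the generic gate added earlier in the method only requires the target to be strictly below the operator, so an ADMIN acting on a NORMAL user passes it and `$permission = ... User::NORMAL : User::ADMIN` promotes that user to ADMIN, whereas before only a super admin could do this. The removed `cant-unset` check is covered by the gate (no operator is strictly above a super admin), but the `cant-set` check is not and should come back in this branch, e.g. `if (app('user.current')->getPermission() != User::SUPER_ADMIN) {` / `    return json(trans('admin.users.operations.admin.cant-set'), 1);` / `}`. Note the `admin.cant-set` string is deleted from both language files in this same commit, so restoring the check also means restoring that key or pointing it at the new `no-permission` message. The enclosing method starts and ends outside this hunk.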
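Review bot: `$player->user->permission` in the player hunk dereferences the owner relation without a null check, so if a player row can outlive its user (account deleted, dangling uid) the admin route fails with a fatal error instead of a JSON reply; guarding it as `if (! $player->user || $player->user->permission >= app('user.current')->permission) {` keeps the refusal path uniform. Whether orphaned players can occur depends on the model's deletion rules, which are not visible here. As a point of style, the two rejection paths now differ in shape: a missing player `abort(404, ...)`s while the permission refusal returns `json(..., 1)`, and it is worth confirming the front end handles both for this endpoint. The enclosing method starts and ends outside this hunk.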
@@ -36,8 +37,6 @@ users:
 unset:
 text: 解除管理员
 success: 账号已被解除管理员
- cant-set: 非超级管理员无法进行此操作
- cant-unset: 无法解除超级管理员
 ban:
 ban:
 text: 封禁
@@ -54,6 +53,7 @@ users:
 cant-admin: 你不能删除管理员账号哦
 players:
+ no-permission: 你无权操作此角色
 operations:
 title: 更多操作
 preference: