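$project]);
        // NOTE(review): index() begins above this chunk; its body is kept as found.
        $taskModel = Task::where([['project_id', $project], ['id', $task]])->firstOrFail();
        if (can('isDefiniteGuestInProject', ['project_id' => $project])) {
            // is guest in project (only guest)
            return $taskModel->assignee_id == \auth()->id()
                ? Comment::where([
                    ['business_id', $business],
                    ['project_id', $project],
                    ['task_id', $task],
                ])->get()
                : abort(Response::HTTP_FORBIDDEN); // not allowed
        } else {
            return Comment::where([
                ['business_id', $business],
                ['project_id', $project],
                ['task_id', $task],
            ])->get();
        }
    }

    /**
     * Request keys that must never reach mass assignment on a Comment.
     *
     * store() writes business_id/project_id/task_id/user_id through Comment::create(),
     * so they are fillable; if they were accepted from the request body on update,
     * a comment's owner could re-parent it to another business/project/task or
     * hand it to another user. The route parameters and the session are the only
     * source of truth for these columns.
     */
    private const PROTECTED_INPUT = ['_business_info', 'business_id', 'project_id', 'task_id', 'user_id'];

    /**
     * Query builder restricted to the comments of one task in one project/business.
     *
     * Every per-comment lookup goes through this so a comment id from another
     * task, project or business resolves to 404 instead of leaking data.
     */
    private function scopedComments($business, $project, $task)
    {
        return Comment::where([
            ['business_id', $business],
            ['project_id', $project],
            ['task_id', $task],
        ]);
    }

    /**
     * Load the task (404 if it is not in $project) and apply the guest rule:
     * a user who is a "definite guest" in the project may only reach comments on
     * tasks assigned to them. Aborts with 403 otherwise.
     *
     * Compares ids as integers and refuses a null assignee so an unassigned task
     * never matches a missing/null auth id.
     */
    private function authorizeTaskAccess($project, $task): void
    {
        $taskModel = Task::where([['project_id', $project], ['id', $task]])->firstOrFail();

        if (!can('isDefiniteGuestInProject', ['project_id' => $project])) {
            return; // full members are already covered by permit('projectAccess')
        }

        $userId = \auth()->id();
        $isAssignee = $taskModel->assignee_id !== null
            && $userId !== null
            && (int) $taskModel->assignee_id === (int) $userId;

        if (!$isAssignee) {
            abort(Response::HTTP_FORBIDDEN); // not allowed
        }
    }

    /**
     * Create a comment on $task.
     *
     * Requires project access; guests may only comment on tasks assigned to them.
     * Ownership/scoping columns are taken from the route and the session, never
     * from the body, which is otherwise passed through to mass assignment as before.
     *
     * @return Comment the newly created model
     */
    public function store($business, $project, $task, Request $request)
    {
        permit('projectAccess', ['project_id' => $project]);
        $this->authorizeTaskAccess($project, $task);

        return Comment::create(array_merge(
            $request->except(self::PROTECTED_INPUT),
            [
                'business_id' => $business,
                'project_id' => $project,
                'task_id' => $task,
                'user_id' => \auth()->id(),
            ]
        ));
    }

    /**
     * Show one comment of $task.
     *
     * The lookup is scoped to the business/project/task in the URL: a bare
     * Comment::findOrFail($comment) would let any project member (or a guest
     * who is the task's assignee) read comments belonging to other tasks,
     * projects and businesses by guessing ids.
     *
     * @return Comment
     */
    public function show($business, $project, $task, $comment)
    {
        permit('projectAccess', ['project_id' => $project]);
        $this->authorizeTaskAccess($project, $task);

        return $this->scopedComments($business, $project, $task)->findOrFail($comment);
    }

    /**
     * Update one of the caller's own comments on $task.
     *
     * 404 if the comment is not on this task/project/business, 403 if the
     * caller is not its author. Scoping/ownership columns are stripped from
     * the input before mass assignment (see PROTECTED_INPUT).
     *
     * @return Comment the updated model
     */
    public function update($business, $project, $task, $comment, Request $request)
    {
        permit('projectAccess', ['project_id' => $project]);
        $commentModel = $this->scopedComments($business, $project, $task)->findOrFail($comment);

        if ((int) $commentModel->user_id !== (int) \auth()->id()) {
            return abort(Response::HTTP_FORBIDDEN); // not allowed
        }

        $commentModel->update($request->except(self::PROTECTED_INPUT));

        return $commentModel;
    }

    /**
     * Delete one of the caller's own comments on $task.
     *
     * 404 if the comment is not on this task/project/business, 403 if the
     * caller is not its author.
     *
     * @return \Illuminate\Http\JsonResponse
     */
    public function destroy($business, $project, $task, $comment)
    {
        permit('projectAccess', ['project_id' => $project]);
        $commentModel = $this->scopedComments($business, $project, $task)->findOrFail($comment);

        if ((int) $commentModel->user_id !== (int) \auth()->id()) {
            return abort(Response::HTTP_FORBIDDEN); // not allowed
        }

        $commentModel->delete();

        return \response()->json(['message' => 'comment deleted successfully.'], Response::HTTP_OK);
    }
}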