2018-01-12 04:49:46 +00:00
|
|
|
<?php
|
|
|
|
|
2018-01-20 01:58:57 +00:00
|
|
|
namespace Pterodactyl\Http\Requests\Api\Application;
|
2018-01-12 04:49:46 +00:00
|
|
|
|
2018-01-14 18:06:15 +00:00
|
|
|
use Pterodactyl\Models\ApiKey;
|
2018-01-27 18:38:56 +00:00
|
|
|
use Illuminate\Database\Eloquent\Model;
|
2018-01-20 01:58:57 +00:00
|
|
|
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
2018-01-12 04:49:46 +00:00
|
|
|
use Illuminate\Foundation\Http\FormRequest;
|
|
|
|
use Pterodactyl\Exceptions\PterodactylException;
|
2018-01-27 18:38:56 +00:00
|
|
|
use Pterodactyl\Http\Middleware\Api\ApiSubstituteBindings;
|
2018-01-12 04:49:46 +00:00
|
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
|
|
|
|
2018-01-20 03:47:06 +00:00
|
|
|
abstract class ApplicationApiRequest extends FormRequest
|
2018-01-12 04:49:46 +00:00
|
|
|
{
|
|
|
|
/**
|
|
|
|
* The resource that should be checked when performing the authorization
|
|
|
|
* function for this request.
|
|
|
|
*
|
|
|
|
* @var string|null
|
|
|
|
*/
|
|
|
|
protected $resource;
|
|
|
|
|
|
|
|
/**
|
|
|
|
* The permission level that a given API key should have for accessing
|
|
|
|
* the defined $resource during the request cycle.
|
|
|
|
*
|
|
|
|
* @var int
|
|
|
|
*/
|
2018-01-20 01:58:57 +00:00
|
|
|
protected $permission = AdminAcl::NONE;
|
2018-01-12 04:49:46 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* Determine if the current user is authorized to perform
|
|
|
|
* the requested action aganist the API.
|
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*
|
|
|
|
* @throws \Pterodactyl\Exceptions\PterodactylException
|
|
|
|
*/
|
|
|
|
public function authorize(): bool
|
|
|
|
{
|
|
|
|
if (is_null($this->resource)) {
|
|
|
|
throw new PterodactylException('An ACL resource must be defined on API requests.');
|
|
|
|
}
|
|
|
|
|
2018-01-20 01:58:57 +00:00
|
|
|
return AdminAcl::check($this->key(), $this->resource, $this->permission);
|
2018-01-12 04:49:46 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Determine if the requested resource exists on the server.
|
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*/
|
|
|
|
public function resourceExists(): bool
|
|
|
|
{
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Default set of rules to apply to API requests.
|
|
|
|
*
|
|
|
|
* @return array
|
|
|
|
*/
|
|
|
|
public function rules(): array
|
|
|
|
{
|
|
|
|
return [];
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Return the API key being used for the request.
|
|
|
|
*
|
2018-01-14 18:06:15 +00:00
|
|
|
* @return \Pterodactyl\Models\ApiKey
|
2018-01-12 04:49:46 +00:00
|
|
|
*/
|
2018-01-14 18:06:15 +00:00
|
|
|
public function key(): ApiKey
|
2018-01-12 04:49:46 +00:00
|
|
|
{
|
|
|
|
return $this->attributes->get('api_key');
|
|
|
|
}
|
|
|
|
|
2018-01-27 18:38:56 +00:00
|
|
|
/**
|
|
|
|
* Grab a model from the route parameters. If no model exists under
|
|
|
|
* the specified key a default response is returned.
|
|
|
|
*
|
|
|
|
* @param string $model
|
|
|
|
* @param mixed $default
|
|
|
|
* @return mixed
|
|
|
|
*/
|
|
|
|
public function getModel(string $model, $default = null)
|
|
|
|
{
|
|
|
|
$parameterKey = array_get(array_flip(ApiSubstituteBindings::getMappings()), $model);
|
|
|
|
|
|
|
|
if (! is_null($parameterKey)) {
|
|
|
|
$model = $this->route()->parameter($parameterKey);
|
|
|
|
}
|
|
|
|
|
|
|
|
return $model ?? $default;
|
|
|
|
}
|
|
|
|
|
2018-01-26 04:34:53 +00:00
|
|
|
/*
|
2018-01-12 04:49:46 +00:00
|
|
|
* Determine if the request passes the authorization check as well
|
|
|
|
* as the exists check.
|
|
|
|
*
|
|
|
|
* @return bool
|
|
|
|
*
|
|
|
|
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
|
|
|
|
*/
|
2018-01-26 04:34:53 +00:00
|
|
|
|
|
|
|
/**
|
|
|
|
* @return bool
|
|
|
|
*/
|
2018-01-12 04:49:46 +00:00
|
|
|
protected function passesAuthorization()
|
|
|
|
{
|
2018-01-26 04:34:53 +00:00
|
|
|
if (! parent::passesAuthorization()) {
|
|
|
|
return false;
|
|
|
|
}
|
2018-01-12 04:49:46 +00:00
|
|
|
|
|
|
|
// Only let the user know that a resource does not exist if they are
|
|
|
|
// authenticated to access the endpoint. This avoids exposing that
|
|
|
|
// an item exists (or does not exist) to the user until they can prove
|
|
|
|
// that they have permission to know about it.
|
2018-01-26 04:34:53 +00:00
|
|
|
if ($this->attributes->get('is_missing_model', false) || ! $this->resourceExists()) {
|
2018-02-08 03:56:11 +00:00
|
|
|
throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
|
2018-01-12 04:49:46 +00:00
|
|
|
}
|
|
|
|
|
2018-01-26 04:34:53 +00:00
|
|
|
return true;
|
2018-01-12 04:49:46 +00:00
|
|
|
}
|
|
|
|
}
|