More logic for deleting databases

This commit is contained in:
Dane Everitt 2018-08-25 15:07:42 -07:00
parent 9be2aa4ca9
commit 0999ec93c3
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
5 changed files with 68 additions and 35 deletions


@ -1,27 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api\Client;
use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
class AuthenticateClientAccess
{
/**
* Authenticate that the currently authenticated user has permission
* to access the specified server.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle(Request $request, Closure $next)
{
if (is_null($request->user())) {
throw new AccessDeniedHttpException('This account does not have permission to access this resource.');
}
return $next($request);
}
}


@ -0,0 +1,57 @@
<?php
namespace Pterodactyl\Http\Middleware\Api\Client\Server;
use Closure;
use Illuminate\Http\Request;
use Pterodactyl\Models\Server;
use Pterodactyl\Contracts\Repository\ServerRepositoryInterface;
use Symfony\Component\HttpKernel\Exception\ConflictHttpException;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
class AuthenticateServerAccess
{
/**
* @var \Pterodactyl\Contracts\Repository\ServerRepositoryInterface
*/
private $repository;
/**
* AuthenticateServerAccess constructor.
*
* @param \Pterodactyl\Contracts\Repository\ServerRepositoryInterface $repository
*/
public function __construct(ServerRepositoryInterface $repository)
{
$this->repository = $repository;
}
/**
* Authenticate that this server exists and is not suspended or marked as installing.
*
* @param \Illuminate\Http\Request $request
* @param \Closure $next
* @return mixed
*/
public function handle(Request $request, Closure $next)
{
$server = $request->route()->parameter('server');
if (! $server instanceof Server) {
throw new NotFoundHttpException;
}
if ($server->suspended) {
throw new AccessDeniedHttpException('Cannot access a server that is marked as being suspended.');
}
if (! $server->isInstalled()) {
throw new ConflictHttpException('Server has not completed the installation process.');
}
$request->attributes->set('server', $server);
return $next($request);
}
}
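Review bot: Nothing in handle() ties the authenticated user to the server it exposes: the three guards check only that the route parameter is a Server, that it is not suspended, and that it is installed, so unless the `{server}` route-model binding is already scoped to `$request->user()` (the binding is not in this commit) any authenticated client can reach another user's server by guessing its identifier. Given the class is named AuthenticateServerAccess, I would add an explicit ownership/subuser check before `$request->attributes->set('server', $server)`, e.g. `if (is_null($request->user()) || ! $request->user()->can('view', $server)) { throw new AccessDeniedHttpException('This account does not have permission to access this resource.'); }`, adjusted to whatever ability the project's server policy actually defines. Separately, `$repository` is injected in the constructor but never read in handle(); either drop the constructor and the `ServerRepositoryInterface` import or use it for the lookup, so the dependency list reflects what the middleware does.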


@ -18,15 +18,10 @@ class DeleteDatabaseRequest extends ClientApiRequest implements ClientPermission
} }
/** /**
* Determine if the provided database even belongs to this server instance.
*
* @return bool * @return bool
*/ */
public function resourceExists(): bool public function resourceExists(): bool
{ {
$server = $this->getModel(Server::class); return $this->getModel(Server::class)->id === $this->getModel(Database::class)->server_id;
$database = $this->getModel(Database::class);
return $database->server_id === $server->id;
} }
} }


@ -143,6 +143,14 @@ class Server extends Model implements CleansAttributes, ValidableContract
return Schema::getColumnListing($this->getTable()); return Schema::getColumnListing($this->getTable());
} }
/**
* @return bool
*/
public function isInstalled(): bool
{
return $this->installed === 1;
}
/** /**
* Gets the user who owns the server. * Gets the user who owns the server.
* *
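Review bot: `isInstalled()` returns `$this->installed === 1`, which is only correct if the `installed` attribute is cast to an integer on this model; the model's `$casts` is outside this hunk, and if the attribute arrives as the string `'1'` every server reads as not installed and the new AuthenticateServerAccess middleware will answer 409 for all of them. Either confirm `'installed' => 'integer'` is present in `$casts`, or normalise before comparing: `return (int) $this->installed === 1;`. The docblock should also state the contract rather than only `@return bool`, e.g. `Returns true only when the installation flag is exactly 1; any other value (not started, failed) is treated as not installed.`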


@ -1,6 +1,6 @@
<?php <?php
use Pterodactyl\Http\Middleware\Api\Client\AuthenticateClientAccess; use Pterodactyl\Http\Middleware\Api\Client\Server\AuthenticateServerAccess;
/* /*
|-------------------------------------------------------------------------- |--------------------------------------------------------------------------
@ -27,7 +27,7 @@ Route::group(['prefix' => '/account'], function () {
| Endpoint: /api/client/servers/{server} | Endpoint: /api/client/servers/{server}
| |
*/ */
Route::group(['prefix' => '/servers/{server}', 'middleware' => [AuthenticateClientAccess::class]], function () { Route::group(['prefix' => '/servers/{server}', 'middleware' => [AuthenticateServerAccess::class]], function () {
Route::get('/', 'Servers\ServerController@index')->name('api.client.servers.view'); Route::get('/', 'Servers\ServerController@index')->name('api.client.servers.view');
Route::get('/utilization', 'Servers\ResourceUtilizationController@index') Route::get('/utilization', 'Servers\ResourceUtilizationController@index')
->name('api.client.servers.resources'); ->name('api.client.servers.resources');
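Review bot: Replacing AuthenticateClientAccess with AuthenticateServerAccess on the `/servers/{server}` group drops the only check in this commit that `$request->user()` is non-null, and the deleted class is not re-added anywhere, so the guard is gone rather than moved. The new middleware inspects only the server, which is fine if the enclosing client-API group (the top of this file is outside the hunk) already applies an authentication middleware, but if it does not these routes become reachable without a user. I would either fold a `$request->user()` check into AuthenticateServerAccess or add a comment on the group, `// Relies on the outer client API group enforcing authentication; this middleware only validates the server.`, so the assumption is visible to the next person editing the routes.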