From 18fce3756554b216d414d0b81d4bcc3b90b873c4 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sun, 11 Oct 2020 15:13:17 -0700
Subject: [PATCH] Fix subuser permissions not migrating correctly from 0.7; closes #2309
---
app/Models/Permission.php | 76 ------------------
..._merge_permissions_table_into_subusers.php | 77 +++++++++++++++++--
2 files changed, 71 insertions(+), 82 deletions(-)
diff --git a/app/Models/Permission.php b/app/Models/Permission.php
index f870866e2..96429f31c 100644
--- a/app/Models/Permission.php
+++ b/app/Models/Permission.php
@@ -219,80 +219,4 @@ class Permission extends Model { return Collection::make(self::$permissions); } - - /** - * A list of all permissions available for a user. - * - * @var array - * @deprecated - */ - protected static $deprecatedPermissions = [ - 'power' => [ - 'power-start' => 's:power:start', - 'power-stop' => 's:power:stop', - 'power-restart' => 's:power:restart', - 'power-kill' => 's:power:kill', - 'send-command' => 's:command', - ], - 'subuser' => [ - 'list-subusers' => null, - 'view-subuser' => null, - 'edit-subuser' => null, - 'create-subuser' => null, - 'delete-subuser' => null, - ], - 'server' => [ - 'view-allocations' => null, - 'edit-allocation' => null, - 'view-startup' => null, - 'edit-startup' => null, - ], - 'database' => [ - 'view-databases' => null, - 'reset-db-password' => null, - 'delete-database' => null, - 'create-database' => null, - ], - 'file' => [ - 'access-sftp' => null, - 'list-files' => 's:files:get', - 'edit-files' => 's:files:read', - 'save-files' => 's:files:post', - 'move-files' => 's:files:move', - 'copy-files' => 's:files:copy', - 'compress-files' => 's:files:compress', - 'decompress-files' => 's:files:decompress', - 'create-files' => 's:files:create', - 'upload-files' => 's:files:upload', - 'delete-files' => 's:files:delete', - 'download-files' => 's:files:download', - ], - 'task' => [ - 'list-schedules' => null, - 'view-schedule' => null, - 'toggle-schedule' => null, - 'queue-schedule' => null, - 'edit-schedule' => null, - 'create-schedule' => null, - 'delete-schedule' => null, - ], - ]; - - /** - * Return a collection of permissions available. - * - * @param bool $array - * @return array|\Illuminate\Database\Eloquent\Collection - * @deprecated - */ - public static function getPermissions($array = false) - { - if ($array) { - return collect(self::$deprecatedPermissions)->mapWithKeys(function ($item) { - return $item; - })->all(); - } - - return collect(self::$deprecatedPermissions); - } } 
diff --git a/database/migrations/2020_03_22_163911_merge_permissions_table_into_subusers.php b/database/migrations/2020_03_22_163911_merge_permissions_table_into_subusers.php
index 621c9526b..67461ecc8 100644
--- a/database/migrations/2020_03_22_163911_merge_permissions_table_into_subusers.php
+++ b/database/migrations/2020_03_22_163911_merge_permissions_table_into_subusers.php
@@ -1,12 +1,64 @@ P::ACTION_CONTROL_START, + 'power-stop' => P::ACTION_CONTROL_STOP, + 'power-restart' => P::ACTION_CONTROL_RESTART, + 'power-kill' => P::ACTION_CONTROL_STOP, + 'send-command' => P::ACTION_CONTROL_CONSOLE, + 'list-subusers' => P::ACTION_USER_READ, + 'view-subuser' => P::ACTION_USER_READ, + 'edit-subuser' => P::ACTION_USER_UPDATE, + 'create-subuser' => P::ACTION_USER_CREATE, + 'delete-subuser' => P::ACTION_USER_DELETE, + 'view-allocations' => P::ACTION_ALLOCATION_READ, + 'edit-allocation' => P::ACTION_ALLOCATION_UPDATE, + 'view-startup' => P::ACTION_STARTUP_READ, + 'edit-startup' => P::ACTION_STARTUP_UPDATE, + 'view-databases' => P::ACTION_DATABASE_READ, + // Better to just break this flow a bit than accidentally grant a dangerous permission. + 'reset-db-password' => P::ACTION_DATABASE_UPDATE, + 'delete-database' => P::ACTION_DATABASE_DELETE, + 'create-database' => P::ACTION_DATABASE_CREATE, + 'access-sftp' => P::ACTION_FILE_SFTP, + 'list-files' => P::ACTION_FILE_READ, + 'edit-files' => P::ACTION_FILE_READ_CONTENT, + 'save-files' => P::ACTION_FILE_UPDATE, + 'create-files' => P::ACTION_FILE_CREATE, + 'delete-files' => P::ACTION_FILE_DELETE, + 'compress-files' => P::ACTION_FILE_ARCHIVE, + 'list-schedules' => P::ACTION_SCHEDULE_READ, + 'view-schedule' => P::ACTION_SCHEDULE_READ, + 'edit-schedule' => P::ACTION_SCHEDULE_UPDATE, + 'create-schedule' => P::ACTION_SCHEDULE_CREATE, + 'delete-schedule' => P::ACTION_SCHEDULE_DELETE, + // Skipping these permissions as they are granted if you have more specific read/write permissions. + 'move-files' => null, + 'copy-files' => null, + 'decompress-files' => null, + 'upload-files' => null, + 'download-files' => null, + // These permissions do not exist in 1.0 + 'toggle-schedule' => null, + 'queue-schedule' => null, + ]; + /** * Run the migrations. * 
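Review bot: The comment above `'reset-db-password' => P::ACTION_DATABASE_UPDATE` says a dangerous permission is being withheld but never names it, so a later editor of this map cannot tell which grant has to stay out. Presumably the withheld right is viewing a database password; if so, state it, e.g. `// Maps to update only: the right to view database passwords is intentionally not migrated and must be re-granted by hand.` The entries that collapse onto one value (`power-stop`/`power-kill`, `list-subusers`/`view-subuser`, `list-schedules`/`view-schedule`) deserve a one-line comment that the many-to-one mapping is deliberate, since `down()` has to reverse it. The start of the file and the rest of the class lie outside what this hunk shows.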
@@ -27,10 +79,19 @@ class MergePermissionsTableIntoSubusers extends Migration DB::transaction(function () use (&$cursor) { $cursor->each(function ($datum) { - DB::update('UPDATE subusers SET permissions = ? WHERE id = ?', [ - json_encode(explode(',', $datum->permissions)), - $datum->subuser_id, - ]); + $updated = Collection::make(explode(',', $datum->permissions)) + ->map(function ($value) { + return self::$permissionsMap[$value] ?? null; + })->filter(function ($value) { + return !is_null($value) && $value !== Permission::ACTION_WEBSOCKET_CONNECT; + }) + // All subusers get this permission, so make sure it gets pushed into the array. + ->merge([ Permission::ACTION_WEBSOCKET_CONNECT ]) + ->unique() + ->values() + ->toJson(); + + DB::update('UPDATE subusers SET permissions = ? WHERE id = ?', [$updated, $datum->subuser_id]); }); }); } @@ -42,11 +103,15 @@ class MergePermissionsTableIntoSubusers extends Migration */ public function down() { + $flipped = array_flip(self::$permissionsMap); + foreach (DB::select('SELECT id, permissions FROM subusers') as $datum) { $values = []; foreach (json_decode($datum->permissions, true) as $permission) { - $values[] = $datum->id; - $values[] = $permission; + if (!empty($v = $flipped[$permission])) { + $values[] = $datum->id; + $values[] = $v; + } } if (! empty($values)) {
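Review bot: Editing this already-released migration in place only helps installs that have not run it yet; a panel that migrated with the previous body (`json_encode(explode(',', $datum->permissions))`) already has the 0.7 names stored in `subusers.permissions` and will not execute this file again. Those rows presumably fail closed, since a legacy name such as `power-start` should match none of the new permission strings, but the affected subusers stay without access until someone re-grants by hand. Unless a repair exists elsewhere, a separate follow-up migration that applies the same map to existing rows would cover them. Names absent from `$permissionsMap` are dropped silently by `?? null`; a comment saying this is the intended safe default would help. The body of `up()` starts outside this hunk.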
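Review bot: `array_flip(self::$permissionsMap)` in `down()` is handed the `null` entries of the map, for which PHP raises a warning and skips the entry, and `$flipped[$permission]` is read without a default although `up()` now adds `Permission::ACTION_WEBSOCKET_CONNECT` to every subuser and that value is not a key of the flipped map. `empty()` does not suppress the undefined-key notice here because it wraps an assignment, so under Laravel's default error handling the rollback would likely abort on the first subuser. I would write `$flipped = array_flip(array_filter(self::$permissionsMap));` and `$v = $flipped[$permission] ?? null;` followed by `if ($v !== null) {`. Flipping a many-to-one map also keeps only the last legacy name, so `P::ACTION_CONTROL_STOP` rolls back to `power-kill` alone and never to `power-stop`. `down()` continues past the end of the hunk.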