Don't return things a user shouldn't be able to see via the API includes

This commit is contained in:
Dane Everitt 2020-08-22 16:54:12 -07:00
parent 9b16f5883c
commit 1b69d82daa
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
2 changed files with 28 additions and 8 deletions


@ -4,6 +4,7 @@ namespace Pterodactyl\Transformers\Api\Client;
use Pterodactyl\Models\Database;
use League\Fractal\Resource\Item;
use Pterodactyl\Models\Permission;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Contracts\Extensions\HashidsInterface;
@ -65,12 +66,16 @@ class DatabaseTransformer extends BaseClientTransformer
/**
* Include the database password in the request.
*
* @param \Pterodactyl\Models\Database $model
* @return \League\Fractal\Resource\Item
* @param \Pterodactyl\Models\Database $database
* @return \League\Fractal\Resource\Item|\League\Fractal\Resource\NullResource
*/
public function includePassword(Database $model): Item
public function includePassword(Database $database): Item
{
return $this->item($model, function (Database $model) {
if (!$this->getUser()->can(Permission::ACTION_DATABASE_VIEW_PASSWORD, $database->server)) {
return $this->null();
}
return $this->item($database, function (Database $model) {
return [
'password' => $this->encrypter->decrypt($model->password),
];
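Review bot: The new permission guard returns `$this->null()` (a `League\Fractal\Resource\NullResource`) but the signature on the line above still declares `: Item`, so a caller without `Permission::ACTION_DATABASE_VIEW_PASSWORD` gets a `TypeError` rather than an empty include — `NullResource` and `Item` are siblings under `ResourceAbstract`, not parent and child. Only the docblock was widened to `Item|NullResource`; the native return type has to match it, and since union return types need PHP 8.0 the practical change is to drop the declaration: `public function includePassword(Database $database)`. The closure parameter is still named `$model` while the outer parameter was renamed to `$database`; harmless, but worth aligning for readability. The method body continues past the end of this hunk.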


@ -6,10 +6,10 @@ use Pterodactyl\Models\Egg;
use Pterodactyl\Models\Server;
use Pterodactyl\Models\Subuser;
use Pterodactyl\Models\Allocation;
use Pterodactyl\Models\Permission;
use Illuminate\Container\Container;
use Pterodactyl\Models\EggVariable;
use Pterodactyl\Services\Servers\StartupCommandService;
use Pterodactyl\Transformers\Api\Client\EggVariableTransformer;
class ServerTransformer extends BaseClientTransformer
{
@ -76,11 +76,16 @@ class ServerTransformer extends BaseClientTransformer
* Returns the allocations associated with this server.
*
* @param \Pterodactyl\Models\Server $server
* @return \League\Fractal\Resource\Collection
* @return \League\Fractal\Resource\Collection|\League\Fractal\Resource\NullResource
*
* @throws \Pterodactyl\Exceptions\Transformer\InvalidTransformerLevelException
*/
public function includeAllocations(Server $server)
{
if (! $this->getUser()->can(Permission::ACTION_ALLOCATION_READ, $server)) {
return $this->null();
}
return $this->collection(
$server->allocations,
$this->makeTransformer(AllocationTransformer::class),
@ -90,11 +95,16 @@ class ServerTransformer extends BaseClientTransformer
/**
* @param \Pterodactyl\Models\Server $server
* @return \League\Fractal\Resource\Collection
* @return \League\Fractal\Resource\Collection|\League\Fractal\Resource\NullResource
*
* @throws \Pterodactyl\Exceptions\Transformer\InvalidTransformerLevelException
*/
public function includeVariables(Server $server)
{
if (! $this->getUser()->can(Permission::ACTION_STARTUP_READ, $server)) {
return $this->null();
}
return $this->collection(
$server->variables->where('user_viewable', true),
$this->makeTransformer(EggVariableTransformer::class),
@ -118,11 +128,16 @@ class ServerTransformer extends BaseClientTransformer
* Returns the subusers associated with this server.
*
* @param \Pterodactyl\Models\Server $server
* @return \League\Fractal\Resource\Collection
* @return \League\Fractal\Resource\Collection|\League\Fractal\Resource\NullResource
*
* @throws \Pterodactyl\Exceptions\Transformer\InvalidTransformerLevelException
*/
public function includeSubusers(Server $server)
{
if (! $this->getUser()->can(Permission::ACTION_USER_READ, $server)) {
return $this->null();
}
return $this->collection($server->subusers, $this->makeTransformer(SubuserTransformer::class), Subuser::RESOURCE_NAME);
}
}
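Review bot: The three updated docblocks (`includeAllocations`, `includeVariables`, `includeSubusers`) now advertise a `Collection|NullResource` return but do not say when the null resource is produced, so an API consumer reading the transformer cannot tell a permission denial from a server with no allocations, variables or subusers. Add a sentence to each, e.g. for the first: `* A NullResource is returned when the requesting user lacks Permission::ACTION_ALLOCATION_READ on the server.`, and the matching constant for the other two. The guards also assume `$this->getUser()` always yields a user; if the base transformer can be invoked without one set (an admin or internal context), the `can()` call would fault rather than deny — presumably the base class enforces this, but it is worth confirming. Minor style point: this file writes `! $this->getUser()` with a space while the DatabaseTransformer hunk writes `!$this->getUser()`; pick one form for both files.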