Authenticate that the request is coming from someone that should even know about the server

Dane Everitt 2020-03-28 16:23:18 -07:00
parent 5717a705a8
commit 1f92a7de33
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53


@ -42,6 +42,16 @@ class AuthenticateServerAccess
throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
}
// At the very least, ensure that the user trying to make this request is the
// server owner, a subuser, or a root admin. We'll leave it up to the controllers
// to authenticate more detailed permissions if needed.
if ($request->user()->id !== $server->owner_id && ! $request->user()->root_admin) {
// Check for subuser status.
if (! $server->subusers->contains('user_id', $request->user()->id)) {
throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
}
}
if ($server->suspended) {
throw new AccessDeniedHttpException('Cannot access a server that is marked as being suspended.');
}
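Review bot: The new ownership check `if ($request->user()->id !== $server->owner_id && ! $request->user()->root_admin)` dereferences `$request->user()` without confirming a user is bound, so if this middleware ever runs on a route without the auth middleware ahead of it (not visible in this hunk) the request ends in a null-dereference error rather than the intended 404. Binding it once with `$user = $request->user();` and throwing the same `NotFoundHttpException` when it is null would keep the gate fail-closed and the response uniform. The subuser test `$server->subusers->contains('user_id', ...)` loads the whole relation on every request; assuming `subusers` is an Eloquent relation, `$server->subusers()->where('user_id', $user->id)->exists()` answers the same question with one query. Any subuser passes this gate whatever their permission set, so the controllers behind it still need per-permission checks as the comment says, and a test asserting that a non-member gets the 404 would pin the behaviour. The enclosing method starts and ends outside the hunk.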