From 1f92a7de336e7508f337e9af874c83cb422f13d5 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sat, 28 Mar 2020 16:23:18 -0700
Subject: [PATCH] Authenticate that the request is coming from someone that should even know about the server
---
 .../Api/Client/Server/AuthenticateServerAccess.php | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/app/Http/Middleware/Api/Client/Server/AuthenticateServerAccess.php b/app/Http/Middleware/Api/Client/Server/AuthenticateServerAccess.php
index 800add18c..fe0ca5610 100644
--- a/app/Http/Middleware/Api/Client/Server/AuthenticateServerAccess.php
+++ b/app/Http/Middleware/Api/Client/Server/AuthenticateServerAccess.php
@@ -42,6 +42,16 @@ class AuthenticateServerAccess
 throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
 }
 
+ // At the very least, ensure that the user trying to make this request is the
+ // server owner, a subuser, or a root admin. We'll leave it up to the controllers
+ // to authenticate more detailed permissions if needed.
+ if ($request->user()->id !== $server->owner_id && ! $request->user()->root_admin) {
+ // Check for subuser status.
+ if (! $server->subusers->contains('user_id', $request->user()->id)) {
+ throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
+ }
+ }
+
 if ($server->suspended) {
 throw new AccessDeniedHttpException('Cannot access a server that is marked as being suspended.');
 }
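Review bot: The new owner/subuser check calls `$request->user()` three times and dereferences the result without a null guard, so if this middleware ever runs on a route where no user was resolved, `->id` on null is a fatal Error rather than a clean 401/404. Hoist it once, `$user = $request->user();`, use `$user->id` and `$user->root_admin` in the two conditions and the `contains()` call, and reject the null case with the same `NotFoundHttpException` (whether that ordering can occur depends on the route group, which is outside this hunk). The strict `!==` against `$server->owner_id` also relies on both ids being cast to the same scalar type on the model; if `owner_id` arrives as a string from the driver, every owner silently falls through to the subuser lookup. The comment should also record that a 404 is thrown deliberately instead of a 403 so the existence of the server is not disclosed to unrelated users, which is the point of the change. The enclosing method begins and ends outside this hunk.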