Fix authorization checking for subusers

app/Models/User.php

@@ -37,9 +37,7 @@ use Pterodactyl\Notifications\SendPasswordReset as ResetPasswordNotification;
  *
  * @property string $name
  * @property \Pterodactyl\Models\ApiKey[]|\Illuminate\Database\Eloquent\Collection $apiKeys
- * @property \Pterodactyl\Models\Permission[]|\Illuminate\Database\Eloquent\Collection $permissions
  * @property \Pterodactyl\Models\Server[]|\Illuminate\Database\Eloquent\Collection $servers
- * @property \Pterodactyl\Models\Subuser[]|\Illuminate\Database\Eloquent\Collection $subuserOf
  * @property \Pterodactyl\Models\DaemonKey[]|\Illuminate\Database\Eloquent\Collection $keys
  */
 class User extends Validable implements
@@ -220,16 +218,6 @@ class User extends Validable implements
         return trim($this->name_first . ' ' . $this->name_last);
     }
 
-    /**
-     * Returns all permissions that a user has.
-     *
-     * @return \Illuminate\Database\Eloquent\Relations\HasManyThrough
-     */
-    public function permissions()
-    {
-        return $this->hasManyThrough(Permission::class, Subuser::class);
-    }
-
     /**
      * Returns all servers that a user owns.
      *
@@ -240,16 +228,6 @@ class User extends Validable implements
         return $this->hasMany(Server::class, 'owner_id');
     }
 
-    /**
-     * Return all servers that user is listed as a subuser of directly.
-     *
-     * @return \Illuminate\Database\Eloquent\Relations\HasMany
-     */
-    public function subuserOf()
-    {
-        return $this->hasMany(Subuser::class);
-    }
-
     /**
      * Return all of the daemon keys that a user belongs to.
      *

app/Policies/ServerPolicy.php

@@ -1,21 +1,29 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Policies;
 
-use Cache;
+use Carbon\Carbon;
-use Carbon;
 use Pterodactyl\Models\User;
 use Pterodactyl\Models\Server;
+use Illuminate\Contracts\Cache\Repository as CacheRepository;
 
 class ServerPolicy
 {
+    /**
+     * @var \Illuminate\Contracts\Cache\Repository
+     */
+    private $cache;
+
+    /**
+     * ServerPolicy constructor.
+     *
+     * @param \Illuminate\Contracts\Cache\Repository $cache
+     */
+    public function __construct(CacheRepository $cache)
+    {
+        $this->cache = $cache;
+    }
+
     /**
      * Checks if the user has the given permission on/for the server.
      *
@@ -26,13 +34,16 @@ class ServerPolicy
      */
     protected function checkPermission(User $user, Server $server, $permission)
     {
-        $permissions = Cache::remember('ServerPolicy.' . $user->uuid . $server->uuid, Carbon::now()->addSeconds(5), function () use ($user, $server) {
+        $key = sprintf('ServerPolicy.%s.%s', $user->uuid, $server->uuid);
-            return $user->permissions()->server($server)->get()->transform(function ($item) {
+
-                return $item->permission;
+        $permissions = $this->cache->remember($key, Carbon::now()->addSeconds(5), function () use ($user, $server) {
-            })->values();
+            /** @var \Pterodactyl\Models\Subuser|null $subuser */
+            $subuser = $server->subusers()->where('user_id', $user->id)->first();
+
+            return $subuser ? $subuser->permissions : [];
         });
 
-        return $permissions->search($permission, true) !== false;
+        return in_array($permission, $permissions);
     }
 
     /**