Validate resource existence before validating data sent

This commit is contained in:
Dane Everitt 2018-03-01 20:00:14 -06:00
parent 070239abcf
commit 5f6c153537
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
3 changed files with 34 additions and 14 deletions


@ -10,6 +10,9 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
* Fix validation error returned when no environment variables are passed, even if there are no variables required. * Fix validation error returned when no environment variables are passed, even if there are no variables required.
* Fix improper permissions on `PATCH /api/servers/<id>/startup` endpoint which was preventing enditing any start variables. * Fix improper permissions on `PATCH /api/servers/<id>/startup` endpoint which was preventing enditing any start variables.
### Changed
* Changes order that validation of resource existence occurs in API requests to not try and use a non-existent model when validating data.
### Added ### Added
* Adds back client API for sending commands or power toggles to a server though the Panel API: `/api/client/servers/<identifier>` * Adds back client API for sending commands or power toggles to a server though the Panel API: `/api/client/servers/<identifier>`
* Added proper transformer for Packs and re-enabled missing includes on server. * Added proper transformer for Packs and re-enabled missing includes on server.


@ -3,7 +3,6 @@
namespace Pterodactyl\Http\Requests\Api\Application; namespace Pterodactyl\Http\Requests\Api\Application;
use Pterodactyl\Models\ApiKey; use Pterodactyl\Models\ApiKey;
use Illuminate\Database\Eloquent\Model;
use Pterodactyl\Services\Acl\Api\AdminAcl; use Pterodactyl\Services\Acl\Api\AdminAcl;
use Illuminate\Foundation\Http\FormRequest; use Illuminate\Foundation\Http\FormRequest;
use Pterodactyl\Exceptions\PterodactylException; use Pterodactyl\Exceptions\PterodactylException;
@ -13,6 +12,14 @@ use Symfony\Component\Routing\Exception\InvalidParameterException;
abstract class ApplicationApiRequest extends FormRequest abstract class ApplicationApiRequest extends FormRequest
{ {
/**
* Tracks if the request has been validated internally or not to avoid
* making duplicate validation calls.
*
* @var bool
*/
private $hasValidated = false;
/** /**
* The resource that should be checked when performing the authorization * The resource that should be checked when performing the authorization
* function for this request. * function for this request.
@ -96,6 +103,21 @@ abstract class ApplicationApiRequest extends FormRequest
return $this->route()->parameter($parameterKey); return $this->route()->parameter($parameterKey);
} }
/**
* Validate that the resource exists and can be accessed prior to booting
* the validator and attempting to use the data.
*
* @throws \Illuminate\Auth\Access\AuthorizationException
*/
protected function prepareForValidation()
{
if (! $this->passesAuthorization()) {
$this->failedAuthorization();
}
$this->hasValidated = true;
}
/* /*
* Determine if the request passes the authorization check as well * Determine if the request passes the authorization check as well
* as the exists check. * as the exists check.
@ -110,6 +132,14 @@ abstract class ApplicationApiRequest extends FormRequest
*/ */
protected function passesAuthorization() protected function passesAuthorization()
{ {
// If we have already validated we do not need to call this function
// again. This is needed to work around Laravel's normal auth validation
// that occurs after validating the request params since we are doing auth
// validation in the prepareForValidation() function.
if ($this->hasValidated) {
return true;
}
if (! parent::passesAuthorization()) { if (! parent::passesAuthorization()) {
return false; return false;
} }
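Review bot: In prepareForValidation() the `$this->hasValidated = true;` assignment runs unconditionally after the authorization branch, so the later short-circuit in passesAuthorization() returning true is only safe as long as failedAuthorization() never returns; an override that logs or returns instead of throwing would turn a denied request into an allowed one. Making the success path explicit costs one line, `$this->failedAuthorization(); return;` inside the `if`, so the flag is set only when the check actually passed. The flag's name and docblock also misdescribe what it records — it marks that authorization has passed, not that validation ran — so `$hasAuthorized` (or a docblock reading "Tracks whether the authorization and resource-existence check has already passed, so the post-validation passesAuthorization() call can skip it") would read more accurately; the same applies to the comment block in the passesAuthorization() hunk. The `@throws \Illuminate\Auth\Access\AuthorizationException` line presumably reflects the framework's failedAuthorization(); if this class or a subclass overrides it to throw a project exception, that tag should name it. passesAuthorization()'s body continues past the end of the hunk.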


@ -2,7 +2,6 @@
namespace Pterodactyl\Http\Requests\Api\Application\Servers; namespace Pterodactyl\Http\Requests\Api\Application\Servers;
use Pterodactyl\Models\Server;
use Pterodactyl\Services\Acl\Api\AdminAcl; use Pterodactyl\Services\Acl\Api\AdminAcl;
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest; use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
@ -17,16 +16,4 @@ class ServerWriteRequest extends ApplicationApiRequest
* @var int * @var int
*/ */
protected $permission = AdminAcl::WRITE; protected $permission = AdminAcl::WRITE;
/**
* Determine if the requested server exists on the Panel.
*
* @return bool
*/
public function resourceExists(): bool
{
$server = $this->route()->parameter('server');
return $server instanceof Server && $server->exists;
}
} }