From 981edb0d640e79e111506c9be0f6c1e44503c81a Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Mon, 31 Aug 2020 19:36:30 -0700
Subject: [PATCH] Require specific permission for reading the actual contents of a file; ref #2288
---
 .../Api/Remote/FileDownloadController.php | 50 -------------------
 .../Servers/Files/GetFileContentsRequest.php | 2 +-
 app/Models/Permission.php | 4 +-
 .../components/server/files/FileObjectRow.tsx | 4 +-
 4 files changed, 7 insertions(+), 53 deletions(-)
 delete mode 100644 app/Http/Controllers/Api/Remote/FileDownloadController.php
diff --git a/app/Http/Controllers/Api/Remote/FileDownloadController.php b/app/Http/Controllers/Api/Remote/FileDownloadController.php
deleted file mode 100644
index fa4818fc9..000000000
--- a/app/Http/Controllers/Api/Remote/FileDownloadController.php
+++ /dev/null
@@ -1,50 +0,0 @@
-cache = $cache;
- }
-
- /**
- * Handle a request to authenticate a download using a token and return
- * the path of the file to the daemon.
- *
- * @param \Illuminate\Http\Request $request
- * @return \Illuminate\Http\JsonResponse
- *
- * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
- */
- public function index(Request $request): JsonResponse
- {
- $download = $this->cache->pull('Server:Downloads:' . $request->input('token', ''));
-
- if (is_null($download)) {
- throw new NotFoundHttpException('No file was found using the token provided.');
- }
-
- return response()->json([
- 'path' => array_get($download, 'path'),
- 'server' => array_get($download, 'server'),
- ]);
- }
-}
diff --git a/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php b/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php
index 25dc4f1e1..008b44436 100644
--- a/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php
+++ b/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php
@@ -17,7 +17,7 @@ class GetFileContentsRequest extends ClientApiRequest implements ClientPermissio
 */
 public function permission(): string
 {
- return Permission::ACTION_FILE_READ;
+ return Permission::ACTION_FILE_READ_CONTENT;
 }
 /**
diff --git a/app/Models/Permission.php b/app/Models/Permission.php
index a7eb2709b..f870866e2 100644
--- a/app/Models/Permission.php
+++ b/app/Models/Permission.php
@@ -49,6 +49,7 @@ class Permission extends Model
 const ACTION_ALLOCATION_DELETE = 'allocation.delete';
 const ACTION_FILE_READ = 'file.read';
+ const ACTION_FILE_READ_CONTENT = 'file.read-content';
 const ACTION_FILE_CREATE = 'file.create';
 const ACTION_FILE_UPDATE = 'file.update';
 const ACTION_FILE_DELETE = 'file.delete';
@@ -138,7 +139,8 @@ class Permission extends Model
 'description' => 'Permissions that control a user\'s ability to modify the filesystem for this server.',
 'keys' => [
 'create' => 'Allows a user to create additional files and folders via the Panel or direct upload.',
- 'read' => 'Allows a user to view the contents of a directory and read the contents of a file. Users with this permission can also download files.',
+ 'read' => 'Allows a user to view the contents of a directory, but not view the contents of or download files.',
+ 'read-content' => 'Allows a user to view the contents of a given file. This will also allow the user to download files.',
 'update' => 'Allows a user to update the contents of an existing file or directory.',
 'delete' => 'Allows a user to delete files or directories.',
 'archive' => 'Allows a user to archive the contents of a directory as well as decompress existing archives on the system.',
diff --git a/resources/scripts/components/server/files/FileObjectRow.tsx b/resources/scripts/components/server/files/FileObjectRow.tsx
index bb8935744..cf717569b 100644
--- a/resources/scripts/components/server/files/FileObjectRow.tsx
+++ b/resources/scripts/components/server/files/FileObjectRow.tsx
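Review bot: No test pins the new authorization rule in `GetFileContentsRequest::permission()`; the diffstat lists four files and none of them is a test, so a later change back to `Permission::ACTION_FILE_READ` would go unnoticed. A feature test asserting that a subuser holding only `file.read` is rejected on the file-contents endpoint, while one holding `file.read-content` is accepted, would guard it. Subusers granted `file.read` before this change lose content access until the new permission is assigned; that is fail-closed, but no migration or upgrade note is visible in this patch. The docblock above `permission()` starts outside the hunk; a line such as `Reading contents requires file.read-content; file.read only covers directory listing.` would record the split.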
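Review bot: The new `'read'` description in the `@@ -138,7 +139,8 @@` hunk states that `file.read` holders cannot download files, yet the only request class this patch switches to `ACTION_FILE_READ_CONTENT` is `GetFileContentsRequest`. The request class guarding the download endpoint is not part of this diff, so confirm it also returns `Permission::ACTION_FILE_READ_CONTENT`; if it still returns `ACTION_FILE_READ`, the description overstates the restriction. The same check applies to any daemon-side path that serves file bytes, which would need to recognise `file.read-content`; that cannot be verified from this patch.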
@@ -11,12 +11,14 @@ import tw from 'twin.macro'; import isEqual from 'react-fast-compare'; import styled from 'styled-components/macro'; import SelectFileCheckbox from '@/components/server/files/SelectFileCheckbox'; +import { usePermissions } from '@/plugins/usePermissions'; const Row = styled.div` ${tw`flex bg-neutral-700 rounded-sm mb-px text-sm hover:text-neutral-100 cursor-pointer items-center no-underline hover:bg-neutral-600`}; `; const Clickable: React.FC<{ file: FileObject }> = memo(({ file, children }) => { + const [ canReadContents ] = usePermissions([ 'file.read-content' ]); const directory = ServerContext.useStoreState(state => state.files.directory); const history = useHistory(); @@ -35,7 +37,7 @@ const Clickable: React.FC<{ file: FileObject }> = memo(({ file, children }) => { }; return ( - file.isFile && !file.isEditable() ? + (!canReadContents || (file.isFile && !file.isEditable())) ?
{children}
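Review bot: The new condition `(!canReadContents || (file.isFile && !file.isEditable()))` takes the non-clickable branch for every row, directories included, when the user lacks `file.read-content`, because `!canReadContents` is evaluated without regard to `file.isFile`. If `Clickable` also wraps directory rows (it reads `state.files.directory` and `useHistory()`, which suggests it does), a user holding only `file.read` can no longer navigate into folders that the `'read'` permission still lets them list. Scoping the permission check to files keeps listing usable: `(file.isFile && (!canReadContents || !file.isEditable())) ?`. This gate is a UI hint only, and the server-side check in `GetFileContentsRequest` remains the enforcement point. The body of `Clickable` continues outside the hunk.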