Skynet/misc_pterodactyl-panel
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Require specific permission for reading the actual contents of a file; ref #2288

Browse source
This commit is contained in:
Dane Everitt 2020-08-31 19:36:30 -07:00
parent d87438621f
commit 981edb0d64
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
4 changed files with 7 additions and 53 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

50
app/Http/Controllers/Api/Remote/FileDownloadController.php
View file

@ -1,50 +0,0 @@
<?php
namespace Pterodactyl\Http\Controllers\Api\Remote;
use Illuminate\Http\Request;
use Illuminate\Http\JsonResponse;
use Pterodactyl\Http\Controllers\Controller;
use Illuminate\Contracts\Cache\Repository as CacheRepository;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
class FileDownloadController extends Controller
{
/**
* @var \Illuminate\Contracts\Cache\Repository
*/
private $cache;
/**
* FileDownloadController constructor.
*
* @param \Illuminate\Contracts\Cache\Repository $cache
*/
public function __construct(CacheRepository $cache)
{
$this->cache = $cache;
}
/**
* Handle a request to authenticate a download using a token and return
* the path of the file to the daemon.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\Http\JsonResponse
*
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
*/
public function index(Request $request): JsonResponse
{
$download = $this->cache->pull('Server:Downloads:' . $request->input('token', ''));
if (is_null($download)) {
throw new NotFoundHttpException('No file was found using the token provided.');
}
return response()->json([
'path' => array_get($download, 'path'),
'server' => array_get($download, 'server'),
]);
}
}

2
app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php
View file

@ -17,7 +17,7 @@ class GetFileContentsRequest extends ClientApiRequest implements ClientPermissio
*/ */
public function permission(): string public function permission(): string
{ {
return Permission::ACTION_FILE_READ; return Permission::ACTION_FILE_READ_CONTENT;
} }
/** /**

4
app/Models/Permission.php
View file

@ -49,6 +49,7 @@ class Permission extends Model
const ACTION_ALLOCATION_DELETE = 'allocation.delete'; const ACTION_ALLOCATION_DELETE = 'allocation.delete';
const ACTION_FILE_READ = 'file.read'; const ACTION_FILE_READ = 'file.read';
const ACTION_FILE_READ_CONTENT = 'file.read-content';
const ACTION_FILE_CREATE = 'file.create'; const ACTION_FILE_CREATE = 'file.create';
const ACTION_FILE_UPDATE = 'file.update'; const ACTION_FILE_UPDATE = 'file.update';
const ACTION_FILE_DELETE = 'file.delete'; const ACTION_FILE_DELETE = 'file.delete';
@ -138,7 +139,8 @@ class Permission extends Model
'description' => 'Permissions that control a user\'s ability to modify the filesystem for this server.', 'description' => 'Permissions that control a user\'s ability to modify the filesystem for this server.',
'keys' => [ 'keys' => [
'create' => 'Allows a user to create additional files and folders via the Panel or direct upload.', 'create' => 'Allows a user to create additional files and folders via the Panel or direct upload.',
'read' => 'Allows a user to view the contents of a directory and read the contents of a file. Users with this permission can also download files.', 'read' => 'Allows a user to view the contents of a directory, but not view the contents of or download files.',
'read-content' => 'Allows a user to view the contents of a given file. This will also allow the user to download files.',
'update' => 'Allows a user to update the contents of an existing file or directory.', 'update' => 'Allows a user to update the contents of an existing file or directory.',
'delete' => 'Allows a user to delete files or directories.', 'delete' => 'Allows a user to delete files or directories.',
'archive' => 'Allows a user to archive the contents of a directory as well as decompress existing archives on the system.', 'archive' => 'Allows a user to archive the contents of a directory as well as decompress existing archives on the system.',

4
resources/scripts/components/server/files/FileObjectRow.tsx
View file

@ -11,12 +11,14 @@ import tw from 'twin.macro';
import isEqual from 'react-fast-compare'; import isEqual from 'react-fast-compare';
import styled from 'styled-components/macro'; import styled from 'styled-components/macro';
import SelectFileCheckbox from '@/components/server/files/SelectFileCheckbox'; import SelectFileCheckbox from '@/components/server/files/SelectFileCheckbox';
import { usePermissions } from '@/plugins/usePermissions';
const Row = styled.div` const Row = styled.div`
${tw`flex bg-neutral-700 rounded-sm mb-px text-sm hover:text-neutral-100 cursor-pointer items-center no-underline hover:bg-neutral-600`}; ${tw`flex bg-neutral-700 rounded-sm mb-px text-sm hover:text-neutral-100 cursor-pointer items-center no-underline hover:bg-neutral-600`};
`; `;
const Clickable: React.FC<{ file: FileObject }> = memo(({ file, children }) => { const Clickable: React.FC<{ file: FileObject }> = memo(({ file, children }) => {
const [ canReadContents ] = usePermissions([ 'file.read-content' ]);
const directory = ServerContext.useStoreState(state => state.files.directory); const directory = ServerContext.useStoreState(state => state.files.directory);
const history = useHistory(); const history = useHistory();
@ -35,7 +37,7 @@ const Clickable: React.FC<{ file: FileObject }> = memo(({ file, children }) => {
}; };
return ( return (
file.isFile && !file.isEditable() ? (!canReadContents || (file.isFile && !file.isEditable())) ?
<div css={tw`flex flex-1 text-neutral-300 no-underline p-3 cursor-default`}> <div css={tw`flex flex-1 text-neutral-300 no-underline p-3 cursor-default`}>
{children} {children}
</div> </div>