From b1a9a597070bd4d594ed7ff13df6922933d6c30e Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Thu, 20 Oct 2016 18:35:55 -0400
Subject: [PATCH] Update middleware to handle wildcards correctly.
---
 app/Http/Middleware/APISecretToken.php | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/app/Http/Middleware/APISecretToken.php b/app/Http/Middleware/APISecretToken.php
index ef150f1f2..fab4d177d 100755
--- a/app/Http/Middleware/APISecretToken.php
+++ b/app/Http/Middleware/APISecretToken.php
@@ -93,13 +93,18 @@ class APISecretToken extends Authorization
 }
 }
- $permission = APIPermission::where('key_id', $key->id)
- ->where('permission', $request->route()->getName())
- ->orWhere('permission', '*')
- ->first();
- if (!$permission) {
- APILogService::log($request, 'You do not have permission to access this resource.');
- throw new AccessDeniedHttpException('You do not have permission to access this resource.');
+ $permission = APIPermission::where('key_id', $key->id)->where('permission', $request->route()->getName());
+
+ // Suport Wildcards
+ if (starts_with($request->route()->getName(), 'api.user')) {
+ $permission->orWhere('permission', 'api.user.*');
+ } else if(starts_with($request->route()->getName(), 'api.admin')) {
+ $permission->orWhere('permission', 'api.admin.*');
+ }
+
+ if (!$permission->first()) {
+ APILogService::log($request, 'You do not have permission to access this resource. This API Key requires the ' . $request->route()->getName() . ' permission node.');
+ throw new AccessDeniedHttpException('You do not have permission to access this resource. This API Key requires the ' . $request->route()->getName() . ' permission node.');
 }
 }
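Review bot: The `$permission->orWhere('permission', 'api.user.*')` / `'api.admin.*'` calls are appended to the top-level builder, so the query becomes `key_id = ? AND permission = ? OR permission = 'api.user.*'` — the OR is not scoped to `$key->id`, and `first()` returns a row whenever any key in the table holds the wildcard node, not only the key being authenticated (the removed `orWhere('permission', '*')` had the same precedence problem, so the commit carries the authorization gap forward rather than closing it). The OR needs to be nested in a `where(function ($query) ...)` closure so it is grouped with the exact-name match underneath the `key_id` condition. Secondary points: the prefixes `'api.user'` and `'api.admin'` have no trailing dot, so a route name that merely starts with those letters would be granted by the wildcard; `else if(` is conventionally `} elseif (`; and the comment should read `// Support wildcards`. The enclosing method begins before this hunk.
```php
$routeName = $request->route()->getName();

// Wildcard node for this route family, if any; null when neither prefix applies.
$wildcard = null;
if (starts_with($routeName, 'api.user.')) {
    $wildcard = 'api.user.*';
} elseif (starts_with($routeName, 'api.admin.')) {
    $wildcard = 'api.admin.*';
}

// Group the OR so it stays scoped to this key:
//   key_id = ? AND (permission = ? OR permission = ?)
$permission = APIPermission::where('key_id', $key->id)
    ->where(function ($query) use ($routeName, $wildcard) {
        $query->where('permission', $routeName);
        if ($wildcard !== null) {
            $query->orWhere('permission', $wildcard);
        }
    });

// … unchanged: first() check, APILogService::log and AccessDeniedHttpException …
```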