Skynet/misc_pterodactyl-panel
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix includes for client API keys on admin accounts; closes #4164

Browse source
This commit is contained in:
DaneEveritt 2022-06-26 13:23:22 -04:00
parent 82d8713b5d
commit b3a57bd0ad
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
1 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
app/Transformers/Api/Application/BaseTransformer.php
View file

@ -67,11 +67,20 @@ abstract class BaseTransformer extends TransformerAbstract
*/ */
protected function authorize(string $resource): bool protected function authorize(string $resource): bool
{ {
$allowed = [ApiKey::TYPE_ACCOUNT, ApiKey::TYPE_APPLICATION];
$token = $this->request->user()->currentAccessToken(); $token = $this->request->user()->currentAccessToken();
if (!$token instanceof ApiKey || $token->key_type !== ApiKey::TYPE_APPLICATION) { if (!$token instanceof ApiKey || !in_array($token->key_type, $allowed)) {
return false; return false;
} }
// If this is not a deprecated application token type we can only check that
// the user is a root admin at the moment. In a future release we'll be rolling
// out more specific permissions for keys.
if ($token->key_type === ApiKey::TYPE_ACCOUNT) {
return $this->request->user()->root_admin;
}
return AdminAcl::check($token, $resource, AdminAcl::READ); return AdminAcl::check($token, $resource, AdminAcl::READ);
} }