From b41e7ecf0986f879c32179180d53602da54b8758 Mon Sep 17 00:00:00 2001
From: Dane Everitt <dane@daneeveritt.com>
Date: Fri, 8 Jan 2016 22:30:21 -0500
Subject: [PATCH] Fix more permissions checking

---
 app/Policies/ServerPolicy.php            | 9 +++++++++
 resources/views/layouts/master.blade.php | 6 +++---
 resources/views/server/index.blade.php   | 6 +++---
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/app/Policies/ServerPolicy.php b/app/Policies/ServerPolicy.php
index 1922ce56e..0bb59caa5 100644
--- a/app/Policies/ServerPolicy.php
+++ b/app/Policies/ServerPolicy.php
@@ -221,4 +221,13 @@ class ServerPolicy
         return $user->permissions()->server($server)->permission('view-manage')->exists();
     }
 
+    public function viewAllocation(User $user, Server $server)
+    {
+        if ($this->isOwner($user, $server)) {
+            return true;
+        }
+
+        return $user->permissions()->server($server)->permission('view-allocation')->exists();
+    }
+
 }
diff --git a/resources/views/layouts/master.blade.php b/resources/views/layouts/master.blade.php
index b5cfa3e6f..b71bd10c0 100644
--- a/resources/views/layouts/master.blade.php
+++ b/resources/views/layouts/master.blade.php
@@ -193,9 +193,9 @@
                             <div class="list-group">
                                 <a href="#" class="list-group-item list-group-item-heading"><strong>{{ trans('pagination.sidebar.server_controls') }}</strong></a>
                                 <a href="/server/{{ $server->uuidShort }}/" class="list-group-item server-index">{{ trans('pagination.sidebar.overview') }}</a>
-                                @can('list-files', Auth::user())<a href="/server/{{ $server->uuidShort }}/files" class="list-group-item server-files">{{ trans('pagination.sidebar.files') }}</a>@endcan
-                                @can('view-subusers', Auth::user())<a href="/server/{{ $server->uuidShort }}/users" class="list-group-item server-users">{{ trans('pagination.sidebar.subusers') }}</a>@endcan
-                                @can('view-manage', Auth::user())<a href="/server/{{ $server->uuidShort }}/settings" class="list-group-item server-settings">{{ trans('pagination.sidebar.manage') }}</a>@endcan
+                                @can('list-files', $server)<a href="/server/{{ $server->uuidShort }}/files" class="list-group-item server-files">{{ trans('pagination.sidebar.files') }}</a>@endcan
+                                @can('view-subusers', $server)<a href="/server/{{ $server->uuidShort }}/users" class="list-group-item server-users">{{ trans('pagination.sidebar.subusers') }}</a>@endcan
+                                @can('view-manage', $server)<a href="/server/{{ $server->uuidShort }}/settings" class="list-group-item server-settings">{{ trans('pagination.sidebar.manage') }}</a>@endcan
                             </div>
                         @endif
                     @show
diff --git a/resources/views/server/index.blade.php b/resources/views/server/index.blade.php
index 598a4c6c2..8ba699279 100644
--- a/resources/views/server/index.blade.php
+++ b/resources/views/server/index.blade.php
@@ -14,7 +14,7 @@
     <ul class="nav nav-tabs tabs_with_panel" id="config_tabs">
         <li id="triggerConsoleView" class="active"><a href="#console" data-toggle="tab">{{ trans('server.index.control') }}</a></li>
         <li><a href="#stats" data-toggle="tab">{{ trans('server.index.usage') }}</a></li>
-        @can('allocation', $server)<li><a href="#allocation" data-toggle="tab">{{ trans('server.index.allocation') }}</a></li>@endcan
+        @can('view-allocation', $server)<li><a href="#allocation" data-toggle="tab">{{ trans('server.index.allocation') }}</a></li>@endcan
     </ul>
     <div class="tab-content">
         <div class="tab-pane active" id="console">
@@ -78,7 +78,7 @@
                 </div>
             </div>
         </div>
-        @can('allocation', $server)
+        @can('view-allocation', $server)
             <div class="tab-pane" id="allocation">
                 <div class="panel panel-default">
                     <div class="panel-heading"></div>
@@ -384,7 +384,7 @@ $(window).load(function () {
         }
     }
 
-    @can('set-connection', $server)
+    @can('view-allocation', $server)
         // Send Request
         $('[data-action="set-connection"]').click(function (event) {
             event.preventDefault();