Always return the primary allocation for a server, even without the allocation permissions
This commit is contained in:
parent
f99ac0ecde
commit
c20d53bb17
3 changed files with 43 additions and 7 deletions
|
@ -163,7 +163,7 @@ class Permission extends Model
|
||||||
'allocation' => [
|
'allocation' => [
|
||||||
'description' => 'Permissions that control a user\'s ability to modify the port allocations for this server.',
|
'description' => 'Permissions that control a user\'s ability to modify the port allocations for this server.',
|
||||||
'keys' => [
|
'keys' => [
|
||||||
'read' => 'Allows a user to view the allocations assigned to this server.',
|
'read' => 'Allows a user to view all allocations currently assigned to this server. Users with any level of access to this server can always view the primary allocation.',
|
||||||
'create' => 'Allows a user to assign additional allocations to the server.',
|
'create' => 'Allows a user to assign additional allocations to the server.',
|
||||||
'update' => 'Allows a user to change the primary server allocation and attach notes to each allocation.',
|
'update' => 'Allows a user to change the primary server allocation and attach notes to each allocation.',
|
||||||
'delete' => 'Allows a user to delete an allocation from the server.',
|
'delete' => 'Allows a user to delete an allocation from the server.',
|
||||||
|
|
|
@ -83,15 +83,23 @@ class ServerTransformer extends BaseClientTransformer
|
||||||
*/
|
*/
|
||||||
public function includeAllocations(Server $server)
|
public function includeAllocations(Server $server)
|
||||||
{
|
{
|
||||||
|
$transformer = $this->makeTransformer(AllocationTransformer::class);
|
||||||
|
|
||||||
|
// While we include this permission, we do need to actually handle it slightly different here
|
||||||
|
// for the purpose of keeping things functionally working. If the user doesn't have read permissions
|
||||||
|
// for the allocations we'll only return the primary server allocation, and any notes associated
|
||||||
|
// with it will be hidden.
|
||||||
|
//
|
||||||
|
// This allows us to avoid too much permission regression, without also hiding information that
|
||||||
|
// is generally needed for the frontend to make sense when browsing or searching results.
|
||||||
if (! $this->getUser()->can(Permission::ACTION_ALLOCATION_READ, $server)) {
|
if (! $this->getUser()->can(Permission::ACTION_ALLOCATION_READ, $server)) {
|
||||||
return $this->null();
|
$primary = clone $server->allocation;
|
||||||
|
$primary->notes = null;
|
||||||
|
|
||||||
|
return $this->collection([$primary], $transformer, Allocation::RESOURCE_NAME);
|
||||||
}
|
}
|
||||||
|
|
||||||
return $this->collection(
|
return $this->collection($server->allocations, $transformer, Allocation::RESOURCE_NAME);
|
||||||
$server->allocations,
|
|
||||||
$this->makeTransformer(AllocationTransformer::class),
|
|
||||||
Allocation::RESOURCE_NAME
|
|
||||||
);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
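Review bot: `clone $server->allocation` on the new side of includeAllocations will throw an `Error` if the relation resolves to null, where the old code simply returned `$this->null()`; if a server can exist without a primary allocation (not visible from this hunk), guard it before the clone with `if ($server->allocation === null) { return $this->null(); }`. The method's docblock, which ends just above the hunk, should also record the new contract — that a user without allocation.read receives a one-element collection holding the primary allocation with `notes` stripped, rather than a null include — since the frontend now relies on that shape. The clone is shallow, so setting `notes` to null on the copy leaves the loaded model untouched, which appears to be the intent and is worth stating in the inline comment block.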
@ -304,6 +304,34 @@ class ClientControllerTest extends ClientApiIntegrationTestCase
|
||||||
$response->assertJsonCount(0, 'data');
|
$response->assertJsonCount(0, 'data');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Test that a subuser without the allocation.read permission is only able to see the primary
|
||||||
|
* allocation for the server.
|
||||||
|
*/
|
||||||
|
public function testOnlyPrimaryAllocationIsReturnedToSubuser()
|
||||||
|
{
|
||||||
|
/** @var \Pterodactyl\Models\Server $server */
|
||||||
|
[$user, $server] = $this->generateTestAccount([Permission::ACTION_WEBSOCKET_CONNECT]);
|
||||||
|
$server->allocation->notes = 'Test notes';
|
||||||
|
$server->allocation->save();
|
||||||
|
|
||||||
|
factory(Allocation::class)->times(2)->create([
|
||||||
|
'node_id' => $server->node_id,
|
||||||
|
'server_id' => $server->id,
|
||||||
|
]);
|
||||||
|
|
||||||
|
$server->refresh();
|
||||||
|
$response = $this->actingAs($user)->getJson('/api/client');
|
||||||
|
|
||||||
|
$response->assertOk();
|
||||||
|
$response->assertJsonCount(1, 'data');
|
||||||
|
$response->assertJsonPath('data.0.attributes.server_owner', false);
|
||||||
|
$response->assertJsonPath('data.0.attributes.uuid', $server->uuid);
|
||||||
|
$response->assertJsonCount(1, 'data.0.attributes.relationships.allocations.data');
|
||||||
|
$response->assertJsonPath('data.0.attributes.relationships.allocations.data.0.attributes.id', $server->allocation->id);
|
||||||
|
$response->assertJsonPath('data.0.attributes.relationships.allocations.data.0.attributes.notes', null);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @return array
|
* @return array
|
||||||
*/
|
*/
|
||||||
|
|
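Review bot: testOnlyPrimaryAllocationIsReturnedToSubuser pins the reduced response but not its counterpart: nothing here checks that a subuser holding allocation.read still receives all three allocations with notes intact, so a regression that strips notes or drops allocations for every caller would pass this test (unless covered elsewhere in the file). A second case granting `Permission::ACTION_ALLOCATION_READ` and asserting `$response->assertJsonCount(3, 'data.0.attributes.relationships.allocations.data');` together with the `'Test notes'` value would close that gap. It is also worth asserting after the request that `$server->allocation->fresh()->notes` is still `'Test notes'`, because the transformer relies on nulling a clone rather than the loaded model, and this is the test that would catch that distinction being lost.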