Always return the primary allocation for a server, even without the allocation permissions

This commit is contained in:
Dane Everitt 2020-11-07 09:57:53 -08:00
parent f99ac0ecde
commit c20d53bb17
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
3 changed files with 43 additions and 7 deletions

View file

@ -163,7 +163,7 @@ class Permission extends Model
'allocation' => [ 'allocation' => [
'description' => 'Permissions that control a user\'s ability to modify the port allocations for this server.', 'description' => 'Permissions that control a user\'s ability to modify the port allocations for this server.',
'keys' => [ 'keys' => [
'read' => 'Allows a user to view the allocations assigned to this server.', 'read' => 'Allows a user to view all allocations currently assigned to this server. Users with any level of access to this server can always view the primary allocation.',
'create' => 'Allows a user to assign additional allocations to the server.', 'create' => 'Allows a user to assign additional allocations to the server.',
'update' => 'Allows a user to change the primary server allocation and attach notes to each allocation.', 'update' => 'Allows a user to change the primary server allocation and attach notes to each allocation.',
'delete' => 'Allows a user to delete an allocation from the server.', 'delete' => 'Allows a user to delete an allocation from the server.',

View file

@ -83,15 +83,23 @@ class ServerTransformer extends BaseClientTransformer
*/ */
public function includeAllocations(Server $server) public function includeAllocations(Server $server)
{ {
$transformer = $this->makeTransformer(AllocationTransformer::class);
// While we include this permission, we do need to actually handle it slightly different here
// for the purpose of keeping things functionally working. If the user doesn't have read permissions
// for the allocations we'll only return the primary server allocation, and any notes associated
// with it will be hidden.
//
// This allows us to avoid too much permission regression, without also hiding information that
// is generally needed for the frontend to make sense when browsing or searching results.
if (! $this->getUser()->can(Permission::ACTION_ALLOCATION_READ, $server)) { if (! $this->getUser()->can(Permission::ACTION_ALLOCATION_READ, $server)) {
return $this->null(); $primary = clone $server->allocation;
$primary->notes = null;
return $this->collection([$primary], $transformer, Allocation::RESOURCE_NAME);
} }
return $this->collection( return $this->collection($server->allocations, $transformer, Allocation::RESOURCE_NAME);
$server->allocations,
$this->makeTransformer(AllocationTransformer::class),
Allocation::RESOURCE_NAME
);
} }
/** /**

View file

@ -304,6 +304,34 @@ class ClientControllerTest extends ClientApiIntegrationTestCase
$response->assertJsonCount(0, 'data'); $response->assertJsonCount(0, 'data');
} }
/**
* Test that a subuser without the allocation.read permission is only able to see the primary
* allocation for the server.
*/
public function testOnlyPrimaryAllocationIsReturnedToSubuser()
{
/** @var \Pterodactyl\Models\Server $server */
[$user, $server] = $this->generateTestAccount([Permission::ACTION_WEBSOCKET_CONNECT]);
$server->allocation->notes = 'Test notes';
$server->allocation->save();
factory(Allocation::class)->times(2)->create([
'node_id' => $server->node_id,
'server_id' => $server->id,
]);
$server->refresh();
$response = $this->actingAs($user)->getJson('/api/client');
$response->assertOk();
$response->assertJsonCount(1, 'data');
$response->assertJsonPath('data.0.attributes.server_owner', false);
$response->assertJsonPath('data.0.attributes.uuid', $server->uuid);
$response->assertJsonCount(1, 'data.0.attributes.relationships.allocations.data');
$response->assertJsonPath('data.0.attributes.relationships.allocations.data.0.attributes.id', $server->allocation->id);
$response->assertJsonPath('data.0.attributes.relationships.allocations.data.0.attributes.notes', null);
}
/** /**
* @return array * @return array
*/ */