resource)) { throw new PterodactylException('An ACL resource must be defined on API requests.'); } return AdminAcl::check($this->key(), $this->resource, $this->permission); } /** * Determine if the requested resource exists on the server. * * @return bool */ public function resourceExists(): bool { return true; } /** * Default set of rules to apply to API requests. * * @return array */ public function rules(): array { return []; } /** * Return the API key being used for the request. * * @return \Pterodactyl\Models\ApiKey */ public function key(): ApiKey { return $this->attributes->get('api_key'); } /** * Grab a model from the route parameters. If no model is found in the * binding mappings an exception will be thrown. * * @param string $model * @return mixed * * @throws \Symfony\Component\Routing\Exception\InvalidParameterException */ public function getModel(string $model) { $parameterKey = array_get(array_flip(ApiSubstituteBindings::getMappings()), $model); if (is_null($parameterKey)) { throw new InvalidParameterException; } return $this->route()->parameter($parameterKey); } /* * Determine if the request passes the authorization check as well * as the exists check. * * @return bool * * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException */ /** * @return bool */ protected function passesAuthorization() { if (! parent::passesAuthorization()) { return false; } // Only let the user know that a resource does not exist if they are // authenticated to access the endpoint. This avoids exposing that // an item exists (or does not exist) to the user until they can prove // that they have permission to know about it. if ($this->attributes->get('is_missing_model', false) || ! $this->resourceExists()) { throw new NotFoundHttpException(trans('exceptions.api.resource_not_found')); } return true; } }