138 lines
4.8 KiB
PHP
138 lines
4.8 KiB
PHP
<?php
|
|
|
|
namespace Pterodactyl\Http\Requests\Api\Client\Servers\Subusers;
|
|
|
|
use Illuminate\Http\Request;
|
|
use Pterodactyl\Models\Server;
|
|
use Pterodactyl\Exceptions\Http\HttpForbiddenException;
|
|
use Pterodactyl\Repositories\Eloquent\SubuserRepository;
|
|
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
|
|
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
|
|
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
|
|
|
abstract class SubuserRequest extends ClientApiRequest
|
|
{
|
|
/**
|
|
* @var \Pterodactyl\Models\Subuser|null
|
|
*/
|
|
protected $model;
|
|
|
|
/**
|
|
* Authorize the request and ensure that a user is not trying to modify themselves.
|
|
*
|
|
* @return bool
|
|
*
|
|
* @throws \Illuminate\Contracts\Container\BindingResolutionException
|
|
*/
|
|
public function authorize(): bool
|
|
{
|
|
if (! parent::authorize()) {
|
|
return false;
|
|
}
|
|
|
|
// If there is a subuser present in the URL, validate that it is not the same as the
|
|
// current request user. You're not allowed to modify yourself.
|
|
if ($this->route()->hasParameter('subuser')) {
|
|
if ($this->endpointSubuser()->user_id === $this->user()->id) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
// If this is a POST request, validate that the user can even assign the permissions they
|
|
// have selected to assign.
|
|
if ($this->method() === Request::METHOD_POST && $this->has('permissions')) {
|
|
$this->validatePermissionsCanBeAssigned(
|
|
$this->input('permissions') ?? []
|
|
);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Validates that the permissions we are trying to assign can actually be assigned
|
|
* by the user making the request.
|
|
*
|
|
* @param array $permissions
|
|
*
|
|
* @throws \Illuminate\Contracts\Container\BindingResolutionException
|
|
*/
|
|
protected function validatePermissionsCanBeAssigned(array $permissions)
|
|
{
|
|
$user = $this->user();
|
|
/** @var \Pterodactyl\Models\Server $server */
|
|
$server = $this->route()->parameter('server');
|
|
|
|
// If we are a root admin or the server owner, no need to perform these checks.
|
|
if ($user->root_admin || $user->id === $server->owner_id) {
|
|
return;
|
|
}
|
|
|
|
// Otherwise, get the current subuser's permission set, and ensure that the
|
|
// permissions they are trying to assign are not _more_ than the ones they
|
|
// already have.
|
|
if (count(array_diff($permissions, $this->currentUserPermissions())) > 0) {
|
|
throw new HttpForbiddenException(
|
|
'Cannot assign permissions to a subuser that your account does not actively possess.'
|
|
);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* Returns the currently authenticated user's permissions.
|
|
*
|
|
* @return array
|
|
*
|
|
* @throws \Illuminate\Contracts\Container\BindingResolutionException
|
|
*/
|
|
public function currentUserPermissions(): array
|
|
{
|
|
/** @var \Pterodactyl\Repositories\Eloquent\SubuserRepository $repository */
|
|
$repository = $this->container->make(SubuserRepository::class);
|
|
|
|
/* @var \Pterodactyl\Models\Subuser $model */
|
|
try {
|
|
$model = $repository->findFirstWhere([
|
|
['server_id', $this->route()->parameter('server')->id],
|
|
['user_id', $this->user()->id],
|
|
]);
|
|
} catch (RecordNotFoundException $exception) {
|
|
return [];
|
|
}
|
|
|
|
return $model->permissions;
|
|
}
|
|
|
|
/**
|
|
* Return the subuser model for the given request which can then be validated. If
|
|
* required request parameters are missing a 404 error will be returned, otherwise
|
|
* a model exception will be returned if the model is not found.
|
|
*
|
|
* This returns the subuser based on the endpoint being hit, not the actual subuser
|
|
* for the account making the request.
|
|
*
|
|
* @return \Pterodactyl\Models\Subuser
|
|
*
|
|
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
|
|
* @throws \Illuminate\Database\Eloquent\ModelNotFoundException
|
|
* @throws \Illuminate\Contracts\Container\BindingResolutionException
|
|
*/
|
|
public function endpointSubuser()
|
|
{
|
|
/** @var \Pterodactyl\Repositories\Eloquent\SubuserRepository $repository */
|
|
$repository = $this->container->make(SubuserRepository::class);
|
|
|
|
$parameters = $this->route()->parameters();
|
|
if (
|
|
! isset($parameters['server'], $parameters['server'])
|
|
|| ! is_string($parameters['subuser'])
|
|
|| ! $parameters['server'] instanceof Server
|
|
) {
|
|
throw new NotFoundHttpException;
|
|
}
|
|
|
|
return $this->model ?: $this->model = $repository->getUserForServer(
|
|
$parameters['server']->id, $parameters['subuser']
|
|
);
|
|
}
|
|
}
|