fc643f57f9
* add spatie/permissions * add policies * add role resource * add root admin role handling * replace some "root_admin" with function * add model specific permissions * make permission selection nicer * fix user creation * fix tests * add back subuser checks in server policy * add custom model for role * assign new users to role if root_admin is set * add api for roles * fix phpstan * add permissions for settings page * remove "restore" and "forceDelete" permissions * add user count to list * prevent deletion if role has users * update user list * fix server policy * remove old `root_admin` column * small refactor * fix tests * forgot can checks here * forgot use * disable editing own roles & disable assigning root admin * don't allow to rename root admin role * remove php bombing exception handler * fix role assignment when creating a user * fix disableOptionWhen * fix missing `root_admin` attribute on react frontend * add permission check for bulk delete * rename viewAny to viewList * improve canAccessPanel check * fix admin not displaying for non-root admins * make sure non root admins can't edit root admins * fix import * fix settings page permission check * fix server permissions for non-subusers * fix settings page permission check v2 * small cleanup * cleanup config file * move consts from resouce into enum & model * Update database/migrations/2024_08_01_114538_remove_root_admin_column.php Co-authored-by: Lance Pioch <lancepioch@gmail.com> * fix config * fix phpstan * fix phpstan 2.0 --------- Co-authored-by: Lance Pioch <lancepioch@gmail.com>
72 lines
2.1 KiB
PHP
72 lines
2.1 KiB
PHP
<?php
|
|
|
|
namespace App\Services\Acl\Api;
|
|
|
|
use App\Models\ApiKey;
|
|
|
|
class AdminAcl
|
|
{
|
|
/**
|
|
* Resource permission columns in the api_keys table begin
|
|
* with this identifier.
|
|
*/
|
|
public const COLUMN_IDENTIFIER = 'r_';
|
|
|
|
/**
|
|
* The different types of permissions available for API keys. This
|
|
* implements a read/write/none permissions scheme for all endpoints.
|
|
*/
|
|
public const NONE = 0;
|
|
public const READ = 1;
|
|
public const WRITE = 2;
|
|
|
|
/**
|
|
* Resources that are available on the API and can contain a permissions
|
|
* set for each key. These are stored in the database as r_{resource}.
|
|
*/
|
|
public const RESOURCE_SERVERS = 'servers';
|
|
public const RESOURCE_NODES = 'nodes';
|
|
public const RESOURCE_ALLOCATIONS = 'allocations';
|
|
public const RESOURCE_USERS = 'users';
|
|
public const RESOURCE_EGGS = 'eggs';
|
|
public const RESOURCE_DATABASE_HOSTS = 'database_hosts';
|
|
public const RESOURCE_SERVER_DATABASES = 'server_databases';
|
|
public const RESOURCE_MOUNTS = 'mounts';
|
|
public const RESOURCE_ROLES = 'roles';
|
|
|
|
/**
|
|
* Determine if an API key has permission to perform a specific read/write operation.
|
|
*/
|
|
public static function can(int $permission, int $action = self::READ): bool
|
|
{
|
|
if ($permission & $action) {
|
|
return true;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
/**
|
|
* Determine if an API Key model has permission to access a given resource
|
|
* at a specific action level.
|
|
*/
|
|
public static function check(ApiKey $key, string $resource, int $action = self::READ): bool
|
|
{
|
|
return self::can(data_get($key, self::COLUMN_IDENTIFIER . $resource, self::NONE), $action);
|
|
}
|
|
|
|
/**
|
|
* Return a list of all resource constants defined in this ACL.
|
|
*
|
|
* @throws \ReflectionException
|
|
*/
|
|
public static function getResourceList(): array
|
|
{
|
|
$reflect = new \ReflectionClass(__CLASS__);
|
|
|
|
return collect($reflect->getConstants())->filter(function ($value, $key) {
|
|
return substr($key, 0, 9) === 'RESOURCE_';
|
|
})->values()->toArray();
|
|
}
|
|
}
|