banquise/pelican-panel-mirror
8
0
Fork 1
mirror of https://github.com/pelican-dev/panel.git synced 2025-08-03 01:02:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

Server Policy: Only do owner check if checking for subuser permissions (#1521)

Browse Source
This commit is contained in:
Boy132 2025-07-19 18:52:28 +02:00 committed by GitHub
parent 9f2305f351
commit 62ca53eeaf
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 21 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/Http/Controllers/Api/Client/Servers/SubuserController.php
View File

@ -138,15 +138,7 @@ class SubuserController extends ClientApiController
*/ */
protected function getDefaultPermissions(Request $request): array protected function getDefaultPermissions(Request $request): array
{ {
$allowed = Permission::permissions() $allowed = Permission::permissionKeys()->all();
->map(function ($value, $prefix) {
return array_map(function ($value) use ($prefix) {
return "$prefix.$value";
}, array_keys($value['keys']));
})
->flatten()
->all();
$cleaned = array_intersect($request->input('permissions') ?? [], $allowed); $cleaned = array_intersect($request->input('permissions') ?? [], $allowed);
return array_unique(array_merge($cleaned, [Permission::ACTION_WEBSOCKET_CONNECT])); return array_unique(array_merge($cleaned, [Permission::ACTION_WEBSOCKET_CONNECT]));

3
app/Http/Requests/Api/Client/Servers/SendPowerRequest.php
View File

@ -22,7 +22,8 @@ class SendPowerRequest extends ClientApiRequest
return Permission::ACTION_CONTROL_RESTART; return Permission::ACTION_CONTROL_RESTART;
} }
return '__invalid'; // Fallback for invalid signals
return Permission::ACTION_WEBSOCKET_CONNECT;
} }
/** /**

7
app/Models/Permission.php
View File

@ -211,4 +211,11 @@ class Permission extends Model implements Validatable
return collect($permissions); return collect($permissions);
} }
public static function permissionKeys(): Collection
{
return static::permissions()
->map(fn ($value, $prefix) => array_map(fn ($value) => "$prefix.$value", array_keys($value['keys'])))
->flatten();
}
} }

3
app/Policies/ServerPolicy.php
View File

@ -2,6 +2,7 @@
namespace App\Policies; namespace App\Policies;
use App\Models\Permission;
use App\Models\Server; use App\Models\Server;
use App\Models\User; use App\Models\User;
@ -21,6 +22,7 @@ class ServerPolicy
return null; return null;
} }
if (Permission::permissionKeys()->contains($ability)) {
// Owner has full server permissions // Owner has full server permissions
if ($server->owner_id === $user->id) { if ($server->owner_id === $user->id) {
return true; return true;
@ -31,6 +33,7 @@ class ServerPolicy
if ($subuser && in_array($ability, $subuser->permissions)) { if ($subuser && in_array($ability, $subuser->permissions)) {
return true; return true;
} }
}
// Make sure user can target node of the server // Make sure user can target node of the server
if (!$user->canTarget($server->node)) { if (!$user->canTarget($server->node)) {