Server Policy: Only do owner check if checking for subuser permissions (#1521)

2025-08-02 15:22:24 +02:00 · 2025-07-19 18:52:28 +02:00 · 2025-07-19 18:52:28 +02:00 · 62ca53eeaf
commit 62ca53eeaf
parent 9f2305f351
4 changed files with 21 additions and 18 deletions
--- a/app/Http/Controllers/Api/Client/Servers/SubuserController.php
+++ b/app/Http/Controllers/Api/Client/Servers/SubuserController.php
@ -138,15 +138,7 @@ class SubuserController extends ClientApiController
     */
    protected function getDefaultPermissions(Request $request): array
    {
-        $allowed = Permission::permissions()
-            ->map(function ($value, $prefix) {
-                return array_map(function ($value) use ($prefix) {
-                    return "$prefix.$value";
-                }, array_keys($value['keys']));
-            })
-            ->flatten()
-            ->all();
-
+        $allowed = Permission::permissionKeys()->all();
        $cleaned = array_intersect($request->input('permissions') ?? [], $allowed);

        return array_unique(array_merge($cleaned, [Permission::ACTION_WEBSOCKET_CONNECT]));
--- a/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php
+++ b/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php
@ -22,7 +22,8 @@ class SendPowerRequest extends ClientApiRequest
                return Permission::ACTION_CONTROL_RESTART;
        }

-        return '__invalid';
+        // Fallback for invalid signals
+        return Permission::ACTION_WEBSOCKET_CONNECT;
    }

    /**
--- a/app/Models/Permission.php
+++ b/app/Models/Permission.php
@ -211,4 +211,11 @@ class Permission extends Model implements Validatable

        return collect($permissions);
    }
+
+    public static function permissionKeys(): Collection
+    {
+        return static::permissions()
+            ->map(fn ($value, $prefix) => array_map(fn ($value) => "$prefix.$value", array_keys($value['keys'])))
+            ->flatten();
+    }
 }
--- a/app/Policies/ServerPolicy.php
+++ b/app/Policies/ServerPolicy.php
@ -2,6 +2,7 @@

 namespace App\Policies;

+use App\Models\Permission;
 use App\Models\Server;
 use App\Models\User;

@ -21,15 +22,17 @@ class ServerPolicy
            return null;
        }

-        // Owner has full server permissions
-        if ($server->owner_id === $user->id) {
-            return true;
-        }
+        if (Permission::permissionKeys()->contains($ability)) {
+            // Owner has full server permissions
+            if ($server->owner_id === $user->id) {
+                return true;
+            }

-        $subuser = $server->subusers->where('user_id', $user->id)->first();
-        // If the user is a subuser check their permissions
-        if ($subuser && in_array($ability, $subuser->permissions)) {
-            return true;
+            $subuser = $server->subusers->where('user_id', $user->id)->first();
+            // If the user is a subuser check their permissions
+            if ($subuser && in_array($ability, $subuser->permissions)) {
+                return true;
+            }
        }

        // Make sure user can target node of the server