banquise/pelican-panel-mirror
13
0
Fork 1
mirror of https://github.com/pelican-dev/panel.git synced 2025-10-27 08:36:51 +01:00
Code Issues Packages Projects Releases Wiki Activity
4,825 Commits 37 Branches 23 Tags
Commit Graph

78 Commits

Author SHA1 Message Date
Lance Pioch
0d2e63f590 Better route model binding 2024-03-22 21:32:12 -04:00
Lance Pioch
3d740907db This is no longer needed 2024-03-20 03:02:35 -04:00
Lance Pioch
add838d42f This has to match up with the parent 2024-03-20 02:19:20 -04:00
Lance Pioch
29b3debee2 Use Laravel’s same return types 2024-03-19 21:12:27 -04:00
Lance Pioch
d58496a355 Replace with helper 2024-03-19 05:11:41 -04:00
Lance Pioch
e9ea5b1cae Even more static analysis! 2024-03-17 13:16:39 -04:00
Lance Pioch
3cea8ca979 Better static analysis 2024-03-17 12:52:22 -04:00
Lance Pioch
50fa260a38 Remove node repository 2024-03-16 21:34:09 -04:00
Lance Pioch
4969aed383 Remove daemon command repo 2024-03-16 15:11:10 -04:00
Lance Pioch
c83dd86a41 Switch namespace back to App 2024-03-12 22:39:16 -04:00
Matthew Penner
1d38b4f0e2
Laravel 10 (#4706) 2023-02-23 12:30:16 -07:00
Boy132
032e4f2e31
Apply node maintenance mode to servers (#4421) 2022-11-06 16:02:30 -07:00
Matthew Penner
cbcf62086f
Upgrade to Laravel 9 (#4413) 
Co-authored-by: DaneEveritt <dane@daneeveritt.com>
 2022-10-14 10:59:20 -06:00
DaneEveritt
6ffe5730da
Log when an API key is blocked due to IP restrictions 2022-06-18 12:04:51 -04:00
DaneEveritt
b051718afe
Fix up API handling logic for keys and set a prefix on all keys 2022-05-22 19:03:51 -04:00
DaneEveritt
bd37978a98
Initial pass at implementing Laravel Sanctum for authorization on the API 2022-05-22 14:57:06 -04:00
DaneEveritt
e313dff674
Massively simplify API binding logic 
Changes the API internals to use normal Laravel binding which automatically supports nested-models and can determine their relationships. This removes a lot of confusingly complex internal logic and replaces it with standard Laravel code.

This also removes a deprecated "getModel" method and fully replaces it with a "parameter" method that does stricter type-checking.
 2022-05-22 14:10:01 -04:00
Dane Everitt
dfa329ddf2
[security] ensure session is only for that request when authenticating user API key 
https://github.com/pterodactyl/panel/security/advisories/GHSA-7v3x-h7r2-34jv
 2022-01-19 21:09:17 -05:00
Dane Everitt
bf9cbe2c6d
Add consistent CSRF token verification to API endpoints; address security concern with non-CSRF protected endpoints 2021-11-16 20:02:18 -08:00
Dane Everitt
60eff40a0c
Fix session management on client API requests; closes #3727 
Versions of Pterodactyl prior to 1.6.3 used a different throttle pathway for
requests. That pathway found the current request user before continuing on to
other in-app middleware, thus the user was available downstream.

Changes introduced in 1.6.3 changed the throttler logic, therefore removing this
step. As a result, the client API could not always get the currently authenticated
user when cookies were used (aka, requests from the Panel UI, and not API directly).

This change corrects the logic to get the session setup correctly before falling
through to authenticating as a user using the API key. If a cookie is present and a
user is found as a result that session will be used. If an API key is provided it is
ignored when a cookie is also present.

In order to keep the API stateless any session created for an API request stemming
from an API key will have the associated session deleted at the end of the request,
and the 'Set-Cookies' header will be stripped from the response.
 2021-11-03 20:51:39 -07:00
Alex
9656378783
Fix 401 error typo (#3393) 2021-06-03 13:35:51 -07:00
Dane Everitt
e30a765071
Simplify logic when a server is in an unsupported state 2021-01-30 13:28:31 -08:00
Dane Everitt
c449ca5155
Use more standardized phpcs 2021-01-23 12:33:34 -08:00
Dane Everitt
a043071e3c
Update to Laravel 8 
Co-authored-by: Matthew Penner <me@matthewp.io>
 2021-01-23 12:12:54 -08:00
Dane Everitt
e8dcd30e0c
[security] fix resources not properly returning an error when they don't match the server in the URL 
Prior to this fix certain resources were accessible even when their assigned server was not the same as the server in the URL. This causes the resource server relationship to not match the server variable present on the request.

Due to this failed logic it was possible for users to access resources they should not have been able to access otherwise for some areas of the panel.
 2021-01-19 21:19:17 -08:00
Dane Everitt
6c39288def
Clarify error messaging for transfers 2020-12-24 10:14:10 -08:00
Matthew Penner
37cfa151b6 Use ServerTransferringException 2020-12-17 10:37:14 -07:00
Matthew Penner
e69d9b2c26 Update comment in AuthenticateServerAccess.php 2020-12-17 10:35:54 -07:00
Matthew Penner
fd848985ee Add ServerTransferringException, use is_null 2020-12-17 10:35:54 -07:00
Matthew Penner
e6c4a68e4a Update logic for tracking a server's transfer state 2020-12-17 10:35:54 -07:00
Matt Malec
df64026449
Update AuthenticateIPAccess.php 
Fix a 500 error when processing a request with an IP filter
 2020-11-08 21:57:22 -05:00
Dane Everitt
c00e5b36a5
Return all servers for a node as a paginated response 
Avoids crashing the PHP process and avoids a bad runaway N+1 query issue that previously existed.
 2020-10-31 11:14:28 -07:00
Dane Everitt
f31a6d3967
Fix parameter bindings for client API routes; closes pterodactyl/panel#2359 2020-09-27 10:39:18 -07:00
Dane Everitt
906cfce81c
Don't return a 403 when returning resources for a suspended server; closes #2279 2020-08-30 09:54:59 -07:00
Dane Everitt
540cc82e3d
Don't resolve database hosts; closes #2237 2020-08-19 20:38:51 -07:00
Dane Everitt
61e9771333
Code cleanup for subuser API endpoints; closes #2247 2020-08-19 20:21:12 -07:00
Dane Everitt
2278927fb6
Update allocations to support ids; protect endpoints; support notes 2020-07-09 20:36:08 -07:00
DarthShmev
06ece0e624
Fix AuthenticateServerAccess middleware spelling issue. 2020-07-05 15:48:02 -04:00
Dane Everitt
fde8465f35
Show a better error when JSON data cannot be parsed in the request 2020-06-30 20:05:11 -07:00
Dane Everitt
536180ed0c
Return Http test cases to a passing state 2020-06-23 21:59:37 -07:00
Dane Everitt
16e14621c8
Better error messaging when server is suspended 2020-06-22 20:22:52 -07:00
Dane Everitt
6056b6f45d
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00
Matthew Penner
658a959e5d Fix trailing comma in DaemonAuthenticate.php, change ServerDetailsController.php to use node authentication 2020-04-10 17:54:50 -06:00
Dane Everitt
2532a73425
Don't throw errors if bad data is sent in the header 2020-04-10 15:53:19 -07:00
Dane Everitt
7557dddf49
Store node daemon tokens in an encrypted manner 2020-04-10 15:15:38 -07:00
Dane Everitt
be05d2df81
Add support for generating a signed URL for downloading a file from the daemon 2020-04-04 19:54:59 -07:00
Dane Everitt
1f92a7de33
Authenticate that the request is coming from someone that should even know about the server 2020-03-28 16:23:18 -07:00
Dane Everitt
7543ef085d
Format files 2019-09-05 21:32:57 -07:00
Dane Everitt
95d19bf09e
Update logic that handles creation of folders for a server 2019-05-01 21:45:39 -07:00
Dane Everitt
0999ec93c3
More logic for deleting databases 2018-08-25 15:07:42 -07:00