banquise/pelican-panel-mirror
13
0
Fork 1
mirror of https://github.com/pelican-dev/panel.git synced 2025-11-04 14:46:51 +01:00
Code Issues Packages Projects Releases Wiki Activity
pelican-panel-mirror/app/Http/Requests/Api/Client/Servers/Subusers/SubuserRequest.php
Lance Pioch c7a307af6e Enforce return and parameter types
2024-10-19 21:02:49 -04:00

74 lines
2.5 KiB
PHP
Raw Blame History

<?php
namespace App\Http\Requests\Api\Client\Servers\Subusers;
use Illuminate\Http\Request;
use App\Models\User;
use App\Models\Subuser;
use App\Exceptions\Http\HttpForbiddenException;
use App\Http\Requests\Api\Client\ClientApiRequest;
use App\Services\Servers\GetUserPermissionsService;
abstract class SubuserRequest extends ClientApiRequest
{
protected ?Subuser $model;
/**
* Authorize the request and ensure that a user is not trying to modify themselves.
*
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
public function authorize(): bool
{
if (!parent::authorize()) {
return false;
}
$user = $this->route()->parameter('user');
// Don't allow a user to edit themselves on the server.
if ($user instanceof User) {
if ($user->uuid === $this->user()->uuid) {
return false;
}
}
// If this is a POST request, validate that the user can even assign the permissions they
// have selected to assign.
if ($this->method() === Request::METHOD_POST && $this->has('permissions')) {
$this->validatePermissionsCanBeAssigned(
$this->input('permissions') ?? []
);
}
return true;
}
/**
* Validates that the permissions we are trying to assign can actually be assigned
* by the user making the request.
*
* @throws \Illuminate\Contracts\Container\BindingResolutionException
*/
protected function validatePermissionsCanBeAssigned(array $permissions): void
{
$user = $this->user();
/** @var \App\Models\Server $server */
$server = $this->route()->parameter('server');
// If we are a root admin or the server owner, no need to perform these checks.
if ($user->isRootAdmin() || $user->id === $server->owner_id) {
return;
}
// Otherwise, get the current subuser's permission set, and ensure that the
// permissions they are trying to assign are not _more_ than the ones they
// already have.
/** @var \App\Services\Servers\GetUserPermissionsService $service */
$service = $this->container->make(GetUserPermissionsService::class);
if (count(array_diff($permissions, $service->handle($server, $user))) > 0) {
throw new HttpForbiddenException('Cannot assign permissions to a subuser that your account does not actively possess.');
}
}
}
Reference in New Issue View Git Blame Copy Permalink