			* Not found property rule * Make these “better” * Day 1 * Day 2 * Day 3 * Dat 4 * Remove disabled check * Day 4 continued * Run pint * Final changes hopefully * Pint fixes * Fix again * Reset these * Update app/Filament/Admin/Pages/Health.php Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com> * Update app/Traits/CheckMigrationsTrait.php Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com> --------- Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com>
		
			
				
	
	
		
| <?php
| 
| namespace App\Http\Requests\Api\Client\Servers\Subusers;
| 
| use Illuminate\Http\Request;
| use App\Models\User;
| use App\Models\Subuser;
| use App\Exceptions\Http\HttpForbiddenException;
| use App\Http\Requests\Api\Client\ClientApiRequest;
| use App\Services\Servers\GetUserPermissionsService;
| 
abstract class SubuserRequest extends ClientApiRequest
{
    /** Subuser resolved for this request, when one exists. */
    protected ?Subuser $model;

    /**
     * Authorize the request and ensure that a user is not trying to modify themselves.
     *
     * Checks run in a fixed order: the generic client-API authorization first,
     * then the self-edit guard, and finally — only for POST requests that carry a
     * `permissions` key — the guard that stops a caller from handing out
     * permissions it does not hold itself.
     *
     * @throws \Illuminate\Contracts\Container\BindingResolutionException
     * @throws HttpForbiddenException when the requested permission set exceeds the caller's own
     */
    public function authorize(): bool
    {
        if (!parent::authorize()) {
            return false;
        }

        // A user may never edit their own subuser entry on the server.
        $target = $this->route()->parameter('user');
        if ($target instanceof User && $target->uuid === $this->user()->uuid) {
            return false;
        }

        // NOTE(review): only POST requests are subject to the escalation guard below;
        // confirm that every route able to change a subuser's permissions uses POST.
        $carriesPermissions = $this->method() === Request::METHOD_POST && $this->has('permissions');
        if ($carriesPermissions) {
            $requested = $this->input('permissions') ?? [];
            $this->validatePermissionsCanBeAssigned($requested);
        }

        return true;
    }

    /**
     * Validates that the permissions we are trying to assign can actually be assigned
     * by the user making the request.
     *
     * Callers allowed to `update server` and the server owner are exempt. Everyone
     * else is bounded by the permission set they currently hold on the server, so a
     * subuser cannot grant another subuser more than they themselves have.
     *
     * @param  string[]  $permissions  permission keys the caller wants to assign
     *
     * @throws \Illuminate\Contracts\Container\BindingResolutionException
     * @throws HttpForbiddenException when any requested permission is not held by the caller
     */
    protected function validatePermissionsCanBeAssigned(array $permissions): void
    {
        $requester = $this->user();
        /** @var \App\Models\Server $server */
        $server = $this->route()->parameter('server');

        // Privileged callers are not limited by their own permission set.
        $isExempt = $requester->can('update server', $server) || $requester->id === $server->owner_id;
        if ($isExempt) {
            return;
        }

        /** @var \App\Services\Servers\GetUserPermissionsService $service */
        $service = $this->container->make(GetUserPermissionsService::class);
        $held = $service->handle($server, $requester);

        // Anything requested that the caller does not hold would be an escalation.
        $notHeld = array_diff($permissions, $held);
        if ($notHeld !== []) {
            throw new HttpForbiddenException('Cannot assign permissions to a subuser that your account does not actively possess.');
        }
    }
}