mirror of
https://github.com/pelican-dev/panel.git
synced 2025-05-20 01:44:45 +02:00
fea1c51337
* Add new panel * Add some basic resource pages * Wip * Wip terminal * Wip * Add new panel * Add some basic resource pages * Wip * [Sub-Users] Add Invite TODO: The logic with permissions * [Sub-Users] Fix Creation * [Cron] Add basics * Add basic auth and messages * Add basic buttons * WIP on issue/353 * WIP on issue/353 * Add Database page * Update Database Page * Start of Backup Page * Composer Update * Changes * Send input * Remove this includes * Better offline handling * Consolidate top nav config * Update Backups Page * Update Backups * Change name * Add Assign All, Layout Fixes. * conflict * update schedule pages * fix phpstan * update pint.json * add cron presets to schedule * fix tests * fix task creation * schedules: disable task creation if limit is reached & disable backup action if backup limit is 0 * update activity pages * update resources * Update Edit User TODO: actually save permissions when they're changed. TODO: Figure out why Control does not update it's state... but the rest do... * .... Sure it works. TODO: Update permissions when you save editing a sub user. * user: update canAccessPanel & canAccessTenant * add helper to convert bytes into readable format * very basic file explorer * files: fix some stuff & remove dummy data * files: better error handling * files: basic file editor * files: add some actions * File manager updates * files: fix paths * Revery Composer Upgrade, Fixes SQLite * fix: Pint (#517) feat: MenuItems to and from admin * Update File Editing Updated File Editing to its own page, Added Permission checks for file manager. Co-authored-by: Boy132 <Boy132@users.noreply.github.com> * add enum for editor langs * files: add upload & pull actions * fix build * files: handle images * Update to Filament v3.2.98 * files: add remaining actions * use `authorize` instead of `hidden` * fix canAccessTenant * update date columns * files: testing & fixes * Fix File Names Co-authored-by: lancepioch <git@lance.sh> * Combine Pull/Upload * Fix BulkDelete * Uncontained tabs * Hide Lang Selection, Move Actions * Update Monaco, more custom * Add livewire config livewire limits uploads to 12MB... who knows why... Fixed uploading a single files failing * files: fix record url * basic setup for settings & startup page * make abstract class for simple app pages * Basic Startup Page * Update nav sort * small cleanup * startup: fix shouldHideComponent & getSelectOptionsFromRules * startup: fix non editable fields & set default value * startup: add todo for save button * Save Variables after update & off click Variables update when the user clicks off the input. * Notifications are cool * Add rule validation * Sort variables by sortid * pint * Settings Page + Startup Changes * settings: cleanup * refactor: use server model for ServerFormPage (formerly known as SimplePage) * Use Repeater for variables * Add Network, Remove breadcrumbs * Add paginated to file explorer * Fix updating variables * Add link to go to new client area * fix after merge * Add graphs to console page Graphs still need to get the data from the web socket. * fix pint & phpstan * fix authorizeAccess for EditFiles and Startup page * Fix rules on startup page * Update console size * Fix node name * add "global search" to files list requires https://github.com/pelican-dev/wings/pull/44 * remove debug dummy data * update view action on ListServers * enable SPA mode for app panel * remove colors from app panel they are defined globally in AppServiceProvider * update global search ui a bit (to be replaced with a custom page that is similar to the list files table) * add own page for global search untested - and route needs cleanup (if possible) * fix File getRows * remove "path" from SearchFiles (for now) * fix caching for searched files * add title and breadcrumbs to global search page * make cpu & memory charts on console page working * fix phpstan * add missing import * cleanup console views & widgets * add overview stats to console * don't be so lazy, console! * make history working * decode data to get array * add missing On * fix json_decode * change polling to 1 sec * hide "0" cpu/ memory * add data to network chart * Remove data labels * fix data on network chart * fix data on network chart (2nd try) * WIP Network Stats * Remove test * Change MaxWidth * run pint * fix phpstan * Fix storeStats cast * make $data a string this time for real * update visible check for "admin" menu item * remove account widget * rebrand "Dashboard" to "Server List" WIP - doesn't look good but is somewhat working * fix canAccessPanel * separate server list into own panel * change path to avoid conflicts with old client area (and remove sidebar width) * display correct icon and color on server list entries * show total memory if server is offline * replace custom server list page with ListRecords page * fix tests * fix namespace * remove "open" button and make whole column clickable * Update EditProfile * run pint * fix access to server list * add new login page to panels * fix next_run_at for new schedules * use new DateTimeColumn * add own column for file bytes * return to server list when clicking title * fix console loading * handle server with "conflict state" * add banner if server is in "conflict state" * fix phpstan * update docker image select * fix permission checks on Settings & Startup pages * fix query for activity log page * fix activity log not being logged * adjust ListActivities * fix phpstan * fix pint * fix profile menu item link on server panel * add ip tooltip to activity logs (and role permission) * change backup icon * update navigation sort * general code cleanup * more cleanup * Disable Restart/Stop if server is offline * Change rename notification * Remove negation on abort_unless * Add notification on save * Single disabled closure & comment unused import * Add required to Server Name & Nullable to description * mutateFormDataBeforeSave doesn't work since we use forceFill * Fix web socket connection not existing. * Fix some subuser permissions * add permission checks to resources * do not allow self-deletion * Update editing file permissions * Fix of the previous fix * add service for subuser updating * Only allow save if they have file_update * Remove unused import * Update backup delete button * Add Delete, remove bulks * Update Database page * Use Allocation Permissions * add canAccess check to startup * Add Permission checks to Settings page * add service for subuser deletion * Remove Kill permission * Updates * fix move files * add redirects * fix phpstan * activity: remove properties from tans for now * If alias, use that, else ip --------- Co-authored-by: notCharles <charles@pelican.dev> Co-authored-by: Boy132 <mail@boy132.de> Co-authored-by: Senna <62171904+Poseidon281@users.noreply.github.com> Co-authored-by: Boy132 <Boy132@users.noreply.github.com> Co-authored-by: RMartinOscar <40749467+RMartinOscar@users.noreply.github.com>
434 lines
14 KiB
PHP
434 lines
14 KiB
PHP
<?php
|
|
|
|
namespace App\Models;
|
|
|
|
use App\Exceptions\DisplayException;
|
|
use App\Rules\Username;
|
|
use App\Facades\Activity;
|
|
use DateTimeZone;
|
|
use Filament\Models\Contracts\FilamentUser;
|
|
use Filament\Models\Contracts\HasAvatar;
|
|
use Filament\Models\Contracts\HasName;
|
|
use Filament\Models\Contracts\HasTenants;
|
|
use Filament\Panel;
|
|
use Illuminate\Database\Eloquent\Relations\BelongsToMany;
|
|
use Illuminate\Support\Collection;
|
|
use Illuminate\Support\Str;
|
|
use Illuminate\Validation\Rules\In;
|
|
use Illuminate\Auth\Authenticatable;
|
|
use Illuminate\Notifications\Notifiable;
|
|
use Illuminate\Database\Eloquent\Builder;
|
|
use App\Models\Traits\HasAccessTokens;
|
|
use Illuminate\Auth\Passwords\CanResetPassword;
|
|
use App\Traits\Helpers\AvailableLanguages;
|
|
use Illuminate\Database\Eloquent\Relations\HasMany;
|
|
use Illuminate\Foundation\Auth\Access\Authorizable;
|
|
use Illuminate\Database\Eloquent\Relations\MorphToMany;
|
|
use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
|
|
use Illuminate\Contracts\Auth\Access\Authorizable as AuthorizableContract;
|
|
use Illuminate\Contracts\Auth\CanResetPassword as CanResetPasswordContract;
|
|
use App\Notifications\SendPasswordReset as ResetPasswordNotification;
|
|
use Filament\Facades\Filament;
|
|
use Illuminate\Database\Eloquent\Model as IlluminateModel;
|
|
use Spatie\Permission\Traits\HasRoles;
|
|
|
|
/**
|
|
* App\Models\User.
|
|
*
|
|
* @property int $id
|
|
* @property string|null $external_id
|
|
* @property string $uuid
|
|
* @property string $username
|
|
* @property string $email
|
|
* @property string|null $name_first
|
|
* @property string|null $name_last
|
|
* @property string $password
|
|
* @property string|null $remember_token
|
|
* @property string $language
|
|
* @property string $timezone
|
|
* @property bool $use_totp
|
|
* @property string|null $totp_secret
|
|
* @property \Illuminate\Support\Carbon|null $totp_authenticated_at
|
|
* @property array|null $oauth
|
|
* @property bool $gravatar
|
|
* @property \Illuminate\Support\Carbon|null $created_at
|
|
* @property \Illuminate\Support\Carbon|null $updated_at
|
|
* @property \Illuminate\Database\Eloquent\Collection|\App\Models\ApiKey[] $apiKeys
|
|
* @property int|null $api_keys_count
|
|
* @property string $name
|
|
* @property \Illuminate\Notifications\DatabaseNotificationCollection|\Illuminate\Notifications\DatabaseNotification[] $notifications
|
|
* @property int|null $notifications_count
|
|
* @property \Illuminate\Database\Eloquent\Collection|\App\Models\RecoveryToken[] $recoveryTokens
|
|
* @property int|null $recovery_tokens_count
|
|
* @property \Illuminate\Database\Eloquent\Collection|\App\Models\Server[] $servers
|
|
* @property int|null $servers_count
|
|
* @property \Illuminate\Database\Eloquent\Collection|\App\Models\UserSSHKey[] $sshKeys
|
|
* @property int|null $ssh_keys_count
|
|
* @property \Illuminate\Database\Eloquent\Collection|\App\Models\ApiKey[] $tokens
|
|
* @property int|null $tokens_count
|
|
*
|
|
* @method static \Database\Factories\UserFactory factory(...$parameters)
|
|
* @method static Builder|User newModelQuery()
|
|
* @method static Builder|User newQuery()
|
|
* @method static Builder|User query()
|
|
* @method static Builder|User whereCreatedAt($value)
|
|
* @method static Builder|User whereEmail($value)
|
|
* @method static Builder|User whereExternalId($value)
|
|
* @method static Builder|User whereGravatar($value)
|
|
* @method static Builder|User whereId($value)
|
|
* @method static Builder|User whereLanguage($value)
|
|
* @method static Builder|User whereTimezone($value)
|
|
* @method static Builder|User whereNameFirst($value)
|
|
* @method static Builder|User whereNameLast($value)
|
|
* @method static Builder|User wherePassword($value)
|
|
* @method static Builder|User whereRememberToken($value)
|
|
* @method static Builder|User whereTotpAuthenticatedAt($value)
|
|
* @method static Builder|User whereTotpSecret($value)
|
|
* @method static Builder|User whereUpdatedAt($value)
|
|
* @method static Builder|User whereUseTotp($value)
|
|
* @method static Builder|User whereUsername($value)
|
|
* @method static Builder|User whereUuid($value)
|
|
*/
|
|
class User extends Model implements AuthenticatableContract, AuthorizableContract, CanResetPasswordContract, FilamentUser, HasAvatar, HasName, HasTenants
|
|
{
|
|
use Authenticatable;
|
|
use Authorizable {can as protected canned; }
|
|
use AvailableLanguages;
|
|
use CanResetPassword;
|
|
use HasAccessTokens;
|
|
use HasRoles;
|
|
use Notifiable;
|
|
|
|
public const USER_LEVEL_USER = 0;
|
|
|
|
public const USER_LEVEL_ADMIN = 1;
|
|
|
|
/**
|
|
* The resource name for this model when it is transformed into an
|
|
* API representation using fractal. Also used as name for api key permissions.
|
|
*/
|
|
public const RESOURCE_NAME = 'user';
|
|
|
|
/**
|
|
* Level of servers to display when using access() on a user.
|
|
*/
|
|
protected string $accessLevel = 'all';
|
|
|
|
/**
|
|
* The table associated with the model.
|
|
*/
|
|
protected $table = 'users';
|
|
|
|
/**
|
|
* A list of mass-assignable variables.
|
|
*/
|
|
protected $fillable = [
|
|
'external_id',
|
|
'username',
|
|
'email',
|
|
'name_first',
|
|
'name_last',
|
|
'password',
|
|
'language',
|
|
'timezone',
|
|
'use_totp',
|
|
'totp_secret',
|
|
'totp_authenticated_at',
|
|
'gravatar',
|
|
'oauth',
|
|
];
|
|
|
|
/**
|
|
* The attributes excluded from the model's JSON form.
|
|
*/
|
|
protected $hidden = ['password', 'remember_token', 'totp_secret', 'totp_authenticated_at', 'oauth'];
|
|
|
|
/**
|
|
* Default values for specific fields in the database.
|
|
*/
|
|
protected $attributes = [
|
|
'external_id' => null,
|
|
'language' => 'en',
|
|
'timezone' => 'UTC',
|
|
'use_totp' => false,
|
|
'totp_secret' => null,
|
|
'name_first' => '',
|
|
'name_last' => '',
|
|
'oauth' => '[]',
|
|
];
|
|
|
|
/**
|
|
* Rules verifying that the data being stored matches the expectations of the database.
|
|
*/
|
|
public static array $validationRules = [
|
|
'uuid' => 'nullable|string|size:36|unique:users,uuid',
|
|
'email' => 'required|email|between:1,255|unique:users,email',
|
|
'external_id' => 'sometimes|nullable|string|max:255|unique:users,external_id',
|
|
'username' => 'required|between:1,255|unique:users,username',
|
|
'name_first' => 'nullable|string|between:0,255',
|
|
'name_last' => 'nullable|string|between:0,255',
|
|
'password' => 'sometimes|nullable|string',
|
|
'language' => 'string',
|
|
'timezone' => 'string',
|
|
'use_totp' => 'boolean',
|
|
'totp_secret' => 'nullable|string',
|
|
'oauth' => 'array|nullable',
|
|
];
|
|
|
|
protected function casts(): array
|
|
{
|
|
return [
|
|
'use_totp' => 'boolean',
|
|
'gravatar' => 'boolean',
|
|
'totp_authenticated_at' => 'datetime',
|
|
'totp_secret' => 'encrypted',
|
|
'oauth' => 'array',
|
|
];
|
|
}
|
|
|
|
protected static function booted(): void
|
|
{
|
|
static::creating(function (self $user) {
|
|
$user->uuid = Str::uuid()->toString();
|
|
|
|
$user->timezone = env('APP_TIMEZONE', 'UTC');
|
|
|
|
return true;
|
|
});
|
|
|
|
static::deleting(function (self $user) {
|
|
throw_if($user->servers()->count() > 0, new DisplayException(__('admin/user.exceptions.user_has_servers')));
|
|
|
|
throw_if(request()->user()?->id === $user->id, new DisplayException(__('admin/user.exceptions.user_is_self')));
|
|
});
|
|
}
|
|
|
|
public function getRouteKeyName(): string
|
|
{
|
|
return 'id';
|
|
}
|
|
|
|
/**
|
|
* Implement language verification by overriding Eloquence's gather
|
|
* rules function.
|
|
*/
|
|
public static function getRules(): array
|
|
{
|
|
$rules = parent::getRules();
|
|
|
|
$rules['language'][] = new In(array_keys((new self())->getAvailableLanguages()));
|
|
$rules['timezone'][] = new In(array_values(DateTimeZone::listIdentifiers()));
|
|
$rules['username'][] = new Username();
|
|
|
|
return $rules;
|
|
}
|
|
|
|
/**
|
|
* Return the user model in a format that can be passed over to React templates.
|
|
*/
|
|
public function toReactObject(): array
|
|
{
|
|
return array_merge(collect($this->toArray())->except(['id', 'external_id'])->toArray(), [
|
|
'root_admin' => $this->isRootAdmin(),
|
|
'admin' => $this->canAccessPanel(Filament::getPanel('admin')),
|
|
]);
|
|
}
|
|
|
|
/**
|
|
* Send the password reset notification.
|
|
*
|
|
* @param string $token
|
|
*/
|
|
public function sendPasswordResetNotification($token): void
|
|
{
|
|
Activity::event('auth:reset-password')
|
|
->withRequestMetadata()
|
|
->subject($this)
|
|
->log('sending password reset email');
|
|
|
|
$this->notify(new ResetPasswordNotification($token));
|
|
}
|
|
|
|
/**
|
|
* Store the username as a lowercase string.
|
|
*/
|
|
public function setUsernameAttribute(string $value): void
|
|
{
|
|
$this->attributes['username'] = mb_strtolower($value);
|
|
}
|
|
|
|
/**
|
|
* Store the email as a lowercase string.
|
|
*/
|
|
public function setEmailAttribute(string $value): void
|
|
{
|
|
$this->attributes['email'] = mb_strtolower($value);
|
|
}
|
|
|
|
/**
|
|
* Return a concatenated result for the accounts full name.
|
|
*/
|
|
public function getNameAttribute(): string
|
|
{
|
|
return trim($this->name_first . ' ' . $this->name_last);
|
|
}
|
|
|
|
/**
|
|
* Returns all servers that a user owns.
|
|
*/
|
|
public function servers(): HasMany
|
|
{
|
|
return $this->hasMany(Server::class, 'owner_id');
|
|
}
|
|
|
|
public function apiKeys(): HasMany
|
|
{
|
|
return $this->hasMany(ApiKey::class)
|
|
->where('key_type', ApiKey::TYPE_ACCOUNT);
|
|
}
|
|
|
|
public function recoveryTokens(): HasMany
|
|
{
|
|
return $this->hasMany(RecoveryToken::class);
|
|
}
|
|
|
|
public function sshKeys(): HasMany
|
|
{
|
|
return $this->hasMany(UserSSHKey::class);
|
|
}
|
|
|
|
/**
|
|
* Returns all the activity logs where this user is the subject — not to
|
|
* be confused by activity logs where this user is the _actor_.
|
|
*/
|
|
public function activity(): MorphToMany
|
|
{
|
|
return $this->morphToMany(ActivityLog::class, 'subject', 'activity_log_subjects');
|
|
}
|
|
|
|
/**
|
|
* Returns all the servers that a user can access by way of being the owner of the
|
|
* server, or because they are assigned as a subuser for that server.
|
|
*/
|
|
public function accessibleServers(): Builder
|
|
{
|
|
return Server::query()
|
|
->select('servers.*')
|
|
->leftJoin('subusers', 'subusers.server_id', '=', 'servers.id')
|
|
->where(function (Builder $builder) {
|
|
$builder->where('servers.owner_id', $this->id)->orWhere('subusers.user_id', $this->id);
|
|
})
|
|
->groupBy('servers.id');
|
|
}
|
|
|
|
public function subusers(): HasMany
|
|
{
|
|
return $this->hasMany(Subuser::class);
|
|
}
|
|
|
|
public function subServers(): BelongsToMany
|
|
{
|
|
return $this->belongsToMany(Server::class, 'subusers');
|
|
}
|
|
|
|
protected function checkPermission(Server $server, string $permission = ''): bool
|
|
{
|
|
if ($this->isRootAdmin() || $server->owner_id === $this->id) {
|
|
return true;
|
|
}
|
|
|
|
$subuser = $server->subusers->where('user_id', $this->id)->first();
|
|
if (!$subuser || empty($permission)) {
|
|
return false;
|
|
}
|
|
|
|
$check = in_array($permission, $subuser->permissions);
|
|
|
|
return $check;
|
|
}
|
|
|
|
/**
|
|
* Laravel's policies strictly check for the existence of a real method,
|
|
* this checks if the ability is one of our permissions and then checks if the user can do it or not
|
|
* Otherwise it calls the Authorizable trait's parent method
|
|
*/
|
|
public function can($abilities, mixed $arguments = []): bool
|
|
{
|
|
if (is_string($abilities) && str_contains($abilities, '.')) {
|
|
[$permission, $key] = str($abilities)->explode('.', 2);
|
|
|
|
if (isset(Permission::permissions()[$permission]['keys'][$key])) {
|
|
if ($arguments instanceof Server) {
|
|
return $this->checkPermission($arguments, $abilities);
|
|
}
|
|
}
|
|
}
|
|
|
|
return $this->canned($abilities, $arguments);
|
|
}
|
|
|
|
public function isLastRootAdmin(): bool
|
|
{
|
|
$rootAdmins = User::all()->filter(fn ($user) => $user->isRootAdmin());
|
|
|
|
return once(fn () => $rootAdmins->count() === 1 && $rootAdmins->first()->is($this));
|
|
}
|
|
|
|
public function isRootAdmin(): bool
|
|
{
|
|
return $this->hasRole(Role::ROOT_ADMIN);
|
|
}
|
|
|
|
public function canAccessPanel(Panel $panel): bool
|
|
{
|
|
if ($this->isRootAdmin()) {
|
|
return true;
|
|
}
|
|
|
|
if ($panel->getId() === 'admin') {
|
|
return $this->roles()->count() >= 1 && $this->getAllPermissions()->count() >= 1;
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
public function getFilamentName(): string
|
|
{
|
|
return $this->name_first ?: $this->username;
|
|
}
|
|
|
|
public function getFilamentAvatarUrl(): ?string
|
|
{
|
|
return 'https://gravatar.com/avatar/' . md5(strtolower($this->email));
|
|
}
|
|
|
|
public function canTarget(IlluminateModel $user): bool
|
|
{
|
|
if ($this->isRootAdmin()) {
|
|
return true;
|
|
}
|
|
|
|
return $user instanceof User && !$user->isRootAdmin();
|
|
}
|
|
|
|
public function getTenants(Panel $panel): array|Collection
|
|
{
|
|
return $this->accessibleServers()->get();
|
|
}
|
|
|
|
public function canAccessTenant(IlluminateModel $tenant): bool
|
|
{
|
|
if ($tenant instanceof Server) {
|
|
if ($this->isRootAdmin() || $tenant->owner_id === $this->id) {
|
|
return true;
|
|
}
|
|
|
|
$subuser = $tenant->subusers->where('user_id', $this->id)->first();
|
|
|
|
return $subuser !== null;
|
|
}
|
|
|
|
return false;
|
|
}
|
|
}
|