mirror of
https://github.com/pelican-dev/panel.git
synced 2025-05-20 04:04:45 +02:00
fc643f57f9
* add spatie/permissions * add policies * add role resource * add root admin role handling * replace some "root_admin" with function * add model specific permissions * make permission selection nicer * fix user creation * fix tests * add back subuser checks in server policy * add custom model for role * assign new users to role if root_admin is set * add api for roles * fix phpstan * add permissions for settings page * remove "restore" and "forceDelete" permissions * add user count to list * prevent deletion if role has users * update user list * fix server policy * remove old `root_admin` column * small refactor * fix tests * forgot can checks here * forgot use * disable editing own roles & disable assigning root admin * don't allow to rename root admin role * remove php bombing exception handler * fix role assignment when creating a user * fix disableOptionWhen * fix missing `root_admin` attribute on react frontend * add permission check for bulk delete * rename viewAny to viewList * improve canAccessPanel check * fix admin not displaying for non-root admins * make sure non root admins can't edit root admins * fix import * fix settings page permission check * fix server permissions for non-subusers * fix settings page permission check v2 * small cleanup * cleanup config file * move consts from resouce into enum & model * Update database/migrations/2024_08_01_114538_remove_root_admin_column.php Co-authored-by: Lance Pioch <lancepioch@gmail.com> * fix config * fix phpstan * fix phpstan 2.0 --------- Co-authored-by: Lance Pioch <lancepioch@gmail.com>
74 lines
2.5 KiB
PHP
74 lines
2.5 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Requests\Api\Client\Servers\Subusers;
|
|
|
|
use Illuminate\Http\Request;
|
|
use App\Models\User;
|
|
use App\Models\Subuser;
|
|
use App\Exceptions\Http\HttpForbiddenException;
|
|
use App\Http\Requests\Api\Client\ClientApiRequest;
|
|
use App\Services\Servers\GetUserPermissionsService;
|
|
|
|
abstract class SubuserRequest extends ClientApiRequest
|
|
{
|
|
protected ?Subuser $model;
|
|
|
|
/**
|
|
* Authorize the request and ensure that a user is not trying to modify themselves.
|
|
*
|
|
* @throws \Illuminate\Contracts\Container\BindingResolutionException
|
|
*/
|
|
public function authorize(): bool
|
|
{
|
|
if (!parent::authorize()) {
|
|
return false;
|
|
}
|
|
|
|
$user = $this->route()->parameter('user');
|
|
// Don't allow a user to edit themselves on the server.
|
|
if ($user instanceof User) {
|
|
if ($user->uuid === $this->user()->uuid) {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
// If this is a POST request, validate that the user can even assign the permissions they
|
|
// have selected to assign.
|
|
if ($this->method() === Request::METHOD_POST && $this->has('permissions')) {
|
|
$this->validatePermissionsCanBeAssigned(
|
|
$this->input('permissions') ?? []
|
|
);
|
|
}
|
|
|
|
return true;
|
|
}
|
|
|
|
/**
|
|
* Validates that the permissions we are trying to assign can actually be assigned
|
|
* by the user making the request.
|
|
*
|
|
* @throws \Illuminate\Contracts\Container\BindingResolutionException
|
|
*/
|
|
protected function validatePermissionsCanBeAssigned(array $permissions)
|
|
{
|
|
$user = $this->user();
|
|
/** @var \App\Models\Server $server */
|
|
$server = $this->route()->parameter('server');
|
|
|
|
// If we are a root admin or the server owner, no need to perform these checks.
|
|
if ($user->isRootAdmin() || $user->id === $server->owner_id) {
|
|
return;
|
|
}
|
|
|
|
// Otherwise, get the current subuser's permission set, and ensure that the
|
|
// permissions they are trying to assign are not _more_ than the ones they
|
|
// already have.
|
|
/** @var \App\Services\Servers\GetUserPermissionsService $service */
|
|
$service = $this->container->make(GetUserPermissionsService::class);
|
|
|
|
if (count(array_diff($permissions, $service->handle($server, $user))) > 0) {
|
|
throw new HttpForbiddenException('Cannot assign permissions to a subuser that your account does not actively possess.');
|
|
}
|
|
}
|
|
}
|