<?php
namespace Pterodactyl\Http\Requests\Api\Application;
use Pterodactyl\Models\ApiKey;
use Pterodactyl\Services\Acl\Api\AdminAcl;
use Illuminate\Foundation\Http\FormRequest;
use Pterodactyl\Exceptions\PterodactylException;
use Pterodactyl\Http\Middleware\Api\ApiSubstituteBindings;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\Routing\Exception\InvalidParameterException;
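abstract class ApplicationApiRequest extends FormRequest
{
    /**
     * Tracks if the request has been validated internally or not to avoid
     * making duplicate validation calls.
     *
     * @var bool
     */
    private $hasValidated = false;

    /**
     * The resource that should be checked when performing the authorization
     * function for this request. Concrete requests must set this; authorize()
     * refuses to run without it.
     *
     * @var string|null
     */
    protected $resource;

    /**
     * The permission level that a given API key should have for accessing
     * the defined $resource during the request cycle.
     *
     * @var int
     */
    protected $permission = AdminAcl::NONE;

    /**
     * Determine if the current user is authorized to perform
     * the requested action against the API.
     *
     * A missing $resource is treated as a programming error rather than an
     * implicit "allow", so a request class that forgets to declare one fails
     * closed.
     *
     * @return bool
     *
     * @throws \Pterodactyl\Exceptions\PterodactylException
     */
    public function authorize(): bool
    {
        if ($this->resource === null) {
            throw new PterodactylException('An ACL resource must be defined on API requests.');
        }

        return AdminAcl::check($this->key(), $this->resource, $this->permission);
    }

    /**
     * Determine if the requested resource exists on the server.
     *
     * Defaults to true; request classes that bind a specific model should
     * override this so that passesAuthorization() can return a 404 for
     * resources that do not exist.
     *
     * @return bool
     */
    public function resourceExists(): bool
    {
        return true;
    }

    /**
     * Default set of rules to apply to API requests.
     *
     * @return array
     */
    public function rules(): array
    {
        return [];
    }

    /**
     * Return the API key being used for the request.
     *
     * The key is read from the request attribute bag; it is expected to have
     * been attached by the API authentication middleware before this request
     * is resolved (not visible from this file).
     *
     * @return \Pterodactyl\Models\ApiKey
     */
    public function key(): ApiKey
    {
        return $this->attributes->get('api_key');
    }

    /**
     * Grab a model from the route parameters. If no model is found in the
     * binding mappings an exception will be thrown.
     *
     * @param string $model fully-qualified model class name to look up
     * @return mixed
     * @deprecated
     *
     * @throws \Symfony\Component\Routing\Exception\InvalidParameterException
     */
    public function getModel(string $model)
    {
        // The mappings are keyed by route parameter name with the model class
        // as the value; flip them so we can look up the parameter by class.
        $parameterKey = array_flip(ApiSubstituteBindings::getMappings())[$model] ?? null;
        if ($parameterKey === null) {
            throw new InvalidParameterException;
        }

        return $this->route()->parameter($parameterKey);
    }

    /**
     * Validate that the resource exists and can be accessed prior to booting
     * the validator and attempting to use the data.
     *
     * Authorization is deliberately run before input validation so that an
     * unauthenticated caller never receives validation errors (or a 404) that
     * would reveal details about the endpoint or the resource.
     *
     * @throws \Illuminate\Auth\Access\AuthorizationException
     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
     */
    protected function prepareForValidation()
    {
        if (! $this->passesAuthorization()) {
            $this->failedAuthorization();
        }

        // Only reached when authorization succeeded; failedAuthorization()
        // throws, so a denied request never marks itself as validated.
        $this->hasValidated = true;
    }

    /**
     * Determine if the request passes the authorization check as well
     * as the exists check.
     *
     * @return bool
     *
     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
     */
    protected function passesAuthorization()
    {
        // If we have already validated we do not need to call this function
        // again. This is needed to work around Laravel's normal auth validation
        // that occurs after validating the request params since we are doing auth
        // validation in the prepareForValidation() function.
        if ($this->hasValidated) {
            return true;
        }

        if (! parent::passesAuthorization()) {
            return false;
        }

        // Only let the user know that a resource does not exist if they are
        // authenticated to access the endpoint. This avoids exposing that
        // an item exists (or does not exist) to the user until they can prove
        // that they have permission to know about it. Keep this check AFTER the
        // parent authorization check for that reason.
        if ($this->attributes->get('is_missing_model', false) || ! $this->resourceExists()) {
            throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
        }

        return true;
    }
}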