Fix subuser permissions not migrating correctly from 0.7; closes pterodactyl#2309

DaneEveritt · DaneEveritt · commit 18fce3756554 · 2020-10-11T15:13:17.000-07:00
diff --git a/app/Models/Permission.php b/app/Models/Permission.php
@@ -219,80 +219,4 @@ public static function permissions(): Collection
     {
         return Collection::make(self::$permissions);
     }
-
-    /**
-     * A list of all permissions available for a user.
-     *
-     * @var array
-     * @deprecated
-     */
-    protected static $deprecatedPermissions = [
-        'power' => [
-            'power-start' => 's:power:start',
-            'power-stop' => 's:power:stop',
-            'power-restart' => 's:power:restart',
-            'power-kill' => 's:power:kill',
-            'send-command' => 's:command',
-        ],
-        'subuser' => [
-            'list-subusers' => null,
-            'view-subuser' => null,
-            'edit-subuser' => null,
-            'create-subuser' => null,
-            'delete-subuser' => null,
-        ],
-        'server' => [
-            'view-allocations' => null,
-            'edit-allocation' => null,
-            'view-startup' => null,
-            'edit-startup' => null,
-        ],
-        'database' => [
-            'view-databases' => null,
-            'reset-db-password' => null,
-            'delete-database' => null,
-            'create-database' => null,
-        ],
-        'file' => [
-            'access-sftp' => null,
-            'list-files' => 's:files:get',
-            'edit-files' => 's:files:read',
-            'save-files' => 's:files:post',
-            'move-files' => 's:files:move',
-            'copy-files' => 's:files:copy',
-            'compress-files' => 's:files:compress',
-            'decompress-files' => 's:files:decompress',
-            'create-files' => 's:files:create',
-            'upload-files' => 's:files:upload',
-            'delete-files' => 's:files:delete',
-            'download-files' => 's:files:download',
-        ],
-        'task' => [
-            'list-schedules' => null,
-            'view-schedule' => null,
-            'toggle-schedule' => null,
-            'queue-schedule' => null,
-            'edit-schedule' => null,
-            'create-schedule' => null,
-            'delete-schedule' => null,
-        ],
-    ];
-
-    /**
-     * Return a collection of permissions available.
-     *
-     * @param bool $array
-     * @return array|\Illuminate\Database\Eloquent\Collection
-     * @deprecated
-     */
-    public static function getPermissions($array = false)
-    {
-        if ($array) {
-            return collect(self::$deprecatedPermissions)->mapWithKeys(function ($item) {
-                return $item;
-            })->all();
-        }
-
-        return collect(self::$deprecatedPermissions);
-    }
 }
diff --git a/database/migrations/2020_03_22_163911_merge_permissions_table_into_subusers.php b/database/migrations/2020_03_22_163911_merge_permissions_table_into_subusers.php
@@ -1,12 +1,64 @@
 <?php
 
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Collection;
+use Pterodactyl\Models\Permission;
 use Illuminate\Support\Facades\Schema;
+use Pterodactyl\Models\Permission as P;
 use Illuminate\Database\Schema\Blueprint;
 use Illuminate\Database\Migrations\Migration;
 
 class MergePermissionsTableIntoSubusers extends Migration
 {
+    /**
+     * A list of all pre-1.0 permissions available to a user and their associated
+     * casting for the new permissions system.
+     *
+     * @var array
+     */
+    protected static $permissionsMap = [
+        'power-start' => P::ACTION_CONTROL_START,
+        'power-stop' => P::ACTION_CONTROL_STOP,
+        'power-restart' => P::ACTION_CONTROL_RESTART,
+        'power-kill' => P::ACTION_CONTROL_STOP,
+        'send-command' => P::ACTION_CONTROL_CONSOLE,
+        'list-subusers' => P::ACTION_USER_READ,
+        'view-subuser' => P::ACTION_USER_READ,
+        'edit-subuser' => P::ACTION_USER_UPDATE,
+        'create-subuser' => P::ACTION_USER_CREATE,
+        'delete-subuser' => P::ACTION_USER_DELETE,
+        'view-allocations' => P::ACTION_ALLOCATION_READ,
+        'edit-allocation' => P::ACTION_ALLOCATION_UPDATE,
+        'view-startup' => P::ACTION_STARTUP_READ,
+        'edit-startup' => P::ACTION_STARTUP_UPDATE,
+        'view-databases' => P::ACTION_DATABASE_READ,
+        // Better to just break this flow a bit than accidentally grant a dangerous permission.
+        'reset-db-password' => P::ACTION_DATABASE_UPDATE,
+        'delete-database' => P::ACTION_DATABASE_DELETE,
+        'create-database' => P::ACTION_DATABASE_CREATE,
+        'access-sftp' => P::ACTION_FILE_SFTP,
+        'list-files' => P::ACTION_FILE_READ,
+        'edit-files' => P::ACTION_FILE_READ_CONTENT,
+        'save-files' => P::ACTION_FILE_UPDATE,
+        'create-files' => P::ACTION_FILE_CREATE,
+        'delete-files' => P::ACTION_FILE_DELETE,
+        'compress-files' => P::ACTION_FILE_ARCHIVE,
+        'list-schedules' => P::ACTION_SCHEDULE_READ,
+        'view-schedule' => P::ACTION_SCHEDULE_READ,
+        'edit-schedule' => P::ACTION_SCHEDULE_UPDATE,
+        'create-schedule' => P::ACTION_SCHEDULE_CREATE,
+        'delete-schedule' => P::ACTION_SCHEDULE_DELETE,
+        // Skipping these permissions as they are granted if you have more specific read/write permissions.
+        'move-files' => null,
+        'copy-files' => null,
+        'decompress-files' => null,
+        'upload-files' => null,
+        'download-files' => null,
+        // These permissions do not exist in 1.0
+        'toggle-schedule' => null,
+        'queue-schedule' => null,
+    ];
+
     /**
      * Run the migrations.
      *
@@ -27,10 +79,19 @@ public function up()
 
         DB::transaction(function () use (&$cursor) {
             $cursor->each(function ($datum) {
-                DB::update('UPDATE subusers SET permissions = ? WHERE id = ?', [
-                    json_encode(explode(',', $datum->permissions)),
-                    $datum->subuser_id,
-                ]);
+                $updated = Collection::make(explode(',', $datum->permissions))
+                    ->map(function ($value) {
+                        return self::$permissionsMap[$value] ?? null;
+                    })->filter(function ($value) {
+                        return !is_null($value) && $value !== Permission::ACTION_WEBSOCKET_CONNECT;
+                    })
+                    // All subusers get this permission, so make sure it gets pushed into the array.
+                    ->merge([ Permission::ACTION_WEBSOCKET_CONNECT ])
+                    ->unique()
+                    ->values()
+                    ->toJson();
+
+                DB::update('UPDATE subusers SET permissions = ? WHERE id = ?', [$updated, $datum->subuser_id]);
             });
         });
     }
@@ -42,11 +103,15 @@ public function up()
      */
     public function down()
     {
+        $flipped = array_flip(self::$permissionsMap);
+
         foreach (DB::select('SELECT id, permissions FROM subusers') as $datum) {
             $values = [];
             foreach (json_decode($datum->permissions, true) as $permission) {
-                $values[] = $datum->id;
-                $values[] = $permission;
+                if (!empty($v = $flipped[$permission])) {
+                    $values[] = $datum->id;
+                    $values[] = $v;
+                }
             }
 
             if (! empty($values)) {
