Don't return things a user shouldn't be able to see via the API includes

Author: DaneEveritt

app/Transformers/Api/Client/DatabaseTransformer.php

@@ -4,6 +4,7 @@
 
 use Pterodactyl\Models\Database;
 use League\Fractal\Resource\Item;
+use Pterodactyl\Models\Permission;
 use Illuminate\Contracts\Encryption\Encrypter;
 use Pterodactyl\Contracts\Extensions\HashidsInterface;
 
@@ -65,12 +66,16 @@ public function transform(Database $model): array
     /**
      * Include the database password in the request.
      *
-     * @param \Pterodactyl\Models\Database $model
-     * @return \League\Fractal\Resource\Item
+     * @param \Pterodactyl\Models\Database $database
+     * @return \League\Fractal\Resource\Item|\League\Fractal\Resource\NullResource
      */
-    public function includePassword(Database $model): Item
+    public function includePassword(Database $database): Item
     {
-        return $this->item($model, function (Database $model) {
+        if (!$this->getUser()->can(Permission::ACTION_DATABASE_VIEW_PASSWORD, $database->server)) {
+            return $this->null();
+        }
+
+        return $this->item($database, function (Database $model) {
             return [
                 'password' => $this->encrypter->decrypt($model->password),
             ];

app/Transformers/Api/Client/ServerTransformer.php

@@ -6,10 +6,10 @@
 use Pterodactyl\Models\Server;
 use Pterodactyl\Models\Subuser;
 use Pterodactyl\Models\Allocation;
+use Pterodactyl\Models\Permission;
 use Illuminate\Container\Container;
 use Pterodactyl\Models\EggVariable;
 use Pterodactyl\Services\Servers\StartupCommandService;
-use Pterodactyl\Transformers\Api\Client\EggVariableTransformer;
 
 class ServerTransformer extends BaseClientTransformer
 {
@@ -76,11 +76,16 @@ public function transform(Server $server): array
      * Returns the allocations associated with this server.
      *
      * @param \Pterodactyl\Models\Server $server
-     * @return \League\Fractal\Resource\Collection
+     * @return \League\Fractal\Resource\Collection|\League\Fractal\Resource\NullResource
+     *
      * @throws \Pterodactyl\Exceptions\Transformer\InvalidTransformerLevelException
      */
     public function includeAllocations(Server $server)
     {
+        if (! $this->getUser()->can(Permission::ACTION_ALLOCATION_READ, $server)) {
+            return $this->null();
+        }
+
         return $this->collection(
             $server->allocations,
             $this->makeTransformer(AllocationTransformer::class),
@@ -90,11 +95,16 @@ public function includeAllocations(Server $server)
 
     /**
      * @param \Pterodactyl\Models\Server $server
-     * @return \League\Fractal\Resource\Collection
+     * @return \League\Fractal\Resource\Collection|\League\Fractal\Resource\NullResource
+     *
      * @throws \Pterodactyl\Exceptions\Transformer\InvalidTransformerLevelException
      */
     public function includeVariables(Server $server)
     {
+        if (! $this->getUser()->can(Permission::ACTION_STARTUP_READ, $server)) {
+            return $this->null();
+        }
+
         return $this->collection(
             $server->variables->where('user_viewable', true),
             $this->makeTransformer(EggVariableTransformer::class),
@@ -118,11 +128,16 @@ public function includeEgg(Server $server)
      * Returns the subusers associated with this server.
      *
      * @param \Pterodactyl\Models\Server $server
-     * @return \League\Fractal\Resource\Collection
+     * @return \League\Fractal\Resource\Collection|\League\Fractal\Resource\NullResource
+     *
      * @throws \Pterodactyl\Exceptions\Transformer\InvalidTransformerLevelException
      */
     public function includeSubusers(Server $server)
     {
+        if (! $this->getUser()->can(Permission::ACTION_USER_READ, $server)) {
+            return $this->null();
+        }
+
         return $this->collection($server->subusers, $this->makeTransformer(SubuserTransformer::class), Subuser::RESOURCE_NAME);
     }
 }