Merge branch 'develop' of github.com:Pterodactyl/Panel into improve-password-reset

Author: schrej

CHANGELOG.md

@@ -3,6 +3,17 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v0.6.0-pre.8 (Courageous Carniadactylus)
+### Fixed
+* `[pre.7]` — Fixes bug with subuser checkbox display.
+* `[pre.7]` — Fixes bug with injected JS that was causing `<!DOCTYPE html>` to be ignored in templates.
+* `[pre.7]` — Fixes exception thrown when trying to delete a node due to a misnamed model.
+
+### Changed
+* Subuser permissions are now stored in `Permission::list()` to make views way cleaner and make adding to views significantly cleaner.
+* `[pre.7]` — Sidebar for file manager now is a single link rather than a dropdown.
+* Attempting to reset a password for an account that does not exist no longer returns an error, rather it displays a success message. Failed resets trigger a `Pterodactyl\Events\Auth\FailedPasswordReset` event that can be caught if needed to perform other actions.
+
 ## v0.6.0-pre.7 (Courageous Carniadactylus)
 ### Fixed
 * `[pre.6]` — Addresses misconfigured console queue that was still sending data way to quickly thus causing the console to explode on some devices when large amounts of data were sent.

app/Events/Auth/FailedPasswordReset.php

@@ -0,0 +1,59 @@
+<?php
+/**
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Events\Auth;
+
+use Illuminate\Queue\SerializesModels;
+
+class FailedPasswordReset
+{
+    use SerializesModels;
+
+    /**
+     * The IP that the request originated from.
+     *
+     * @var string
+     */
+    public $ip;
+
+    /**
+     * The email address that was used when the reset request failed.
+     *
+     * @var string
+     */
+    public $email;
+
+    /**
+     * Create a new event instance.
+     *
+     * @param  string  $ip
+     * @param  string  $email
+     * @return void
+     */
+    public function __construct($ip, $email)
+    {
+        $this->ip = $ip;
+        $this->email = $email;
+    }
+}

app/Http/Controllers/Auth/ForgotPasswordController.php

@@ -1,8 +1,33 @@
 <?php
+/**
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
 
 namespace Pterodactyl\Http\Controllers\Auth;
 
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Password;
 use Pterodactyl\Http\Controllers\Controller;
+use Pterodactyl\Events\Auth\FailedPasswordReset;
 use Illuminate\Foundation\Auth\SendsPasswordResetEmails;
 
 class ForgotPasswordController extends Controller
@@ -29,4 +54,21 @@ public function __construct()
     {
         $this->middleware('guest');
     }
+
+    /**
+     * Get the response for a failed password reset link.
+     *
+     * @param  \Illuminate\Http\Request
+     * @param  string  $response
+     * @return \Illuminate\Http\RedirectResponse
+     */
+    protected function sendResetLinkFailedResponse(Request $request, $response)
+    {
+        // As noted in #358 we will return success even if it failed
+        // to avoid pointing out that an account does or does not
+        // exist on the system.
+        event(new FailedPasswordReset($request->ip(), $request->only('email')));
+
+        return $this->sendResetLinkResponse(Password::RESET_LINK_SENT);
+    }
 }

app/Http/Controllers/Server/SubuserController.php

@@ -79,6 +79,7 @@ public function getView(Request $request, $uuid, $id)
             'server' => $server,
             'node' => $server->node,
             'subuser' => $subuser,
+            'permlist' => Models\Permission::list(),
             'permissions' => $subuser->permissions->mapWithKeys(function ($item, $key) {
                 return [$item->permission => true];
             }),
@@ -146,6 +147,7 @@ public function getNew(Request $request, $uuid)
 
         return view('server.users.new', [
             'server' => $server,
+            'permissions' => Models\Permission::list(),
             'node' => $server->node,
         ]);
     }

app/Models/Permission.php

@@ -58,6 +58,80 @@ class Permission extends Model
         'subuser_id' => 'integer',
     ];
 
+    /**
+     * A list of all permissions available for a user.
+     *
+     * @var array
+     */
+    protected static $permissions = [
+        'power' => [
+            'power-start' => 's:power:start',
+            'power-stop' => 's:power:stop',
+            'power-restart' => 's:power:restart',
+            'power-kill' => 's:power:kill',
+            'send-command' => 's:command',
+        ],
+        'subuser' => [
+            'list-subusers' => null,
+            'view-subuser' => null,
+            'edit-subuser' => null,
+            'create-subuser' => null,
+            'delete-subuser' => null,
+        ],
+        'server' => [
+            'set-connection' => null,
+            'view-startup' => null,
+            'edit-startup'  => null,
+        ],
+        'sftp' => [
+            'view-sftp' => null,
+            'view-sftp-password' => null,
+            'reset-sftp' => 's:set-password',
+        ],
+        'file' => [
+            'list-files' => 's:files:get',
+            'edit-files' => 's:files:read',
+            'save-files' => 's:files:post',
+            'move-files' => 's:files:move',
+            'copy-files' => 's:files:copy',
+            'compress-files' => 's:files:compress',
+            'decompress-files' => 's:files:decompress',
+            'create-files' => 's:files:create',
+            'upload-files' => 's:files:upload',
+            'delete-files' => 's:files:delete',
+            'download-files' => null,
+        ],
+        'task' => [
+            'list-tasks' => null,
+            'view-task' => null,
+            'toggle-task' => null,
+            'queue-task' => null,
+            'create-task' => null,
+            'delete-task' => null,
+        ],
+        'database' => [
+            'view-databases' => null,
+            'reset-db-password' => null,
+        ],
+    ];
+
+    /**
+     * Return a collection of permissions available.
+     *
+     * @param  array  $single
+     * @return \Illuminate\Support\Collection|array
+     */
+    public static function list($single = false)
+    {
+        if ($single) {
+            return collect(self::$permissions)->mapWithKeys(function ($item) {
+                return $item;
+            })->all();
+        }
+
+        return collect(self::$permissions);
+    }
+
     /**
      * Find permission by permission node.
      *

app/Repositories/NodeRepository.php

@@ -277,13 +277,9 @@ public function delete($id)
             throw new DisplayException('You cannot delete a node with servers currently attached to it.');
         }
 
-        DB::beginTransaction();
-
-        try {
+        DB::transaction(function () use ($node) {
             // Unlink Database Servers
-            Models\DatabaseServer::where('linked_node', $node->id)->update([
-                'linked_node' => null,
-            ]);
+            Models\DatabaseHost::where('node_id', $node->id)->update(['node_id' => null]);
 
             // Delete Allocations
             Models\Allocation::where('node_id', $node->id)->delete();
@@ -293,11 +289,6 @@ public function delete($id)
 
             // Delete Node
             $node->delete();
-
-            DB::commit();
-        } catch (\Exception $ex) {
-            DB::rollback();
-            throw $ex;
-        }
+        });
     }
 }

app/Repositories/SubuserRepository.php

@@ -45,62 +45,6 @@ class SubuserRepository
         's:console',
     ];
 
-    /**
-     * Allowed permissions and their related daemon permission.
-     *
-     * @var array
-     */
-    protected $permissions = [
-        // Power Permissions
-        'power-start' => 's:power:start',
-        'power-stop' => 's:power:stop',
-        'power-restart' => 's:power:restart',
-        'power-kill' => 's:power:kill',
-
-        // Commands
-        'send-command' => 's:command',
-
-        // File Manager
-        'list-files' => 's:files:get',
-        'edit-files' => 's:files:read',
-        'save-files' => 's:files:post',
-        'create-files' => 's:files:create',
-        'download-files' => null,
-        'upload-files' => 's:files:upload',
-        'delete-files' => 's:files:delete',
-        'move-files' => 's:files:move',
-        'copy-files' => 's:files:copy',
-        'compress-files' => 's:files:compress',
-        'decompress-files' => 's:files:decompress',
-
-        // Subusers
-        'list-subusers' => null,
-        'view-subuser' => null,
-        'edit-subuser' => null,
-        'create-subuser' => null,
-        'delete-subuser' => null,
-
-        // Tasks
-        'list-tasks' => null,
-        'view-task' => null,
-        'toggle-task' => null,
-        'delete-task' => null,
-        'create-task' => null,
-        'queue-task' => null,
-
-        // Management
-        'set-connection' => null,
-        'view-startup' => null,
-        'edit-startup' => null,
-        'view-sftp' => null,
-        'reset-sftp' => 's:set-password',
-        'view-sftp-password' => null,
-
-        // Databases
-        'view-databases' => null,
-        'reset-db-password' => null,
-    ];
-
     /**
      * Creates a new subuser on the server.
      *
@@ -155,12 +99,14 @@ public function create($sid, array $data)
                 'daemonSecret' => (string) $uuid->generate('servers', 'uuid'),
             ]);
 
+            $perms = Permission::list(true);
             $daemonPermissions = $this->coreDaemonPermissions;
+
             foreach ($data['permissions'] as $permission) {
-                if (array_key_exists($permission, $this->permissions)) {
+                if (array_key_exists($permission, $perms)) {
                     // Build the daemon permissions array for sending.
-                    if (! is_null($this->permissions[$permission])) {
-                        array_push($daemonPermissions, $this->permissions[$permission]);
+                    if (! is_null($perms[$permission])) {
+                        array_push($daemonPermissions, $perms[$permission]);
                     }
 
                     Models\Permission::create([
@@ -272,12 +218,14 @@ public function update($id, array $data)
                 $permission->delete();
             }
 
+            $perms = Permission::list(true);
             $daemonPermissions = $this->coreDaemonPermissions;
+
             foreach ($data['permissions'] as $permission) {
-                if (array_key_exists($permission, $this->permissions)) {
+                if (array_key_exists($permission, $perms)) {
                     // Build the daemon permissions array for sending.
-                    if (! is_null($this->permissions[$permission])) {
-                        array_push($daemonPermissions, $this->permissions[$permission]);
+                    if (! is_null($perms[$permission])) {
+                        array_push($daemonPermissions, $perms[$permission]);
                     }
                     Models\Permission::create([
                         'subuser_id' => $subuser->id,

composer.json

@@ -12,7 +12,7 @@
     ],
     "require": {
         "php": ">=5.6.4",
-        "laravel/framework": "5.3.21",
+        "laravel/framework": "5.3.31",
         "barryvdh/laravel-debugbar": "2.2.3",
         "doctrine/dbal": "2.5.5",
         "guzzlehttp/guzzle": "6.2.2",