Update all of the permissions checking to be constant based

DaneEveritt · DaneEveritt · commit 23d594f65519 · 2020-03-22T15:31:25.000-07:00
diff --git a/app/Http/Controllers/Api/Client/Servers/WebsocketController.php b/app/Http/Controllers/Api/Client/Servers/WebsocketController.php
@@ -4,14 +4,15 @@
 
 use Cake\Chronos\Chronos;
 use Lcobucci\JWT\Builder;
-use Illuminate\Http\Request;
 use Lcobucci\JWT\Signer\Key;
 use Illuminate\Http\Response;
 use Pterodactyl\Models\Server;
 use Illuminate\Http\JsonResponse;
+use Pterodactyl\Models\Permission;
 use Lcobucci\JWT\Signer\Hmac\Sha256;
 use Illuminate\Contracts\Cache\Repository;
 use Symfony\Component\HttpKernel\Exception\HttpException;
+use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
 
 class WebsocketController extends ClientApiController
@@ -39,13 +40,13 @@ public function __construct(Repository $cache)
      * allows us to continually renew this token and avoid users mainitaining sessions wrongly,
      * as well as ensure that user's only perform actions they're allowed to.
      *
-     * @param \Illuminate\Http\Request $request
+     * @param \Pterodactyl\Http\Requests\Api\Client\ClientApiRequest $request
      * @param \Pterodactyl\Models\Server $server
      * @return \Illuminate\Http\JsonResponse
      */
-    public function __invoke(Request $request, Server $server)
+    public function __invoke(ClientApiRequest $request, Server $server)
     {
-        if (! $request->user()->can('websocket.*', $server)) {
+        if ($request->user()->cannot(Permission::ACTION_WEBSOCKET, $server)) {
             throw new HttpException(
                 Response::HTTP_FORBIDDEN, 'You do not have permission to connect to this server\'s websocket.'
             );
diff --git a/app/Http/Requests/Api/Client/Servers/Databases/DeleteDatabaseRequest.php b/app/Http/Requests/Api/Client/Servers/Databases/DeleteDatabaseRequest.php
@@ -4,6 +4,7 @@
 
 use Pterodactyl\Models\Server;
 use Pterodactyl\Models\Database;
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
@@ -14,7 +15,7 @@ class DeleteDatabaseRequest extends ClientApiRequest implements ClientPermission
      */
     public function permission(): string
     {
-        return 'database.delete';
+        return Permission::ACTION_DATABASE_DELETE;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Databases/GetDatabasesRequest.php b/app/Http/Requests/Api/Client/Servers/Databases/GetDatabasesRequest.php
@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Databases;
 
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
@@ -12,6 +13,6 @@ class GetDatabasesRequest extends ClientApiRequest implements ClientPermissionsR
      */
     public function permission(): string
     {
-        return 'database.read';
+        return Permission::ACTION_DATABASE_READ;
     }
 }
diff --git a/app/Http/Requests/Api/Client/Servers/Databases/RotatePasswordRequest.php b/app/Http/Requests/Api/Client/Servers/Databases/RotatePasswordRequest.php
@@ -2,18 +2,18 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Databases;
 
-use Pterodactyl\Models\Server;
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
 class RotatePasswordRequest extends ClientApiRequest
 {
     /**
      * Check that the user has permission to rotate the password.
      *
-     * @return bool
+     * @return string
      */
-    public function authorize(): bool
+    public function permission(): string
     {
-        return $this->user()->can('database.update', $this->getModel(Server::class));
+        return Permission::ACTION_DATABASE_UPDATE;
     }
 }
diff --git a/app/Http/Requests/Api/Client/Servers/Databases/StoreDatabaseRequest.php b/app/Http/Requests/Api/Client/Servers/Databases/StoreDatabaseRequest.php
@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Databases;
 
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
@@ -12,7 +13,7 @@ class StoreDatabaseRequest extends ClientApiRequest implements ClientPermissions
      */
     public function permission(): string
     {
-        return 'database.create';
+        return Permission::ACTION_DATABASE_CREATE;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Files/CopyFileRequest.php b/app/Http/Requests/Api/Client/Servers/Files/CopyFileRequest.php
@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Files;
 
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
@@ -12,7 +13,7 @@ class CopyFileRequest extends ClientApiRequest implements ClientPermissionsReque
      */
     public function permission(): string
     {
-        return 'file.create';
+        return Permission::ACTION_FILE_CREATE;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Files/CreateFolderRequest.php b/app/Http/Requests/Api/Client/Servers/Files/CreateFolderRequest.php
@@ -2,19 +2,19 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Files;
 
-use Pterodactyl\Models\Server;
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
 class CreateFolderRequest extends ClientApiRequest
 {
     /**
      * Checks that the authenticated user is allowed to create files on the server.
      *
-     * @return bool
+     * @return string
      */
-    public function authorize(): bool
+    public function permission(): string
     {
-        return $this->user()->can('file.create', $this->getModel(Server::class));
+        return Permission::ACTION_FILE_CREATE;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Files/DeleteFileRequest.php b/app/Http/Requests/Api/Client/Servers/Files/DeleteFileRequest.php
@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Files;
 
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
@@ -12,7 +13,7 @@ class DeleteFileRequest extends ClientApiRequest implements ClientPermissionsReq
      */
     public function permission(): string
     {
-        return 'file.delete';
+        return Permission::ACTION_FILE_DELETE;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php b/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php
@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Files;
 
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
@@ -16,7 +17,7 @@ class GetFileContentsRequest extends ClientApiRequest implements ClientPermissio
      */
     public function permission(): string
     {
-        return 'file.read';
+        return Permission::ACTION_FILE_READ;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Files/ListFilesRequest.php b/app/Http/Requests/Api/Client/Servers/Files/ListFilesRequest.php
@@ -2,7 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Files;
 
-use Pterodactyl\Models\Server;
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
 class ListFilesRequest extends ClientApiRequest
@@ -11,11 +11,11 @@ class ListFilesRequest extends ClientApiRequest
      * Check that the user making this request to the API is authorized to list all
      * of the files that exist for a given server.
      *
-     * @return bool
+     * @return string
      */
-    public function authorize(): bool
+    public function permission(): string
     {
-        return $this->user()->can('file.read', $this->getModel(Server::class));
+        return Permission::ACTION_FILE_READ;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Files/RenameFileRequest.php b/app/Http/Requests/Api/Client/Servers/Files/RenameFileRequest.php
@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Files;
 
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
@@ -15,7 +16,7 @@ class RenameFileRequest extends ClientApiRequest implements ClientPermissionsReq
      */
     public function permission(): string
     {
-        return 'file.update';
+        return Permission::ACTION_FILE_UPDATE;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Files/WriteFileContentRequest.php b/app/Http/Requests/Api/Client/Servers/Files/WriteFileContentRequest.php
@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Files;
 
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
@@ -16,7 +17,7 @@ class WriteFileContentRequest extends ClientApiRequest implements ClientPermissi
      */
     public function permission(): string
     {
-        return 'file.create';
+        return Permission::ACTION_FILE_CREATE;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Network/GetNetworkRequest.php b/app/Http/Requests/Api/Client/Servers/Network/GetNetworkRequest.php
@@ -2,7 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Network;
 
-use Pterodactyl\Models\Server;
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
 class GetNetworkRequest extends ClientApiRequest
@@ -11,10 +11,10 @@ class GetNetworkRequest extends ClientApiRequest
      * Check that the user has permission to view the allocations for
      * this server.
      *
-     * @return bool
+     * @return string
      */
-    public function authorize(): bool
+    public function permission(): string
     {
-        return $this->user()->can('allocation.read', $this->getModel(Server::class));
+        return Permission::ACTION_ALLOCATION_READ;
     }
 }
diff --git a/app/Http/Requests/Api/Client/Servers/SendCommandRequest.php b/app/Http/Requests/Api/Client/Servers/SendCommandRequest.php
@@ -2,18 +2,18 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers;
 
-use Pterodactyl\Models\Server;
+use Pterodactyl\Models\Permission;
 
 class SendCommandRequest extends GetServerRequest
 {
     /**
      * Determine if the API user has permission to perform this action.
      *
-     * @return bool
+     * @return string
      */
-    public function authorize(): bool
+    public function permission(): string
     {
-        return $this->user()->can('control.console', $this->getModel(Server::class));
+        return Permission::ACTION_CONTROL_CONSOLE;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php b/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php
@@ -2,19 +2,30 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers;
 
-use Pterodactyl\Models\Server;
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
 class SendPowerRequest extends ClientApiRequest
 {
     /**
      * Determine if the user has permission to send a power command to a server.
      *
-     * @return bool
+     * @return string
      */
-    public function authorize(): bool
+    public function permission(): string
     {
-        return $this->user()->can('control.' . $this->input('signal', ''), $this->getModel(Server::class));
+        switch ($this->input('signal')) {
+            case 'start':
+                return Permission::ACTION_CONTROL_START;
+            case 'stop':
+                return Permission::ACTION_CONTROL_STOP;
+            case 'restart':
+                return Permission::ACTION_CONTROL_RESTART;
+            case 'kill':
+                return Permission::ACTION_CONTROL_KILL;
+        }
+
+        return '__invalid';
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Settings/RenameServerRequest.php b/app/Http/Requests/Api/Client/Servers/Settings/RenameServerRequest.php
@@ -3,6 +3,7 @@
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Settings;
 
 use Pterodactyl\Models\Server;
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
@@ -17,7 +18,7 @@ class RenameServerRequest extends ClientApiRequest implements ClientPermissionsR
      */
     public function permission(): string
     {
-        return 'settings.rename';
+        return Permission::ACTION_SETTINGS_RENAME;
     }
 
     /**
diff --git a/app/Http/Requests/Api/Client/Servers/Subusers/GetSubuserRequest.php b/app/Http/Requests/Api/Client/Servers/Subusers/GetSubuserRequest.php
@@ -2,17 +2,18 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client\Servers\Subusers;
 
+use Pterodactyl\Models\Permission;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 
 class GetSubuserRequest extends ClientApiRequest
 {
     /**
      * Confirm that a user is able to view subusers for the specified server.
      *
-     * @return bool
+     * @return string
      */
-    public function authorize(): bool
+    public function permission(): string
     {
-        return $this->user()->can('user.read', $this->route()->parameter('server'));
+        return Permission::ACTION_USER_READ;
     }
 }
diff --git a/app/Models/Permission.php b/app/Models/Permission.php

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@`
`4`	`4`
`5`	`5`	`use Pterodactyl\Models\Server;`
`6`	`6`	`use Pterodactyl\Models\Database;`
	`7`	`+use Pterodactyl\Models\Permission;`
`7`	`8`	`use Pterodactyl\Contracts\Http\ClientPermissionsRequest;`
`8`	`9`	`use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;`
`9`	`10`
`@@ -14,7 +15,7 @@ class DeleteDatabaseRequest extends ClientApiRequest implements ClientPermission`
`14`	`15`	`*/`
`15`	`16`	`public function permission(): string`
`16`	`17`	`{`
`17`		`- return 'database.delete';`
	`18`	`+ return Permission::ACTION_DATABASE_DELETE;`
`18`	`19`	`}`
`19`	`20`
`20`	`21`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`
`3`	`3`	`namespace Pterodactyl\Http\Requests\Api\Client\Servers\Databases;`
`4`	`4`
	`5`	`+use Pterodactyl\Models\Permission;`
`5`	`6`	`use Pterodactyl\Contracts\Http\ClientPermissionsRequest;`
`6`	`7`	`use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;`
`7`	`8`
`@@ -12,6 +13,6 @@ class GetDatabasesRequest extends ClientApiRequest implements ClientPermissionsR`
`12`	`13`	`*/`
`13`	`14`	`public function permission(): string`
`14`	`15`	`{`
`15`		`- return 'database.read';`
	`16`	`+ return Permission::ACTION_DATABASE_READ;`
`16`	`17`	`}`
`17`	`18`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,18 +2,18 @@`
`2`	`2`
`3`	`3`	`namespace Pterodactyl\Http\Requests\Api\Client\Servers\Databases;`
`4`	`4`
`5`		`-use Pterodactyl\Models\Server;`
	`5`	`+use Pterodactyl\Models\Permission;`
`6`	`6`	`use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;`
`7`	`7`
`8`	`8`	`class RotatePasswordRequest extends ClientApiRequest`
`9`	`9`	`{`
`10`	`10`	`/**`
`11`	`11`	`* Check that the user has permission to rotate the password.`
`12`	`12`	`*`
`13`		`- * @return bool`
	`13`	`+ * @return string`
`14`	`14`	`*/`
`15`		`- public function authorize(): bool`
	`15`	`+ public function permission(): string`
`16`	`16`	`{`
`17`		`- return $this->user()->can('database.update', $this->getModel(Server::class));`
	`17`	`+ return Permission::ACTION_DATABASE_UPDATE;`
`18`	`18`	`}`
`19`	`19`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2,19 +2,19 @@`
`2`	`2`
`3`	`3`	`namespace Pterodactyl\Http\Requests\Api\Client\Servers\Files;`
`4`	`4`
`5`		`-use Pterodactyl\Models\Server;`
	`5`	`+use Pterodactyl\Models\Permission;`
`6`	`6`	`use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;`
`7`	`7`
`8`	`8`	`class CreateFolderRequest extends ClientApiRequest`
`9`	`9`	`{`
`10`	`10`	`/**`
`11`	`11`	`* Checks that the authenticated user is allowed to create files on the server.`
`12`	`12`	`*`
`13`		`- * @return bool`
	`13`	`+ * @return string`
`14`	`14`	`*/`
`15`		`- public function authorize(): bool`
	`15`	`+ public function permission(): string`
`16`	`16`	`{`
`17`		`- return $this->user()->can('file.create', $this->getModel(Server::class));`
	`17`	`+ return Permission::ACTION_FILE_CREATE;`
`18`	`18`	`}`
`19`	`19`
`20`	`20`	`/**`
Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`
`3`	`3`	`namespace Pterodactyl\Http\Requests\Api\Client\Servers\Files;`
`4`	`4`
`5`		`-use Pterodactyl\Models\Server;`
	`5`	`+use Pterodactyl\Models\Permission;`
`6`	`6`	`use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;`
`7`	`7`
`8`	`8`	`class ListFilesRequest extends ClientApiRequest`
`@@ -11,11 +11,11 @@ class ListFilesRequest extends ClientApiRequest`
`11`	`11`	`* Check that the user making this request to the API is authorized to list all`
`12`	`12`	`* of the files that exist for a given server.`
`13`	`13`	`*`
`14`		`- * @return bool`
	`14`	`+ * @return string`
`15`	`15`	`*/`
`16`		`- public function authorize(): bool`
	`16`	`+ public function permission(): string`
`17`	`17`	`{`
`18`		`- return $this->user()->can('file.read', $this->getModel(Server::class));`
	`18`	`+ return Permission::ACTION_FILE_READ;`
`19`	`19`	`}`
`20`	`20`
`21`	`21`	`/**`