Improved logic for handling permissions on API routes.

Still only partially implemented, however this method will allow the
inclusion of data that is granted with servers (such as viewing more
about the node, node location, allocations, etc) while still limiting
someone from doing `?include=node.servers` and listing all servers when
they don’t have list-servers as a permission.

Author: DaneEveritt

app/Http/Controllers/API/Admin/ServerController.php

@@ -45,7 +45,7 @@ public function index(Request $request)
 
         return Fractal::create()
             ->collection($servers)
-            ->transformWith(new ServerTransformer)
+            ->transformWith(new ServerTransformer($request))
             ->paginateWith(new IlluminatePaginatorAdapter($servers))
             ->withResourceName('server')
             ->toArray();
@@ -62,20 +62,11 @@ public function view(Request $request, $id)
         $server = Server::findOrFail($id);
         $fractal = Fractal::create()->item($server);
 
-        // dd($request->user()->can('view-node', $request->apiKey()));
-
-        // Have the api key model return a list of includes that would be allowed
-        // given the permissions they have aleady been granted?
-        //
-        // If someone has 'view-node' they would then be able to use ->parseIncludes(['*.node.*']);
-        // How that logic will work is beyond me currently, but should keep things
-        // fairly clean?
-
         if ($request->input('include')) {
             $fractal->parseIncludes(explode(',', $request->input('include')));
         }
 
-        return $fractal->transformWith(new ServerTransformer)
+        return $fractal->transformWith(new ServerTransformer($request))
             ->withResourceName('server')
             ->toArray();
     }

app/Models/APIKey.php

@@ -28,6 +28,13 @@
 
 class APIKey extends Model
 {
+    /**
+     * Public key defined length used in verification methods.
+     *
+     * @var int
+     */
+    const PUBLIC_KEY_LEN = 16;
+
     /**
      * The table associated with the model.
      *

app/Policies/APIKeyPolicy.php

@@ -42,7 +42,9 @@ class APIKeyPolicy
      */
     private function checkPermission(User $user, Key $key, $permission)
     {
-        $permissions = Cache::remember('APIKeyPolicy.' . $user->uuid . $key->public, Carbon::now()->addSeconds(5), function () use ($key) {
+        // We don't tag this cache key with the user uuid because the key is already unique,
+        // and multiple users are not defiend for a single key.
+        $permissions = Cache::remember('APIKeyPolicy.' . $key->public, Carbon::now()->addSeconds(5), function () use ($key) {
             return $key->permissions()->get()->transform(function ($item) {
                 return $item->permission;
             })->values();

app/Providers/MacroServiceProvider.php

@@ -25,7 +25,10 @@
 namespace Pterodactyl\Providers;
 
 use File;
+use Cache;
+use Carbon;
 use Request;
+use Pterodactyl\Models\APIKey;
 use Illuminate\Support\ServiceProvider;
 
 class MacroServiceProvider extends ServiceProvider
@@ -57,11 +60,27 @@ public function boot()
 
             $parts = explode('.', Request::bearerToken());
 
-            if (count($parts) === 2) {
-                return \Pterodactyl\Models\APIKey::where('public', $parts[0])->first();
+            if (count($parts) === 2 && strlen($parts[0]) === APIKey::PUBLIC_KEY_LEN) {
+                // Because the key itself isn't changing frequently, we simply cache this for
+                // 15 minutes to speed up the API and keep requests flowing.
+                return Cache::tags([
+                    'ApiKeyMacro',
+                    'ApiKeyMacro:Key:' . $parts[0],
+                ])->remember('ApiKeyMacro.' . $parts[0], Carbon::now()->addMinutes(15), function() use ($parts) {
+                    return APIKey::where('public', $parts[0])->first();
+                });
             }
 
             return false;
         });
+
+        Request::macro('apiKeyHasPermission', function($permission) {
+            $key = Request::apiKey();
+            if (! $key) {
+                return false;
+            }
+
+            return Request::user()->can($permission, $key);
+        });
     }
 }

app/Transformers/Admin/AllocationTransformer.php

@@ -24,6 +24,7 @@
 
 namespace Pterodactyl\Transformers\Admin;
 
+use Illuminate\Http\Request;
 use Pterodactyl\Models\Allocation;
 use League\Fractal\TransformerAbstract;
 
@@ -37,13 +38,26 @@ class AllocationTransformer extends TransformerAbstract
     protected $filter;
 
     /**
-     * Transformer constructor.
+     * The Illuminate Request object if provided.
      *
-     * @param  bool|string  $filter
+     * @var \Illuminate\Http\Request|bool
+     */
+    protected $request;
+
+    /**
+     * Setup request object for transformer.
+     *
+     * @param  \Illuminate\Http\Request|bool  $request
+     * @param  bool                           $filter
      * @return void
      */
-    public function __construct($filter = false)
+    public function __construct($request = false, $filter = false)
     {
+        if (! $request instanceof Request && $request !== false) {
+            throw new DisplayException('Request passed to constructor must be of type Request or false.');
+        }
+
+        $this->request = $request;
         $this->filter = $filter;
     }
 

app/Transformers/Admin/LocationTransformer.php

@@ -24,6 +24,7 @@
 
 namespace Pterodactyl\Transformers\Admin;
 
+use Illuminate\Http\Request;
 use Pterodactyl\Models\Location;
 use League\Fractal\TransformerAbstract;
 
@@ -39,6 +40,28 @@ class LocationTransformer extends TransformerAbstract
         'servers',
     ];
 
+    /**
+     * The Illuminate Request object if provided.
+     *
+     * @var \Illuminate\Http\Request|bool
+     */
+    protected $request;
+
+    /**
+     * Setup request object for transformer.
+     *
+     * @param  \Illuminate\Http\Request|bool  $request
+     * @return void
+     */
+    public function __construct($request = false)
+    {
+        if (! $request instanceof Request && $request !== false) {
+            throw new DisplayException('Request passed to constructor must be of type Request or false.');
+        }
+
+        $this->request = $request;
+    }
+
     /**
      * Return a generic transformed pack array.
      *

app/Transformers/Admin/NodeTransformer.php

@@ -24,6 +24,7 @@
 
 namespace Pterodactyl\Transformers\Admin;
 
+use Illuminate\Http\Request;
 use Pterodactyl\Models\Node;
 use League\Fractal\TransformerAbstract;
 
@@ -40,6 +41,28 @@ class NodeTransformer extends TransformerAbstract
         'servers',
     ];
 
+    /**
+     * The Illuminate Request object if provided.
+     *
+     * @var \Illuminate\Http\Request|bool
+     */
+    protected $request;
+
+    /**
+     * Setup request object for transformer.
+     *
+     * @param  \Illuminate\Http\Request|bool  $request
+     * @return void
+     */
+    public function __construct($request = false)
+    {
+        if (! $request instanceof Request && $request !== false) {
+            throw new DisplayException('Request passed to constructor must be of type Request or false.');
+        }
+
+        $this->request = $request;
+    }
+
     /**
      * Return a generic transformed pack array.
      *
@@ -77,6 +100,10 @@ public function includeLocation(Node $node)
      */
     public function includeServers(Node $node)
     {
+        if ($this->request && ! $this->request->apiKeyHasPermission('list-servers')) {
+            return;
+        }
+
         return $this->collection($node->servers, new ServerTransformer, 'server');
     }
 }

app/Transformers/Admin/OptionTransformer.php

@@ -24,6 +24,7 @@
 
 namespace Pterodactyl\Transformers\Admin;
 
+use Illuminate\Http\Request;
 use Pterodactyl\Models\ServiceOption;
 use League\Fractal\TransformerAbstract;
 
@@ -41,6 +42,28 @@ class OptionTransformer extends TransformerAbstract
         'variables',
     ];
 
+    /**
+     * The Illuminate Request object if provided.
+     *
+     * @var \Illuminate\Http\Request|bool
+     */
+    protected $request;
+
+    /**
+     * Setup request object for transformer.
+     *
+     * @param  \Illuminate\Http\Request|bool  $request
+     * @return void
+     */
+    public function __construct($request = false)
+    {
+        if (! $request instanceof Request && $request !== false) {
+            throw new DisplayException('Request passed to constructor must be of type Request or false.');
+        }
+
+        $this->request = $request;
+    }
+
     /**
      * Return a generic transformed service option array.
      *

app/Transformers/Admin/PackTransformer.php

@@ -24,6 +24,7 @@
 
 namespace Pterodactyl\Transformers\Admin;
 
+use Illuminate\Http\Request;
 use Pterodactyl\Models\Pack;
 use League\Fractal\TransformerAbstract;
 
@@ -39,6 +40,28 @@ class PackTransformer extends TransformerAbstract
         'servers',
     ];
 
+    /**
+     * The Illuminate Request object if provided.
+     *
+     * @var \Illuminate\Http\Request|bool
+     */
+    protected $request;
+
+    /**
+     * Setup request object for transformer.
+     *
+     * @param  \Illuminate\Http\Request|bool  $request
+     * @return void
+     */
+    public function __construct($request = false)
+    {
+        if (! $request instanceof Request && $request !== false) {
+            throw new DisplayException('Request passed to constructor must be of type Request or false.');
+        }
+
+        $this->request = $request;
+    }
+
     /**
      * Return a generic transformed pack array.
      *