Require specific permission for reading the actual contents of a file; ref pterodactyl#2288

DaneEveritt · DaneEveritt · commit 981edb0d640e · 2020-08-31T19:36:30.000-07:00
diff --git a/app/Http/Controllers/Api/Remote/FileDownloadController.php b/app/Http/Controllers/Api/Remote/FileDownloadController.php
diff --git a/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php b/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php
@@ -17,7 +17,7 @@ class GetFileContentsRequest extends ClientApiRequest implements ClientPermissio
      */
     public function permission(): string
     {
-        return Permission::ACTION_FILE_READ;
+        return Permission::ACTION_FILE_READ_CONTENT;
     }
 
     /**
diff --git a/app/Models/Permission.php b/app/Models/Permission.php
@@ -49,6 +49,7 @@ class Permission extends Model
     const ACTION_ALLOCATION_DELETE = 'allocation.delete';
 
     const ACTION_FILE_READ = 'file.read';
+    const ACTION_FILE_READ_CONTENT = 'file.read-content';
     const ACTION_FILE_CREATE = 'file.create';
     const ACTION_FILE_UPDATE = 'file.update';
     const ACTION_FILE_DELETE = 'file.delete';
@@ -138,7 +139,8 @@ class Permission extends Model
             'description' => 'Permissions that control a user\'s ability to modify the filesystem for this server.',
             'keys' => [
                 'create' => 'Allows a user to create additional files and folders via the Panel or direct upload.',
-                'read' => 'Allows a user to view the contents of a directory and read the contents of a file. Users with this permission can also download files.',
+                'read' => 'Allows a user to view the contents of a directory, but not view the contents of or download files.',
+                'read-content' => 'Allows a user to view the contents of a given file. This will also allow the user to download files.',
                 'update' => 'Allows a user to update the contents of an existing file or directory.',
                 'delete' => 'Allows a user to delete files or directories.',
                 'archive' => 'Allows a user to archive the contents of a directory as well as decompress existing archives on the system.',
diff --git a/resources/scripts/components/server/files/FileObjectRow.tsx b/resources/scripts/components/server/files/FileObjectRow.tsx
@@ -11,12 +11,14 @@ import tw from 'twin.macro';
 import isEqual from 'react-fast-compare';
 import styled from 'styled-components/macro';
 import SelectFileCheckbox from '@/components/server/files/SelectFileCheckbox';
+import { usePermissions } from '@/plugins/usePermissions';
 
 const Row = styled.div`
     ${tw`flex bg-neutral-700 rounded-sm mb-px text-sm hover:text-neutral-100 cursor-pointer items-center no-underline hover:bg-neutral-600`};
 `;
 
 const Clickable: React.FC<{ file: FileObject }> = memo(({ file, children }) => {
+    const [ canReadContents ] = usePermissions([ 'file.read-content' ]);
     const directory = ServerContext.useStoreState(state => state.files.directory);
 
     const history = useHistory();
@@ -35,7 +37,7 @@ const Clickable: React.FC<{ file: FileObject }> = memo(({ file, children }) => {
     };
 
     return (
-        file.isFile && !file.isEditable() ?
+        (!canReadContents || (file.isFile && !file.isEditable())) ?
             <div css={tw`flex flex-1 text-neutral-300 no-underline p-3 cursor-default`}>
                 {children}
             </div>

Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@ class GetFileContentsRequest extends ClientApiRequest implements ClientPermissio`
`17`	`17`	`*/`
`18`	`18`	`public function permission(): string`
`19`	`19`	`{`
`20`		`- return Permission::ACTION_FILE_READ;`
	`20`	`+ return Permission::ACTION_FILE_READ_CONTENT;`
`21`	`21`	`}`
`22`	`22`
`23`	`23`	`/**`