First round of changes to API to support simpler permissions.

Author: DaneEveritt

app/Contracts/Repository/ApiKeyRepositoryInterface.php

@@ -18,6 +18,7 @@ interface ApiKeyRepositoryInterface extends RepositoryInterface
      *
      * @param \Pterodactyl\Models\APIKey $model
      * @param bool                       $refresh
+     * @deprecated
      * @return \Pterodactyl\Models\APIKey
      */
     public function loadPermissions(APIKey $model, bool $refresh = false): APIKey;

app/Http/Controllers/API/Admin/Users/UserController.php

@@ -15,6 +15,8 @@
 use Pterodactyl\Transformers\Api\Admin\UserTransformer;
 use League\Fractal\Pagination\IlluminatePaginatorAdapter;
 use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
+use Pterodactyl\Http\Requests\API\Admin\Users\GetUserRequest;
+use Pterodactyl\Http\Requests\API\Admin\Users\GetUsersRequest;
 
 class UserController extends Controller
 {
@@ -67,19 +69,19 @@ public function __construct(
     }
 
     /**
-     * Handle request to list all users on the panel. Returns a JSONAPI representation
+     * Handle request to list all users on the panel. Returns a JSON-API representation
      * of a collection of users including any defined relations passed in
      * the request.
      *
-     * @param \Illuminate\Http\Request $request
+     * @param \Pterodactyl\Http\Requests\API\Admin\Users\GetUsersRequest $request
      * @return array
      */
-    public function index(Request $request): array
+    public function index(GetUsersRequest $request): array
     {
         $users = $this->repository->paginated(100);
 
         return $this->fractal->collection($users)
-            ->transformWith(new UserTransformer($request))
+            ->transformWith((new UserTransformer)->setKey($request->key()))
             ->withResourceName('user')
             ->paginateWith(new IlluminatePaginatorAdapter($users))
             ->toArray();
@@ -89,14 +91,14 @@ public function index(Request $request): array
      * Handle a request to view a single user. Includes any relations that
      * were defined in the request.
      *
-     * @param \Illuminate\Http\Request $request
-     * @param \Pterodactyl\Models\User $user
+     * @param \Pterodactyl\Http\Requests\API\Admin\Users\GetUserRequest $request
+     * @param \Pterodactyl\Models\User                                  $user
      * @return array
      */
-    public function view(Request $request, User $user): array
+    public function view(GetUserRequest $request, User $user): array
     {
         return $this->fractal->item($user)
-            ->transformWith(new UserTransformer($request))
+            ->transformWith((new UserTransformer)->setKey($request->key()))
             ->withResourceName('user')
             ->toArray();
     }

app/Http/Kernel.php

@@ -25,7 +25,6 @@
 use Pterodactyl\Http\Middleware\Daemon\DaemonAuthenticate;
 use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
-use Pterodactyl\Http\Middleware\API\HasPermissionToResource;
 use Pterodactyl\Http\Middleware\Server\AuthenticateAsSubuser;
 use Pterodactyl\Http\Middleware\Server\SubuserBelongsToServer;
 use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
@@ -98,9 +97,6 @@ class Kernel extends HttpKernel
         'bindings' => SubstituteBindings::class,
         'recaptcha' => VerifyReCaptcha::class,
 
-        // API specific middleware.
-        'api..user_level' => HasPermissionToResource::class,
-
         // Server specific middleware (used for authenticating access to resources)
         //
         // These are only used for individual server authentication, and not gloabl

app/Http/Middleware/API/HasPermissionToResource.php

@@ -0,0 +1,98 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\API\Admin;
+
+use Pterodactyl\Models\APIKey;
+use Illuminate\Foundation\Http\FormRequest;
+use Pterodactyl\Exceptions\PterodactylException;
+use Pterodactyl\Services\Acl\Api\AdminAcl as Acl;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+
+abstract class ApiAdminRequest extends FormRequest
+{
+    /**
+     * The resource that should be checked when performing the authorization
+     * function for this request.
+     *
+     * @var string|null
+     */
+    protected $resource;
+
+    /**
+     * The permission level that a given API key should have for accessing
+     * the defined $resource during the request cycle.
+     *
+     * @var int
+     */
+    protected $permission = Acl::NONE;
+
+    /**
+     * Determine if the current user is authorized to perform
+     * the requested action aganist the API.
+     *
+     * @return bool
+     *
+     * @throws \Pterodactyl\Exceptions\PterodactylException
+     */
+    public function authorize(): bool
+    {
+        if (is_null($this->resource)) {
+            throw new PterodactylException('An ACL resource must be defined on API requests.');
+        }
+
+        return Acl::check($this->key(), $this->resource, $this->permission);
+    }
+
+    /**
+     * Determine if the requested resource exists on the server.
+     *
+     * @return bool
+     */
+    public function resourceExists(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Default set of rules to apply to API requests.
+     *
+     * @return array
+     */
+    public function rules(): array
+    {
+        return [];
+    }
+
+    /**
+     * Return the API key being used for the request.
+     *
+     * @return \Pterodactyl\Models\APIKey
+     */
+    public function key(): APIKey
+    {
+        return $this->attributes->get('api_key');
+    }
+
+    /**
+     * Determine if the request passes the authorization check as well
+     * as the exists check.
+     *
+     * @return bool
+     *
+     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
+     */
+    protected function passesAuthorization()
+    {
+        $passes = parent::passesAuthorization();
+
+        // Only let the user know that a resource does not exist if they are
+        // authenticated to access the endpoint. This avoids exposing that
+        // an item exists (or does not exist) to the user until they can prove
+        // that they have permission to know about it.
+        if ($passes && ! $this->resourceExists()) {
+            throw new NotFoundHttpException('The requested resource does not exist on this server.');
+        }
+
+        return $passes;
+    }
+}

app/Http/Requests/API/Admin/ApiAdminRequest.php

@@ -0,0 +1,32 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\API\Admin\Users;
+
+use Pterodactyl\Models\User;
+use Pterodactyl\Services\Acl\Api\AdminAcl;
+use Pterodactyl\Http\Requests\API\Admin\ApiAdminRequest;
+
+class GetUserRequest extends ApiAdminRequest
+{
+    /**
+     * @var string
+     */
+    protected $resource = AdminAcl::RESOURCE_USERS;
+
+    /**
+     * @var int
+     */
+    protected $permission = AdminAcl::READ;
+
+    /**
+     * Determine if the requested user exists on the Panel.
+     *
+     * @return bool
+     */
+    public function resourceExists(): bool
+    {
+        $user = $this->route()->parameter('user');
+
+        return $user instanceof  User && $user->exists;
+    }
+}

app/Http/Requests/API/Admin/Users/GetUserRequest.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\API\Admin\Users;
+
+use Pterodactyl\Services\Acl\Api\AdminAcl as Acl;
+use Pterodactyl\Http\Requests\API\Admin\ApiAdminRequest;
+
+class GetUsersRequest extends ApiAdminRequest
+{
+    /**
+     * @var string
+     */
+    protected $resource = Acl::RESOURCE_USERS;
+
+    /**
+     * @var int
+     */
+    protected $permission = Acl::READ;
+}

app/Http/Requests/API/Admin/Users/GetUsersRequest.php

@@ -2,9 +2,9 @@
 
 namespace Pterodactyl\Http\Requests\API\Remote;
 
-use Pterodactyl\Http\Requests\Request;
+use Illuminate\Foundation\Http\FormRequest;
 
-class SftpAuthenticationFormRequest extends Request
+class SftpAuthenticationFormRequest extends FormRequest
 {
     /**
      * Authenticate the request.

app/Http/Requests/API/Remote/SftpAuthenticationFormRequest.php

@@ -1,17 +1,11 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Models;
 
 use Sofa\Eloquence\Eloquence;
 use Sofa\Eloquence\Validable;
 use Illuminate\Database\Eloquent\Model;
+use Pterodactyl\Services\Acl\Api\AdminAcl;
 use Sofa\Eloquence\Contracts\CleansAttributes;
 use Sofa\Eloquence\Contracts\Validable as ValidableContract;
 
@@ -35,14 +29,29 @@ class APIKey extends Model implements CleansAttributes, ValidableContract
      */
     protected $casts = [
         'allowed_ips' => 'json',
+        'user_id' => 'int',
+        'r_' . AdminAcl::RESOURCE_USERS => 'int',
+        'r_' . AdminAcl::RESOURCE_ALLOCATIONS => 'int',
+        'r_' . AdminAcl::RESOURCE_DATABASES => 'int',
+        'r_' . AdminAcl::RESOURCE_EGGS => 'int',
+        'r_' . AdminAcl::RESOURCE_LOCATIONS => 'int',
+        'r_' . AdminAcl::RESOURCE_NESTS => 'int',
+        'r_' . AdminAcl::RESOURCE_NODES => 'int',
+        'r_' . AdminAcl::RESOURCE_PACKS => 'int',
+        'r_' . AdminAcl::RESOURCE_SERVERS => 'int',
     ];
 
     /**
-     * Fields that are not mass assignable.
+     * Fields that are mass assignable.
      *
      * @var array
      */
-    protected $guarded = ['id', 'created_at', 'updated_at'];
+    protected $fillable = [
+        'token',
+        'allowed_ips',
+        'memo',
+        'expires_at',
+    ];
 
     /**
      * Rules defining what fields must be passed when making a model.
@@ -66,6 +75,24 @@ class APIKey extends Model implements CleansAttributes, ValidableContract
         'memo' => 'nullable|string|max:500',
         'allowed_ips' => 'nullable|json',
         'expires_at' => 'nullable|datetime',
+        'r_' . AdminAcl::RESOURCE_USERS => 'integer|min:0|max:3',
+        'r_' . AdminAcl::RESOURCE_ALLOCATIONS => 'integer|min:0|max:3',
+        'r_' . AdminAcl::RESOURCE_DATABASES => 'integer|min:0|max:3',
+        'r_' . AdminAcl::RESOURCE_EGGS => 'integer|min:0|max:3',
+        'r_' . AdminAcl::RESOURCE_LOCATIONS => 'integer|min:0|max:3',
+        'r_' . AdminAcl::RESOURCE_NESTS => 'integer|min:0|max:3',
+        'r_' . AdminAcl::RESOURCE_NODES => 'integer|min:0|max:3',
+        'r_' . AdminAcl::RESOURCE_PACKS => 'integer|min:0|max:3',
+        'r_' . AdminAcl::RESOURCE_SERVERS => 'integer|min:0|max:3',
+    ];
+
+    /**
+     * @var array
+     */
+    protected $dates = [
+        self::CREATED_AT,
+        self::UPDATED_AT,
+        'expires_at',
     ];
 
     /**