Skip to content

Commit c20d53b

Browse files
committed
Always return the primary allocation for a server, even without the allocation permissions
1 parent f99ac0e commit c20d53b

File tree

3 files changed

+43
-7
lines changed

3 files changed

+43
-7
lines changed

app/Models/Permission.php

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -163,7 +163,7 @@ class Permission extends Model
163163
'allocation' => [
164164
'description' => 'Permissions that control a user\'s ability to modify the port allocations for this server.',
165165
'keys' => [
166-
'read' => 'Allows a user to view the allocations assigned to this server.',
166+
'read' => 'Allows a user to view all allocations currently assigned to this server. Users with any level of access to this server can always view the primary allocation.',
167167
'create' => 'Allows a user to assign additional allocations to the server.',
168168
'update' => 'Allows a user to change the primary server allocation and attach notes to each allocation.',
169169
'delete' => 'Allows a user to delete an allocation from the server.',

app/Transformers/Api/Client/ServerTransformer.php

Lines changed: 14 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -83,15 +83,23 @@ public function transform(Server $server): array
8383
*/
8484
public function includeAllocations(Server $server)
8585
{
86+
$transformer = $this->makeTransformer(AllocationTransformer::class);
87+
88+
// While we include this permission, we do need to actually handle it slightly different here
89+
// for the purpose of keeping things functionally working. If the user doesn't have read permissions
90+
// for the allocations we'll only return the primary server allocation, and any notes associated
91+
// with it will be hidden.
92+
//
93+
// This allows us to avoid too much permission regression, without also hiding information that
94+
// is generally needed for the frontend to make sense when browsing or searching results.
8695
if (! $this->getUser()->can(Permission::ACTION_ALLOCATION_READ, $server)) {
87-
return $this->null();
96+
$primary = clone $server->allocation;
97+
$primary->notes = null;
98+
99+
return $this->collection([$primary], $transformer, Allocation::RESOURCE_NAME);
88100
}
89101

90-
return $this->collection(
91-
$server->allocations,
92-
$this->makeTransformer(AllocationTransformer::class),
93-
Allocation::RESOURCE_NAME
94-
);
102+
return $this->collection($server->allocations, $transformer, Allocation::RESOURCE_NAME);
95103
}
96104

97105
/**

tests/Integration/Api/Client/ClientControllerTest.php

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -304,6 +304,34 @@ public function testNoServersAreReturnedIfAdminFilterIsPassedByRegularUser($type
304304
$response->assertJsonCount(0, 'data');
305305
}
306306

307+
/**
308+
* Test that a subuser without the allocation.read permission is only able to see the primary
309+
* allocation for the server.
310+
*/
311+
public function testOnlyPrimaryAllocationIsReturnedToSubuser()
312+
{
313+
/** @var \Pterodactyl\Models\Server $server */
314+
[$user, $server] = $this->generateTestAccount([Permission::ACTION_WEBSOCKET_CONNECT]);
315+
$server->allocation->notes = 'Test notes';
316+
$server->allocation->save();
317+
318+
factory(Allocation::class)->times(2)->create([
319+
'node_id' => $server->node_id,
320+
'server_id' => $server->id,
321+
]);
322+
323+
$server->refresh();
324+
$response = $this->actingAs($user)->getJson('/api/client');
325+
326+
$response->assertOk();
327+
$response->assertJsonCount(1, 'data');
328+
$response->assertJsonPath('data.0.attributes.server_owner', false);
329+
$response->assertJsonPath('data.0.attributes.uuid', $server->uuid);
330+
$response->assertJsonCount(1, 'data.0.attributes.relationships.allocations.data');
331+
$response->assertJsonPath('data.0.attributes.relationships.allocations.data.0.attributes.id', $server->allocation->id);
332+
$response->assertJsonPath('data.0.attributes.relationships.allocations.data.0.attributes.notes', null);
333+
}
334+
307335
/**
308336
* @return array
309337
*/

0 commit comments

Comments
 (0)