<?php
namespace Pterodactyl\Http\Middleware\Api\Client\Server;
use Illuminate\Http\Request;
use Pterodactyl\Models\Server;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Pterodactyl\Exceptions\Http\Server\ServerStateConflictException;
class AuthenticateServerAccess
{
    /**
     * Route names that a root admin may still reach while the server is in a
     * conflicting state (suspended, installing, transferring, node maintenance).
     */
    protected array $except = [
        'api:client:server.ws',
    ];

    /**
     * AuthenticateServerAccess constructor.
     */
    public function __construct()
    {
    }

    /**
     * Resolve the server bound to the route, confirm the requesting user is
     * related to it, and confirm the server is in a usable state before the
     * request continues down the pipeline.
     *
     * A server that does not exist and a server the user has no relationship
     * to both produce the same not-found response, and the access check runs
     * before the state check, so the server's state is only revealed to users
     * who may access it.
     *
     * @throws NotFoundHttpException when the route carries no Server, or the
     *   user is neither its owner, one of its subusers, nor a root admin
     * @throws ServerStateConflictException when validateCurrentState() fails
     *   and the route is not one of the informational exemptions
     */
    public function handle(Request $request, \Closure $next): mixed
    {
        /** @var \Pterodactyl\Models\User $user */
        $user = $request->user();
        $server = $request->route()->parameter('server');

        if (!$server instanceof Server) {
            throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
        }

        // Coarse relationship check only; controllers apply fine-grained
        // permissions on top of this.
        if (!$this->userMayAccess($user, $server)) {
            throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
        }

        try {
            $server->validateCurrentState();
        } catch (ServerStateConflictException $exception) {
            if ($this->stateConflictBlocksRequest($request, $user, $server)) {
                throw $exception;
            }
        }

        $request->attributes->set('server', $server);

        return $next($request);
    }

    /**
     * Whether the user is the server owner, a root admin, or a subuser.
     *
     * The subuser relation is only loaded when the cheaper owner/admin
     * checks do not already grant access.
     */
    private function userMayAccess(\Pterodactyl\Models\User $user, Server $server): bool
    {
        if ($user->root_admin || $user->id === $server->owner_id) {
            return true;
        }

        return $server->subusers->contains('user_id', $user->id);
    }

    /**
     * Decide whether a ServerStateConflictException raised for this server
     * should stop the current request.
     *
     * The server overview route is always allowed so users can still see a
     * server that is installing or being transferred. While suspended or on a
     * node under maintenance, only the resources route stays reachable. Any
     * other route is allowed only for a root admin on an exempted route name.
     */
    private function stateConflictBlocksRequest(Request $request, \Pterodactyl\Models\User $user, Server $server): bool
    {
        if ($request->routeIs('api:client:server.view')) {
            return false;
        }

        // isUnderMaintenance() is only consulted when the server itself is
        // not suspended, matching the short-circuit order callers rely on.
        $unavailable = $server->isSuspended() || $server->node->isUnderMaintenance();
        if ($unavailable && !$request->routeIs('api:client:server.resources')) {
            return true;
        }

        return !$user->root_admin || !$request->routeIs($this->except);
    }
}