GitHub Repository: pterodactyl/panel
Path: blob/1.0-develop/app/Http/Requests/Api/Client/Servers/Subusers/SubuserRequest.php
<?php
namespace Pterodactyl\Http\Requests\Api\Client\Servers\Subusers;
use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Pterodactyl\Models\Subuser;
use Pterodactyl\Exceptions\Http\HttpForbiddenException;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
use Pterodactyl\Services\Servers\GetUserPermissionsService;
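abstract class SubuserRequest extends ClientApiRequest
{
    protected ?Subuser $model;

    /**
     * Authorize the request and ensure that a user is not trying to modify themselves.
     *
     * For POST requests carrying a `permissions` field this additionally verifies that
     * the requesting user actually holds every permission they are attempting to hand out.
     *
     * @throws \Illuminate\Contracts\Container\BindingResolutionException
     * @throws HttpForbiddenException when the requester tries to assign a permission they do not hold
     */
    public function authorize(): bool
    {
        if (!parent::authorize()) {
            return false;
        }

        $user = $this->route()->parameter('user');
        // Don't allow a user to edit themselves on the server.
        if ($user instanceof User && $user->uuid === $this->user()->uuid) {
            return false;
        }

        // If this is a POST request, validate that the user can even assign the permissions they
        // have selected to assign. NOTE(review): only POST is gated here; confirm that update
        // (PUT/PATCH) requests re-check assignable permissions elsewhere.
        if ($this->method() === Request::METHOD_POST && $this->has('permissions')) {
            $permissions = $this->input('permissions') ?? [];
            // Authorization runs before the validation rules, so a scalar `permissions` value
            // would otherwise hit the array type declaration below and surface as a TypeError
            // (HTTP 500) instead of a clean rejection. Wrap it so it is checked, and refused,
            // like any other entry rather than being silently ignored.
            if (!is_array($permissions)) {
                $permissions = [$permissions];
            }

            $this->validatePermissionsCanBeAssigned($permissions);
        }

        return true;
    }

    /**
     * Validates that the permissions we are trying to assign can actually be assigned
     * by the user making the request.
     *
     * Root admins and the server owner are exempt. Everyone else may only assign a
     * permission that they themselves hold on this server: every entry must be a string
     * that appears in the requester's own permission set exactly; non-string entries are
     * refused rather than coerced.
     *
     * @param array $permissions the permission keys the request is attempting to assign
     *
     * @throws \Illuminate\Contracts\Container\BindingResolutionException
     * @throws HttpForbiddenException if any requested permission is not held by the requester
     */
    protected function validatePermissionsCanBeAssigned(array $permissions)
    {
        $user = $this->user();
        /** @var \Pterodactyl\Models\Server $server */
        $server = $this->route()->parameter('server');

        // If we are a root admin or the server owner, no need to perform these checks.
        if ($user->root_admin || $user->id === $server->owner_id) {
            return;
        }

        // Otherwise, get the current subuser's permission set, and ensure that the
        // permissions they are trying to assign are not _more_ than the ones they
        // already have.
        $service = $this->container->make(GetUserPermissionsService::class);
        $assignable = $service->handle($server, $user);

        foreach ($permissions as $permission) {
            // Strict, per-entry comparison: array_diff() stringifies entries (emitting a notice
            // on nested arrays) and compares loosely; a non-string entry fails closed here.
            if (!is_string($permission) || !in_array($permission, $assignable, true)) {
                throw new HttpForbiddenException('Cannot assign permissions to a subuser that your account does not actively possess.');
            }
        }
    }
}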