sonot
/
PteroTheme
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Authenticate that the request is coming from someone that should even know about the server

This commit is contained in:
Dane Everitt 2020-03-28 16:23:18 -07:00
parent 5717a705a8
commit 1f92a7de33
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/Http/Middleware/Api/Client/Server/AuthenticateServerAccess.php
View File

@ -42,6 +42,16 @@ class AuthenticateServerAccess
throw new NotFoundHttpException(trans('exceptions.api.resource_not_found')); throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
} }
// At the very least, ensure that the user trying to make this request is the
// server owner, a subuser, or a root admin. We'll leave it up to the controllers
// to authenticate more detailed permissions if needed.
if ($request->user()->id !== $server->owner_id && ! $request->user()->root_admin) {
// Check for subuser status.
if (! $server->subusers->contains('user_id', $request->user()->id)) {
throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
}
}
if ($server->suspended) { if ($server->suspended) {
throw new AccessDeniedHttpException('Cannot access a server that is marked as being suspended.'); throw new AccessDeniedHttpException('Cannot access a server that is marked as being suspended.');
} }