From 463f465deac75691bac6440576949c79ea7112a8 Mon Sep 17 00:00:00 2001
From: Dane Everitt <dane@daneeveritt.com>
Date: Sat, 8 Apr 2017 12:07:17 -0400
Subject: [PATCH] Block viewing node allocations and location unless user has
 permission

Blocks viewing the allocation list and location for a node unless a
user has permission to view the node in the first place.
---
 app/Transformers/Admin/NodeTransformer.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/app/Transformers/Admin/NodeTransformer.php b/app/Transformers/Admin/NodeTransformer.php
index cc42719a9..7f93410c8 100644
--- a/app/Transformers/Admin/NodeTransformer.php
+++ b/app/Transformers/Admin/NodeTransformer.php
@@ -80,6 +80,10 @@ class NodeTransformer extends TransformerAbstract
      */
     public function includeAllocations(Node $node)
     {
+        if ($this->request && ! $this->request->apiKeyHasPermission('view-node')) {
+            return;
+        }
+
         return $this->collection($node->allocations, new AllocationTransformer, 'allocation');
     }
 
@@ -90,6 +94,10 @@ class NodeTransformer extends TransformerAbstract
      */
     public function includeLocation(Node $node)
     {
+        if ($this->request && ! $this->request->apiKeyHasPermission('view-node')) {
+            return;
+        }
+
         return $this->item($node->location, new LocationTransformer, 'location');
     }