Require specific permission for reading the actual contents of a file; ref #2288

2020-08-31 19:36:30 -07:00 · 2020-08-31 19:36:30 -07:00 · 981edb0d64
parent d87438621f
commit 981edb0d64
4 changed files with 7 additions and 53 deletions
--- a/app/Http/Controllers/Api/Remote/FileDownloadController.php
+++ b/app/Http/Controllers/Api/Remote/FileDownloadController.php
@ -1,50 +0,0 @@
-<?php
-
-namespace Pterodactyl\Http\Controllers\Api\Remote;
-
-use Illuminate\Http\Request;
-use Illuminate\Http\JsonResponse;
-use Pterodactyl\Http\Controllers\Controller;
-use Illuminate\Contracts\Cache\Repository as CacheRepository;
-use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
-
-class FileDownloadController extends Controller
-{
-    /**
-     * @var \Illuminate\Contracts\Cache\Repository
-     */
-    private $cache;
-
-    /**
-     * FileDownloadController constructor.
-     *
-     * @param \Illuminate\Contracts\Cache\Repository $cache
-     */
-    public function __construct(CacheRepository $cache)
-    {
-        $this->cache = $cache;
-    }
-
-    /**
-     * Handle a request to authenticate a download using a token and return
-     * the path of the file to the daemon.
-     *
-     * @param \Illuminate\Http\Request $request
-     * @return \Illuminate\Http\JsonResponse
-     *
-     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
-     */
-    public function index(Request $request): JsonResponse
-    {
-        $download = $this->cache->pull('Server:Downloads:' . $request->input('token', ''));
-
-        if (is_null($download)) {
-            throw new NotFoundHttpException('No file was found using the token provided.');
-        }
-
-        return response()->json([
-            'path' => array_get($download, 'path'),
-            'server' => array_get($download, 'server'),
-        ]);
-    }
-}
--- a/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php
+++ b/app/Http/Requests/Api/Client/Servers/Files/GetFileContentsRequest.php
@ -17,7 +17,7 @@ class GetFileContentsRequest extends ClientApiRequest implements ClientPermissio
     */
    public function permission(): string
    {
-        return Permission::ACTION_FILE_READ;
+        return Permission::ACTION_FILE_READ_CONTENT;
    }

    /**
--- a/app/Models/Permission.php
+++ b/app/Models/Permission.php
@ -49,6 +49,7 @@ class Permission extends Model
    const ACTION_ALLOCATION_DELETE = 'allocation.delete';

    const ACTION_FILE_READ = 'file.read';
+    const ACTION_FILE_READ_CONTENT = 'file.read-content';
    const ACTION_FILE_CREATE = 'file.create';
    const ACTION_FILE_UPDATE = 'file.update';
    const ACTION_FILE_DELETE = 'file.delete';
@ -138,7 +139,8 @@ class Permission extends Model
            'description' => 'Permissions that control a user\'s ability to modify the filesystem for this server.',
            'keys' => [
                'create' => 'Allows a user to create additional files and folders via the Panel or direct upload.',
-                'read' => 'Allows a user to view the contents of a directory and read the contents of a file. Users with this permission can also download files.',
+                'read' => 'Allows a user to view the contents of a directory, but not view the contents of or download files.',
+                'read-content' => 'Allows a user to view the contents of a given file. This will also allow the user to download files.',
                'update' => 'Allows a user to update the contents of an existing file or directory.',
                'delete' => 'Allows a user to delete files or directories.',
                'archive' => 'Allows a user to archive the contents of a directory as well as decompress existing archives on the system.',
--- a/resources/scripts/components/server/files/FileObjectRow.tsx
+++ b/resources/scripts/components/server/files/FileObjectRow.tsx
@ -11,12 +11,14 @@ import tw from 'twin.macro';
 import isEqual from 'react-fast-compare';
 import styled from 'styled-components/macro';
 import SelectFileCheckbox from '@/components/server/files/SelectFileCheckbox';
+import { usePermissions } from '@/plugins/usePermissions';

 const Row = styled.div`
    ${tw`flex bg-neutral-700 rounded-sm mb-px text-sm hover:text-neutral-100 cursor-pointer items-center no-underline hover:bg-neutral-600`};
 `;

 const Clickable: React.FC<{ file: FileObject }> = memo(({ file, children }) => {
+    const [ canReadContents ] = usePermissions([ 'file.read-content' ]);
    const directory = ServerContext.useStoreState(state => state.files.directory);

    const history = useHistory();
@ -35,7 +37,7 @@ const Clickable: React.FC<{ file: FileObject }> = memo(({ file, children }) => {
    };

    return (
-        file.isFile && !file.isEditable() ?
+        (!canReadContents || (file.isFile && !file.isEditable())) ?
            <div css={tw`flex flex-1 text-neutral-300 no-underline p-3 cursor-default`}>
                {children}
            </div>