From e55d3c1a9a0d1e8a8cafc07a1d32244fac3b089b Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sat, 10 Mar 2018 14:26:00 -0600
Subject: [PATCH] Add check on SFTP page to make sure the permission is assigned before showing
---
 CHANGELOG.md | 1 +
 app/Http/Controllers/Server/Settings/SftpController.php | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 77cad6222..e6e4e33d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * Debug bar is only checked when the app is set to debug mode in the API session handler, rather than when it is in local mode to match the plugin settings.
 * Added validation to port allocations to prevent allocation of restricted or invalid ports.
 * Fix data integrity exception thrown when attempting to store updated server egg variables.
+* Added missing permissions check on 'SFTP Configuration' page to ensure user has permission to access a server's SFTP server before showing a user credentials.
 ### Changed
 * Panel now throws proper 504: Gateway Timeout errors on server listing when daemon is offline.
diff --git a/app/Http/Controllers/Server/Settings/SftpController.php b/app/Http/Controllers/Server/Settings/SftpController.php
index b128ba5c9..58b110bd3 100644
--- a/app/Http/Controllers/Server/Settings/SftpController.php
+++ b/app/Http/Controllers/Server/Settings/SftpController.php
@@ -16,9 +16,12 @@ class SftpController extends Controller
 *
 * @param \Illuminate\Http\Request $request
 * @return \Illuminate\View\View
+ *
+ * @throws \Illuminate\Auth\Access\AuthorizationException
 */
 public function index(Request $request): View
 {
+ $this->authorize('access-sftp', $request->attributes->get('server'));
 $this->setRequest($request)->injectJavascript();
 return view('server.settings.sftp');
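Review bot: The added `$this->authorize('access-sftp', $request->attributes->get('server'));` in `index()` ships without a test (the diffstat lists only CHANGELOG.md and the controller), so a later refactor could drop the check unnoticed; a feature test that requests this page as a user lacking `access-sftp` and expects a 403 would pin it. The check also depends on the `server` request attribute being populated upstream, which this hunk does not show; a comment such as `// 'server' must already be set on the request so the policy is evaluated against the model, not null` would record that dependency. The call gates only the page that displays the credentials, so it is worth confirming that the SFTP login path itself enforces the same permission. The docblock of `index()` begins above the hunk and the method's closing brace falls after it.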