Improved logic for handling permissions on API routes.

Still only partially implemented, however this method will allow the inclusion of data that is granted with servers (such as viewing more about the node, node location, allocations, etc) while still limiting someone from doing `?include=node.servers` and listing all servers when they don’t have list-servers as a permission.
2026-04-09 18:03:44 +02:00 · 2017-04-08 12:05:29 -04:00
parent db4df2bfa1
commit 4479d3bf19
16 changed files with 296 additions and 29 deletions
--- a/app/Http/Controllers/API/Admin/ServerController.php
+++ b/app/Http/Controllers/API/Admin/ServerController.php
@@ -45,7 +45,7 @@ class ServerController extends Controller

        return Fractal::create()
            ->collection($servers)
-            ->transformWith(new ServerTransformer)
+            ->transformWith(new ServerTransformer($request))
            ->paginateWith(new IlluminatePaginatorAdapter($servers))
            ->withResourceName('server')
            ->toArray();
@@ -62,20 +62,11 @@ class ServerController extends Controller
        $server = Server::findOrFail($id);
        $fractal = Fractal::create()->item($server);

-        // dd($request->user()->can('view-node', $request->apiKey()));
-
-        // Have the api key model return a list of includes that would be allowed
-        // given the permissions they have aleady been granted?
-        //
-        // If someone has 'view-node' they would then be able to use ->parseIncludes(['*.node.*']);
-        // How that logic will work is beyond me currently, but should keep things
-        // fairly clean?
-
        if ($request->input('include')) {
            $fractal->parseIncludes(explode(',', $request->input('include')));
        }

-        return $fractal->transformWith(new ServerTransformer)
+        return $fractal->transformWith(new ServerTransformer($request))
            ->withResourceName('server')
            ->toArray();
    }