Improved logic for handling permissions on API routes.

Still only partially implemented, however this method will allow the inclusion of data that is granted with servers (such as viewing more about the node, node location, allocations, etc) while still limiting someone from doing `?include=node.servers` and listing all servers when they don’t have list-servers as a permission.
2026-04-17 13:53:45 +02:00 · 2017-04-08 12:05:29 -04:00
parent db4df2bfa1
commit 4479d3bf19
16 changed files with 296 additions and 29 deletions
--- a/app/Policies/APIKeyPolicy.php
+++ b/app/Policies/APIKeyPolicy.php
@@ -42,7 +42,9 @@ class APIKeyPolicy
     */
    private function checkPermission(User $user, Key $key, $permission)
    {
-        $permissions = Cache::remember('APIKeyPolicy.' . $user->uuid . $key->public, Carbon::now()->addSeconds(5), function () use ($key) {
+        // We don't tag this cache key with the user uuid because the key is already unique,
+        // and multiple users are not defiend for a single key.
+        $permissions = Cache::remember('APIKeyPolicy.' . $key->public, Carbon::now()->addSeconds(5), function () use ($key) {
            return $key->permissions()->get()->transform(function ($item) {
                return $item->permission;
            })->values();