MrUnknownDE/panel
1
0
Fork 0
mirror of https://github.com/MrUnknownDE/panel.git synced 2026-04-17 05:43:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

Push basis of new API key policy

Browse Source 
Will need to revisit this another day when I’m fresh to figure out the
best method to do this.
This commit is contained in:
Dane Everitt
2017-04-07 21:25:17 -04:00
parent 51204b8d9d
commit db4df2bfa1
6 changed files with 104 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/Http/Controllers/API/Admin/ServerController.php
View File

@@ -60,9 +60,17 @@ class ServerController extends Controller
public function view(Request $request, $id)
{
$server = Server::findOrFail($id);
$fractal = Fractal::create()->item($server);
// dd($request->user()->can('view-node', $request->apiKey()));
// Have the api key model return a list of includes that would be allowed
// given the permissions they have aleady been granted?
//
// If someone has 'view-node' they would then be able to use ->parseIncludes(['*.node.*']);
// How that logic will work is beyond me currently, but should keep things
// fairly clean?
if ($request->input('include')) {
$fractal->parseIncludes(explode(',', $request->input('include')));
}

18
app/Http/Middleware/HMACAuthorization.php
View File

@@ -92,6 +92,7 @@ class HMACAuthorization
$this->checkBearer();
$this->validateRequest();
$this->validateIPAccess();
$this->validateContents();
Auth::loginUsingId($this->key()->user_id);
@@ -137,23 +138,6 @@ class HMACAuthorization
if (! $this->key) {
throw new AccessDeniedHttpException('Unable to identify requester. Authorization token is invalid.');
}
if (empty($this->request()->route()->getName())) {
throw new \Exception('Attempting to access un-named route. This should not be possible.');
}
$this->validateIPAccess();
$query = APIPermission::where('key_id', $this->key()->id)
->where('permission', $this->request()->route()->getName());
if (starts_with($this->request()->route()->getName(), 'api.user')) {
$query->orWhere('permission', 'api.user.*');
}
if (! $query->first()) {
throw new AccessDeniedHttpException('You do not have permission to access this resource on the API.');
}
}
/**