app/Http/Middleware/Api/Client/Server/AuthenticateServerAccess.php

<?php

namespace App\Http\Middleware\Api\Client\Server;

use Illuminate\Http\Request;
use App\Models\Server;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use App\Exceptions\Http\Server\ServerStateConflictException;

class AuthenticateServerAccess
{
    /**
     * Routes that this middleware should not apply to if the user is an admin.
     *
     * @var string[]
     */
    protected array $except = [
        'api:client:server.ws',
    ];

    /**
     * AuthenticateServerAccess constructor.
     */
    public function __construct() {}

    /**
     * Authenticate that this server exists and is not suspended or marked as installing.
     */
    public function handle(Request $request, \Closure $next): mixed
    {
        /** @var \App\Models\User $user */
        $user = $request->user();
        $server = $request->route()->parameter('server');

        if (!$server instanceof Server) {
            throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
        }

        // At the very least, ensure that the user trying to make this request is the
        // server owner, a subuser, or an admin. We'll leave it up to the controllers
        // to authenticate more detailed permissions if needed.
        if ($user->id !== $server->owner_id && $user->cannot('update server', $server)) {
            // Check for subuser status.
            if (!$server->subusers->contains('user_id', $user->id)) {
                throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
            }
        }

        try {
            $server->validateCurrentState();
        } catch (ServerStateConflictException $exception) {
            // Still allow users to get information about their server if it is installing or
            // being transferred.
            if (!$request->routeIs('api:client:server.view')) {
                if (($server->isSuspended() || $server->node->isUnderMaintenance()) && !$request->routeIs('api:client:server.resources')) {
                    throw $exception;
                }
                if ($user->cannot('update server', $server) || !$request->routeIs($this->except)) {
                    throw $exception;
                }
            }
        }

        $request->attributes->set('server', $server);

        return $next($request);
    }
}
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`<?php`

Switch namespace back to App 2024-03-12 22:39:16 -04:00			`namespace App\Http\Middleware\Api\Client\Server;`
More logic for deleting databases 2018-08-25 15:07:42 -07:00
			`use Illuminate\Http\Request;`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Models\Server;`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Exceptions\Http\Server\ServerStateConflictException;`
More logic for deleting databases 2018-08-25 15:07:42 -07:00
			`class AuthenticateServerAccess`
			`{`
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00			`/**`
			`* Routes that this middleware should not apply to if the user is an admin.`
PHPstan updates (#1047) * Not found property rule * Make these “better” * Day 1 * Day 2 * Day 3 * Dat 4 * Remove disabled check * Day 4 continued * Run pint * Final changes hopefully * Pint fixes * Fix again * Reset these * Update app/Filament/Admin/Pages/Health.php Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com> * Update app/Traits/CheckMigrationsTrait.php Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com> --------- Co-authored-by: MartinOscar <40749467+rmartinoscar@users.noreply.github.com> 2025-03-03 14:41:19 -05:00			`*`
			`* @var string[]`
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00			`*/`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`protected array $except = [`
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00			`'api:client:server.ws',`
			`];`

More logic for deleting databases 2018-08-25 15:07:42 -07:00			`/**`
			`* AuthenticateServerAccess constructor.`
			`*/`
Update all dependencies (#712) * update composer.lock * run pint * fix phpstan * update migrations (sqlite `dropForeign`) * fix migrations * Reset these back for now * Alphabetize the rules * run `php artisan filament:upgrade` --------- Co-authored-by: Lance Pioch <git@lance.sh> 2024-11-22 09:27:57 +01:00			`public function __construct() {}`
More logic for deleting databases 2018-08-25 15:07:42 -07:00
			`/**`
			`* Authenticate that this server exists and is not suspended or marked as installing.`
			`*/`
Laravel 10 (#4706) 2023-02-23 12:30:16 -07:00			`public function handle(Request $request, \Closure $next): mixed`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`{`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`/** @var \App\Models\User $user */`
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00			`$user = $request->user();`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`$server = $request->route()->parameter('server');`

Use more standardized phpcs 2021-01-23 12:33:34 -08:00			`if (!$server instanceof Server) {`
Update logic that handles creation of folders for a server 2019-05-01 21:45:39 -07:00			`throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`}`

Authenticate that the request is coming from someone that should even know about the server 2020-03-28 16:23:18 -07:00			`// At the very least, ensure that the user trying to make this request is the`
Fix server access for admins without subuser (#919) * fix server access for admins without subuser * add permission checks to power buttons * add permission check for console command sending * fix tests * fix websocket token permissions * fix sftp access * fix server api + small cleanup * it's "update", not "edit"... * fix tests * fix permission const for "activity read" * fix activity subuser permission 2025-01-17 23:04:22 +01:00			`// server owner, a subuser, or an admin. We'll leave it up to the controllers`
Authenticate that the request is coming from someone that should even know about the server 2020-03-28 16:23:18 -07:00			`// to authenticate more detailed permissions if needed.`
Fix server access for admins without subuser (#919) * fix server access for admins without subuser * add permission checks to power buttons * add permission check for console command sending * fix tests * fix websocket token permissions * fix sftp access * fix server api + small cleanup * it's "update", not "edit"... * fix tests * fix permission const for "activity read" * fix activity subuser permission 2025-01-17 23:04:22 +01:00			`if ($user->id !== $server->owner_id && $user->cannot('update server', $server)) {`
Authenticate that the request is coming from someone that should even know about the server 2020-03-28 16:23:18 -07:00			`// Check for subuser status.`
Use more standardized phpcs 2021-01-23 12:33:34 -08:00			`if (!$server->subusers->contains('user_id', $user->id)) {`
Authenticate that the request is coming from someone that should even know about the server 2020-03-28 16:23:18 -07:00			`throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));`
			`}`
			`}`

Simplify logic when a server is in an unsupported state 2021-01-30 13:28:31 -08:00			`try {`
			`$server->validateCurrentState();`
			`} catch (ServerStateConflictException $exception) {`
			`// Still allow users to get information about their server if it is installing or`
			`// being transferred.`
			`if (!$request->routeIs('api:client:server.view')) {`
Apply node maintenance mode to servers (#4421) 2022-11-07 00:02:30 +01:00			`if (($server->isSuspended() \|\| $server->node->isUnderMaintenance()) && !$request->routeIs('api:client:server.resources')) {`
Simplify logic when a server is in an unsupported state 2021-01-30 13:28:31 -08:00			`throw $exception;`
Update logic for tracking a server's transfer state 2020-12-16 09:34:47 -07:00			`}`
Fix server access for admins without subuser (#919) * fix server access for admins without subuser * add permission checks to power buttons * add permission check for console command sending * fix tests * fix websocket token permissions * fix sftp access * fix server api + small cleanup * it's "update", not "edit"... * fix tests * fix permission const for "activity read" * fix activity subuser permission 2025-01-17 23:04:22 +01:00			`if ($user->cannot('update server', $server) \|\| !$request->routeIs($this->except)) {`
Simplify logic when a server is in an unsupported state 2021-01-30 13:28:31 -08:00			`throw $exception;`
Update logic for tracking a server's transfer state 2020-12-16 09:34:47 -07:00			`}`
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00			`}`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`}`

			`$request->attributes->set('server', $server);`

			`return $next($request);`
			`}`
			`}`