Server Policy: Only do owner check if checking for subuser permissions (#1521)

2026-05-04 18:00:48 +03:00 · 2025-07-19 18:52:28 +02:00
parent 9f2305f351
commit 62ca53eeaf
4 changed files with 21 additions and 18 deletions
--- a/app/Http/Controllers/Api/Client/Servers/SubuserController.php
+++ b/app/Http/Controllers/Api/Client/Servers/SubuserController.php
@@ -138,15 +138,7 @@ class SubuserController extends ClientApiController
     */
    protected function getDefaultPermissions(Request $request): array
    {
-        $allowed = Permission::permissions()
-            ->map(function ($value, $prefix) {
-                return array_map(function ($value) use ($prefix) {
-                    return "$prefix.$value";
-                }, array_keys($value['keys']));
-            })
-            ->flatten()
-            ->all();
-
+        $allowed = Permission::permissionKeys()->all();
        $cleaned = array_intersect($request->input('permissions') ?? [], $allowed);

        return array_unique(array_merge($cleaned, [Permission::ACTION_WEBSOCKET_CONNECT]));
--- a/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php
+++ b/app/Http/Requests/Api/Client/Servers/SendPowerRequest.php
@@ -22,7 +22,8 @@ class SendPowerRequest extends ClientApiRequest
                return Permission::ACTION_CONTROL_RESTART;
        }

-        return '__invalid';
+        // Fallback for invalid signals
+        return Permission::ACTION_WEBSOCKET_CONNECT;
    }

    /**