[PR #919] [MERGED] Fix server access for admins without subuser #1059

New Issue

Closed

opened 2026-02-05 18:02:34 +03:00 by OVERLORD · 0 comments

OVERLORD commented 2026-02-05 18:02:34 +03:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/pelican-dev/panel/pull/919
Author: @Boy132
Created: 1/16/2025
Status: ✅ Merged
Merged: 1/18/2025
Merged by: @Boy132

Base: main ← Head: boy132/fix-admin-server-access

---

📝 Commits (10+)

• 57c87ba fix server access for admins without subuser
• 291e6f2 add permission checks to power buttons
• 5022118 add permission check for console command sending
• 03c2f03 fix tests
• d83b049 fix websocket token permissions
• 9517533 fix sftp access
• f3a2afc fix server api + small cleanup
• d0fb6fb it's "update", not "edit"...
• 44ba4fb fix tests
• 63dd0bb Merge remote-tracking branch 'upstream/main' into boy132/fix-admin-server-access

📊 Changes

13 files changed (+103 additions, -45 deletions)

View changed files

📝 app/Filament/App/Resources/ServerResource/Pages/ListServers.php (+1 -1)
📝 app/Filament/Server/Pages/Console.php (+5 -0)
📝 app/Filament/Server/Resources/UserResource/Pages/ListUsers.php (+21 -1)
📝 app/Filament/Server/Widgets/ServerConsole.php (+6 -1)
📝 app/Http/Controllers/Api/Client/ClientController.php (+2 -2)
📝 app/Http/Controllers/Api/Remote/SftpAuthenticationController.php (+1 -1)
📝 app/Http/Middleware/Api/Client/Server/AuthenticateServerAccess.php (+3 -3)
📝 app/Http/Requests/Api/Client/Servers/Subusers/SubuserRequest.php (+2 -2)
📝 app/Models/Permission.php (+1 -1)
📝 app/Models/User.php (+28 -5)
📝 app/Services/Servers/GetUserPermissionsService.php (+11 -9)
📝 lang/en/server/users.php (+3 -2)
📝 resources/views/filament/components/server-console.blade.php (+19 -17)

📄 Description

• If an admin has view permissions they can only view the console & settings page. (read only)
• If an admin has update permissions they have full control over a server (like root admins or the server owner)
• Added permissions checks for the power buttons and the console command input
• Also fixes the "read activity" subuser permission

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/pelican-dev/panel/pull/919 **Author:** [@Boy132](https://github.com/Boy132) **Created:** 1/16/2025 **Status:** ✅ Merged **Merged:** 1/18/2025 **Merged by:** [@Boy132](https://github.com/Boy132) **Base:** `main` ← **Head:** `boy132/fix-admin-server-access` --- ### 📝 Commits (10+) - [`57c87ba`](https://github.com/pelican-dev/panel/commit/57c87ba1ac567b448c63d4e0c381cd7d26944fb1) fix server access for admins without subuser - [`291e6f2`](https://github.com/pelican-dev/panel/commit/291e6f2e9c8ad90c9f5ce7c9abdcd20303299f66) add permission checks to power buttons - [`5022118`](https://github.com/pelican-dev/panel/commit/5022118e13c5334d195ad95e3fa6cdadf64df6f7) add permission check for console command sending - [`03c2f03`](https://github.com/pelican-dev/panel/commit/03c2f03fd52b1bc94753765e4f882d1ea9f4d829) fix tests - [`d83b049`](https://github.com/pelican-dev/panel/commit/d83b049e758d256de93c2b9d8f8249fad0b3d3c8) fix websocket token permissions - [`9517533`](https://github.com/pelican-dev/panel/commit/9517533d9dc29b8a2d93058b431e62370d9405d7) fix sftp access - [`f3a2afc`](https://github.com/pelican-dev/panel/commit/f3a2afc34835dbb1f99b7c6559c959927ab5a4eb) fix server api + small cleanup - [`d0fb6fb`](https://github.com/pelican-dev/panel/commit/d0fb6fb7c819647cc0153ac6af62c22e525f18ab) it's "update", not "edit"... - [`44ba4fb`](https://github.com/pelican-dev/panel/commit/44ba4fbb8489028529c3acd7dbb683e7f9d1f011) fix tests - [`63dd0bb`](https://github.com/pelican-dev/panel/commit/63dd0bb7625d4fba77e2f11a36fd523db393b2e5) Merge remote-tracking branch 'upstream/main' into boy132/fix-admin-server-access ### 📊 Changes **13 files changed** (+103 additions, -45 deletions) <details> <summary>View changed files</summary> 📝 `app/Filament/App/Resources/ServerResource/Pages/ListServers.php` (+1 -1) 📝 `app/Filament/Server/Pages/Console.php` (+5 -0) 📝 `app/Filament/Server/Resources/UserResource/Pages/ListUsers.php` (+21 -1) 📝 `app/Filament/Server/Widgets/ServerConsole.php` (+6 -1) 📝 `app/Http/Controllers/Api/Client/ClientController.php` (+2 -2) 📝 `app/Http/Controllers/Api/Remote/SftpAuthenticationController.php` (+1 -1) 📝 `app/Http/Middleware/Api/Client/Server/AuthenticateServerAccess.php` (+3 -3) 📝 `app/Http/Requests/Api/Client/Servers/Subusers/SubuserRequest.php` (+2 -2) 📝 `app/Models/Permission.php` (+1 -1) 📝 `app/Models/User.php` (+28 -5) 📝 `app/Services/Servers/GetUserPermissionsService.php` (+11 -9) 📝 `lang/en/server/users.php` (+3 -2) 📝 `resources/views/filament/components/server-console.blade.php` (+19 -17) </details> ### 📄 Description - If an admin has `view` permissions they can only view the console & settings page. (read only) - If an admin has `update` permissions they have full control over a server (like root admins or the server owner) - Added permissions checks for the power buttons and the console command input - Also fixes the "read activity" subuser permission --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

OVERLORD added the pull-request label 2026-02-05 18:02:34 +03:00

OVERLORD closed this issue 2026-02-05 18:02:37 +03:00

OVERLORD referenced this issue 2026-02-05 18:05:23 +03:00

[PR #1059] [MERGED] Make `restart` the default payload when using `PowerAction` in `Schedules` #1147

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

boy132/composer-update

boy132/reorderable-egg-stuff

boy132/replace-hardcoded-hex-strings

boy132/backup-notifications

boy132/backup-hosts

shift-2026-04

charles/filament-v5

release/v1.0.0-beta33

release/v1.0.0-beta32

lance/1228

lance/2026

lance/1022

lance/1585

lance/2163

charles/spotlight

charles/ex-im-servers

auto-claude/022-docker-image-links-plugin-dir-wrong

auto-claude/022-docker-image-links-plugin-dir-wrong-clean

release/v1.0.0-beta31

auto-claude/005-run-unit-tests-in-parallel

charles/new-activitylog

release/v1.0.0-beta30

release/v1.0.0-beta29

release/v1.0.0-beta28

release/v1.0.0-beta27

release/v1.0.0-beta26

release/v1.0.0-beta25

release/v1.0.0-beta24

release/v1.0.0-beta23

release/v1.0.0-beta22

release/v1.0.0-beta21

release/v1.0.0-beta20

release/v1.0.0-beta19

release/v1.0.0-beta18

release/v1.0.0-beta17

release/v1.0.0-beta16

release/v1.0.0-beta15

release/v1.0.0-beta14

release/v1.0.0-beta13

release/v1.0.0-beta11

release/v1.0.0-beta10

release/v1.0.0-beta9

release/v1.0.0-beta8

release/v1.0.0-beta7

release/v1.0.0-beta6

release/v1.0.0-beta5

release/v1.0.0-beta4

release/v1.0.0-beta3

release/v1.0.0-beta2

release/v1.0.0-beta1

3.x

v1.0.0-beta33

v1.0.0-beta32

v1.0.0-beta31

v1.0.0-beta30

v1.0.0-beta29

v1.0.0-beta28

v1.0.0-beta27

v1.0.0-beta26

v1.0.0-beta25

v1.0.0-beta24

v1.0.0-beta23

v1.0.0-beta22

v1.0.0-beta21

v1.0.0-beta20

v1.0.0-beta19

v1.0.0-beta18

v1.0.0-beta17

v1.0.0-beta16

v1.0.0-beta15

v1.0.0-beta14

v1.0.0-beta13

v1.0.0-beta11

v1.0.0-beta10

v1.0.0-beta9

v1.0.0-beta8

v1.0.0-beta7

v1.0.0-beta6

v1.0.0-beta5

v1.0.0-beta4

v1.0.0-beta3

v1.0.0-beta2

v1.0.0-beta1

2.x

1.x

0.x

Labels

Clear labels

not confirmed

pull-request

Mirrored from GitHub Pull Request

👑 sponsor

💰 fund

🔴 hard

🟡 medium

🟡 medium

🟡 medium

🟢 easy

🟢 easy

🟢 easy

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/panel-pelican-dev#1059