mirror of
https://github.com/pelican-dev/panel.git
synced 2026-07-16 04:03:50 +03:00
[PR #2002] [CLOSED] Fix role-based server access for users with node-restricted permissions #1698
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/pelican-dev/panel/pull/2002
Author: @memesalot
Created: 12/14/2025
Status: ❌ Closed
Base:
main← Head:main📝 Commits (3)
32cc844Refactor Node and User models for role management and permission checksd844673Update Node model to use NodeRole for role relationships028dba0fix oops📊 Changes
3 files changed (+44 additions, -11 deletions)
View changed files
📝
app/Models/Node.php(+2 -3)📝
app/Models/User.php(+27 -3)📝
app/Policies/ServerPolicy.php(+15 -5)📄 Description
Description
Fixes a bug where users assigned to roles with server permissions and node restrictions could not see or access servers on their assigned nodes. Users could only see servers they directly owned, even when their role granted them broader access.
Changes
app/Models/Node.phproles()relationship fromHasManyThroughtoBelongsToManyto correctly handle the many-to-many relationship through thenode_rolepivot table.app/Models/User.phpcanViewServers()method that directly checks for theviewList serverpermission using Spatie'shasPermissionTo(), bypassing the fragile policy chain.accessibleServers()to use the newcanViewServers()method instead ofcanned('viewAny', Server::class).canAccessTenant()to check for role-based access when the user is not an owner or subuser.app/Policies/ServerPolicy.phpbefore()to directly check role-based permissions usinghasPermissionTo()after verifying the user can target the server's node.Root Cause
The
Node::roles()relationship was incorrectly defined asHasManyThroughinstead ofBelongsToMany, causingaccessibleNodes()queries to return incorrect results. Additionally, permission checks were relying on a complex policy chain that wasn't properly triggering Spatie's permission verification.🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.