app/Http/Middleware/Api/Client/Server/AuthenticateServerAccess.php

<?php

namespace App\Http\Middleware\Api\Client\Server;

use Illuminate\Http\Request;
use App\Models\Server;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use App\Exceptions\Http\Server\ServerStateConflictException;

class AuthenticateServerAccess
{
    /**
     * Routes that this middleware should not apply to if the user is an admin.
     */
    protected array $except = [
        'api:client:server.ws',
    ];

    /**
     * AuthenticateServerAccess constructor.
     */
    public function __construct() {}

    /**
     * Authenticate that this server exists and is not suspended or marked as installing.
     */
    public function handle(Request $request, \Closure $next): mixed
    {
        /** @var \App\Models\User $user */
        $user = $request->user();
        $server = $request->route()->parameter('server');

        if (!$server instanceof Server) {
            throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
        }

        // At the very least, ensure that the user trying to make this request is the
        // server owner, a subuser, or a root admin. We'll leave it up to the controllers
        // to authenticate more detailed permissions if needed.
        if ($user->id !== $server->owner_id && !$user->isRootAdmin()) {
            // Check for subuser status.
            if (!$server->subusers->contains('user_id', $user->id)) {
                throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
            }
        }

        try {
            $server->validateCurrentState();
        } catch (ServerStateConflictException $exception) {
            // Still allow users to get information about their server if it is installing or
            // being transferred.
            if (!$request->routeIs('api:client:server.view')) {
                if (($server->isSuspended() || $server->node->isUnderMaintenance()) && !$request->routeIs('api:client:server.resources')) {
                    throw $exception;
                }
                if (!$user->isRootAdmin() || !$request->routeIs($this->except)) {
                    throw $exception;
                }
            }
        }

        $request->attributes->set('server', $server);

        return $next($request);
    }
}
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`<?php`

Switch namespace back to App 2024-03-12 22:39:16 -04:00			`namespace App\Http\Middleware\Api\Client\Server;`
More logic for deleting databases 2018-08-25 15:07:42 -07:00
			`use Illuminate\Http\Request;`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Models\Server;`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`use App\Exceptions\Http\Server\ServerStateConflictException;`
More logic for deleting databases 2018-08-25 15:07:42 -07:00
			`class AuthenticateServerAccess`
			`{`
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00			`/**`
			`* Routes that this middleware should not apply to if the user is an admin.`
			`*/`
Upgrade to Laravel 9 (#4413) Co-authored-by: DaneEveritt <dane@daneeveritt.com> 2022-10-14 10:59:20 -06:00			`protected array $except = [`
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00			`'api:client:server.ws',`
			`];`

More logic for deleting databases 2018-08-25 15:07:42 -07:00			`/**`
			`* AuthenticateServerAccess constructor.`
			`*/`
Update all dependencies (#712) * update composer.lock * run pint * fix phpstan * update migrations (sqlite `dropForeign`) * fix migrations * Reset these back for now * Alphabetize the rules * run `php artisan filament:upgrade` --------- Co-authored-by: Lance Pioch <git@lance.sh> 2024-11-22 09:27:57 +01:00			`public function __construct() {}`
More logic for deleting databases 2018-08-25 15:07:42 -07:00
			`/**`
			`* Authenticate that this server exists and is not suspended or marked as installing.`
			`*/`
Laravel 10 (#4706) 2023-02-23 12:30:16 -07:00			`public function handle(Request $request, \Closure $next): mixed`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`{`
Switch namespace back to App 2024-03-12 22:39:16 -04:00			`/** @var \App\Models\User $user */`
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00			`$user = $request->user();`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`$server = $request->route()->parameter('server');`

Use more standardized phpcs 2021-01-23 12:33:34 -08:00			`if (!$server instanceof Server) {`
Update logic that handles creation of folders for a server 2019-05-01 21:45:39 -07:00			`throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`}`

Authenticate that the request is coming from someone that should even know about the server 2020-03-28 16:23:18 -07:00			`// At the very least, ensure that the user trying to make this request is the`
			`// server owner, a subuser, or a root admin. We'll leave it up to the controllers`
			`// to authenticate more detailed permissions if needed.`
Admin Roles (#502) * add spatie/permissions * add policies * add role resource * add root admin role handling * replace some "root_admin" with function * add model specific permissions * make permission selection nicer * fix user creation * fix tests * add back subuser checks in server policy * add custom model for role * assign new users to role if root_admin is set * add api for roles * fix phpstan * add permissions for settings page * remove "restore" and "forceDelete" permissions * add user count to list * prevent deletion if role has users * update user list * fix server policy * remove old `root_admin` column * small refactor * fix tests * forgot can checks here * forgot use * disable editing own roles & disable assigning root admin * don't allow to rename root admin role * remove php bombing exception handler * fix role assignment when creating a user * fix disableOptionWhen * fix missing `root_admin` attribute on react frontend * add permission check for bulk delete * rename viewAny to viewList * improve canAccessPanel check * fix admin not displaying for non-root admins * make sure non root admins can't edit root admins * fix import * fix settings page permission check * fix server permissions for non-subusers * fix settings page permission check v2 * small cleanup * cleanup config file * move consts from resouce into enum & model * Update database/migrations/2024_08_01_114538_remove_root_admin_column.php Co-authored-by: Lance Pioch <lancepioch@gmail.com> * fix config * fix phpstan * fix phpstan 2.0 --------- Co-authored-by: Lance Pioch <lancepioch@gmail.com> 2024-09-21 12:27:41 +02:00			`if ($user->id !== $server->owner_id && !$user->isRootAdmin()) {`
Authenticate that the request is coming from someone that should even know about the server 2020-03-28 16:23:18 -07:00			`// Check for subuser status.`
Use more standardized phpcs 2021-01-23 12:33:34 -08:00			`if (!$server->subusers->contains('user_id', $user->id)) {`
Authenticate that the request is coming from someone that should even know about the server 2020-03-28 16:23:18 -07:00			`throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));`
			`}`
			`}`

Simplify logic when a server is in an unsupported state 2021-01-30 13:28:31 -08:00			`try {`
			`$server->validateCurrentState();`
			`} catch (ServerStateConflictException $exception) {`
			`// Still allow users to get information about their server if it is installing or`
			`// being transferred.`
			`if (!$request->routeIs('api:client:server.view')) {`
Apply node maintenance mode to servers (#4421) 2022-11-07 00:02:30 +01:00			`if (($server->isSuspended() \|\| $server->node->isUnderMaintenance()) && !$request->routeIs('api:client:server.resources')) {`
Simplify logic when a server is in an unsupported state 2021-01-30 13:28:31 -08:00			`throw $exception;`
Update logic for tracking a server's transfer state 2020-12-16 09:34:47 -07:00			`}`
Admin Roles (#502) * add spatie/permissions * add policies * add role resource * add root admin role handling * replace some "root_admin" with function * add model specific permissions * make permission selection nicer * fix user creation * fix tests * add back subuser checks in server policy * add custom model for role * assign new users to role if root_admin is set * add api for roles * fix phpstan * add permissions for settings page * remove "restore" and "forceDelete" permissions * add user count to list * prevent deletion if role has users * update user list * fix server policy * remove old `root_admin` column * small refactor * fix tests * forgot can checks here * forgot use * disable editing own roles & disable assigning root admin * don't allow to rename root admin role * remove php bombing exception handler * fix role assignment when creating a user * fix disableOptionWhen * fix missing `root_admin` attribute on react frontend * add permission check for bulk delete * rename viewAny to viewList * improve canAccessPanel check * fix admin not displaying for non-root admins * make sure non root admins can't edit root admins * fix import * fix settings page permission check * fix server permissions for non-subusers * fix settings page permission check v2 * small cleanup * cleanup config file * move consts from resouce into enum & model * Update database/migrations/2024_08_01_114538_remove_root_admin_column.php Co-authored-by: Lance Pioch <lancepioch@gmail.com> * fix config * fix phpstan * fix phpstan 2.0 --------- Co-authored-by: Lance Pioch <lancepioch@gmail.com> 2024-09-21 12:27:41 +02:00			`if (!$user->isRootAdmin() \|\| !$request->routeIs($this->except)) {`
Simplify logic when a server is in an unsupported state 2021-01-30 13:28:31 -08:00			`throw $exception;`
Update logic for tracking a server's transfer state 2020-12-16 09:34:47 -07:00			`}`
Show console when an admin is viewing an installing server 2020-04-26 13:21:39 -07:00			`}`
More logic for deleting databases 2018-08-25 15:07:42 -07:00			`}`

			`$request->attributes->set('server', $server);`

			`return $next($request);`
			`}`
			`}`