mirror of
https://github.com/pelican-dev/panel.git
synced 2026-07-15 21:48:08 +03:00
Add proper checks for subuser permissions (#2402)
This commit is contained in:
@@ -56,6 +56,7 @@ class Startup extends ServerFormPage
|
||||
->disabled(fn (Server $server) => !user()?->can(SubuserPermission::StartupUpdate, $server))
|
||||
->formatStateUsing(fn (Server $server) => $server->startup)
|
||||
->afterStateUpdated(function ($state, Server $server, Set $set) {
|
||||
abort_unless(user()?->can(SubuserPermission::StartupUpdate, $server), 403);
|
||||
$original = $server->startup;
|
||||
$server->forceFill(['startup' => $state])->saveOrFail();
|
||||
|
||||
@@ -89,6 +90,7 @@ class Startup extends ServerFormPage
|
||||
->visible(fn (Server $server) => in_array($server->image, $server->egg->docker_images))
|
||||
->disabled(fn (Server $server) => !user()?->can(SubuserPermission::StartupDockerImage, $server))
|
||||
->afterStateUpdated(function ($state, Server $server) {
|
||||
abort_unless(user()?->can(SubuserPermission::StartupDockerImage, $server), 403);
|
||||
$original = $server->image;
|
||||
$server->forceFill(['image' => $state])->saveOrFail();
|
||||
|
||||
@@ -151,6 +153,8 @@ class Startup extends ServerFormPage
|
||||
|
||||
public function update(null|string|bool $state, ServerVariable $serverVariable): void
|
||||
{
|
||||
abort_unless(user()?->can(SubuserPermission::StartupUpdate, $this->getRecord()), 403);
|
||||
|
||||
if (!$serverVariable->variable->user_editable) {
|
||||
return;
|
||||
}
|
||||
|
||||
@@ -101,6 +101,8 @@ return [
|
||||
'backup_delete' => 'Allows a user to remove backups from the system.',
|
||||
'backup_download' => 'Allows a user to download a backup for the server. Danger: this allows a user to access all files for the server in the backup.',
|
||||
'backup_restore' => 'Allows a user to restore a backup for the server. Danger: this allows the user to delete all of the server files in the process.',
|
||||
|
||||
'mount_title' => 'Mounts',
|
||||
'mount_desc' => 'Permissions that control a user\'s ability to manage mounts for this server.',
|
||||
'mount_read' => 'Allows a user to view the mounts page and see available mounts.',
|
||||
'mount_update' => 'Allows a user to toggle mounts on or off for the server.',
|
||||
|
||||
Reference in New Issue
Block a user