From 2771ccc421ade4cdc2d3983aa402fc2cde2c2ace Mon Sep 17 00:00:00 2001 From: Charles Date: Sun, 21 Jun 2026 16:37:42 -0400 Subject: [PATCH] Add proper checks for subuser permissions (#2402) --- app/Filament/Server/Pages/Startup.php | 4 ++++ lang/en/server/user.php | 2 ++ 2 files changed, 6 insertions(+) diff --git a/app/Filament/Server/Pages/Startup.php b/app/Filament/Server/Pages/Startup.php index b9be624e0..393e0fe24 100644 --- a/app/Filament/Server/Pages/Startup.php +++ b/app/Filament/Server/Pages/Startup.php @@ -56,6 +56,7 @@ class Startup extends ServerFormPage ->disabled(fn (Server $server) => !user()?->can(SubuserPermission::StartupUpdate, $server)) ->formatStateUsing(fn (Server $server) => $server->startup) ->afterStateUpdated(function ($state, Server $server, Set $set) { + abort_unless(user()?->can(SubuserPermission::StartupUpdate, $server), 403); $original = $server->startup; $server->forceFill(['startup' => $state])->saveOrFail(); @@ -89,6 +90,7 @@ class Startup extends ServerFormPage ->visible(fn (Server $server) => in_array($server->image, $server->egg->docker_images)) ->disabled(fn (Server $server) => !user()?->can(SubuserPermission::StartupDockerImage, $server)) ->afterStateUpdated(function ($state, Server $server) { + abort_unless(user()?->can(SubuserPermission::StartupDockerImage, $server), 403); $original = $server->image; $server->forceFill(['image' => $state])->saveOrFail(); @@ -151,6 +153,8 @@ class Startup extends ServerFormPage public function update(null|string|bool $state, ServerVariable $serverVariable): void { + abort_unless(user()?->can(SubuserPermission::StartupUpdate, $this->getRecord()), 403); + if (!$serverVariable->variable->user_editable) { return; } diff --git a/lang/en/server/user.php b/lang/en/server/user.php index 5af6b4a6e..03f0b1824 100644 --- a/lang/en/server/user.php +++ b/lang/en/server/user.php @@ -101,6 +101,8 @@ return [ 'backup_delete' => 'Allows a user to remove backups from the system.', 'backup_download' => 'Allows a user to download a backup for the server. Danger: this allows a user to access all files for the server in the backup.', 'backup_restore' => 'Allows a user to restore a backup for the server. Danger: this allows the user to delete all of the server files in the process.', + + 'mount_title' => 'Mounts', 'mount_desc' => 'Permissions that control a user\'s ability to manage mounts for this server.', 'mount_read' => 'Allows a user to view the mounts page and see available mounts.', 'mount_update' => 'Allows a user to toggle mounts on or off for the server.',