[PR #1406] [MERGED] Permission check fixes #1375

Closed
opened 2026-02-04 19:41:08 +03:00 by OVERLORD · 0 comments

📋 Pull Request Information

Original PR: https://github.com/pelican-dev/panel/pull/1406
Author: @Boy132
Created: 5/26/2025
Status: Merged
Merged: 5/27/2025
Merged by: @Boy132

Base: main ← Head: boy132/fix-permission-checks


📝 Commits (3)

  • 0e0f197 switch from "permission checks" to "policy checks"
  • 0511475 add missing permissions checks to create options on CreateServer
  • e2745dd fix accessibleServers query when having viewList server permissions

📊 Changes

13 files changed (+36 additions, -32 deletions)


📝 app/Filament/Admin/Resources/ApiKeyResource.php (+1 -1)
📝 app/Filament/Admin/Resources/DatabaseHostResource/RelationManagers/DatabasesRelationManager.php (+2 -2)
📝 app/Filament/Admin/Resources/NodeResource/RelationManagers/AllocationsRelationManager.php (+1 -1)
📝 app/Filament/Admin/Resources/ServerResource.php (+1 -3)
📝 app/Filament/Admin/Resources/ServerResource/Pages/CreateServer.php (+2 -0)
📝 app/Filament/Admin/Resources/ServerResource/Pages/EditServer.php (+5 -5)
📝 app/Filament/Admin/Resources/ServerResource/Pages/ListServers.php (+2 -2)
📝 app/Filament/Components/Forms/Actions/RotateDatabasePasswordAction.php (+1 -1)
📝 app/Filament/Server/Resources/ActivityResource.php (+2 -2)
📝 app/Http/Requests/Api/Client/Servers/Subusers/SubuserRequest.php (+1 -1)
📝 app/Models/User.php (+11 -7)
📝 app/Policies/ServerPolicy.php (+5 -5)
📝 app/Services/Servers/GetUserPermissionsService.php (+2 -2)

📄 Description

Switches from checking permissions directly (e.g. can('create server') or can('update server', $server)) to using the policies (e.g. can('create', Server::class) or can('update', $server)). This makes sure our before logic runs correctly.

Adds missing checks to the create options on CreateServer. (closes #1403)

Fixes accessibleServers query to make sure the correct servers are displayed in the client area. (closes #1402)


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

OVERLORD added the pull-request label 2026-02-04 19:41:08 +03:00

Reference: starred/panel#1375