user(); $server = $request->route()->parameter('server'); throw_unless($server instanceof Server, new NotFoundHttpException(trans('exceptions.api.resource_not_found'))); // At the very least, ensure that the user trying to make this request is the // server owner, a subuser, or an admin. We'll leave it up to the controllers // to authenticate more detailed permissions if needed. if ($user->id !== $server->owner_id && $user->cannot('update server', $server)) { // Check for subuser status. throw_unless($server->subusers->contains('user_id', $user->id), new NotFoundHttpException(trans('exceptions.api.resource_not_found'))); } try { $server->validateCurrentState(); } catch (ServerStateConflictException $exception) { // Still allow users to get information about their server if it is installing or // being transferred. if (!$request->routeIs('api:client:server.view')) { throw_if(($server->isSuspended() || $server->node->isUnderMaintenance()) && !$request->routeIs('api:client:server.resources'), $exception); throw_if($user->cannot('update server', $server) || !$request->routeIs($this->except), $exception); } } $request->attributes->set('server', $server); return $next($request); } }