StarMC/Astral-nook
StarMC/Astral-nook
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Don't return things a user shouldn't be able to see via the API includes

Browse source
This commit is contained in:
Dane Everitt 2020-08-22 16:54:12 -07:00
parent 9b16f5883c
commit 1b69d82daa
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
2 changed files with 28 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

13
app/Transformers/Api/Client/DatabaseTransformer.php
View file

@ -4,6 +4,7 @@ namespace Pterodactyl\Transformers\Api\Client;
use Pterodactyl\Models\Database;
use League\Fractal\Resource\Item;
use Pterodactyl\Models\Permission;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Contracts\Extensions\HashidsInterface;
@ -65,12 +66,16 @@ class DatabaseTransformer extends BaseClientTransformer
/**
* Include the database password in the request.
*
* @param \Pterodactyl\Models\Database $model
* @return \League\Fractal\Resource\Item
* @param \Pterodactyl\Models\Database $database
* @return \League\Fractal\Resource\Item|\League\Fractal\Resource\NullResource
*/
public function includePassword(Database $model): Item
public function includePassword(Database $database): Item
{
return $this->item($model, function (Database $model) {
if (!$this->getUser()->can(Permission::ACTION_DATABASE_VIEW_PASSWORD, $database->server)) {
return $this->null();
}
return $this->item($database, function (Database $model) {
return [
'password' => $this->encrypter->decrypt($model->password),
];