Improved logic for handling permissions on API routes.

Still only partially implemented, however this method will allow the inclusion of data that is granted with servers (such as viewing more about the node, node location, allocations, etc) while still limiting someone from doing `?include=node.servers` and listing all servers when they don’t have list-servers as a permission.
2017-04-08 12:05:29 -04:00 · 2017-04-08 12:05:29 -04:00 · 4479d3bf19
commit 4479d3bf19
parent db4df2bfa1
16 changed files with 296 additions and 29 deletions
--- a/app/Transformers/Admin/AllocationTransformer.php
+++ b/app/Transformers/Admin/AllocationTransformer.php
@ -24,6 +24,7 @@

 namespace Pterodactyl\Transformers\Admin;

+use Illuminate\Http\Request;
 use Pterodactyl\Models\Allocation;
 use League\Fractal\TransformerAbstract;

@ -37,13 +38,26 @@ class AllocationTransformer extends TransformerAbstract
    protected $filter;

    /**
-     * Transformer constructor.
+     * The Illuminate Request object if provided.
     *
-     * @param  bool|string  $filter
+     * @var \Illuminate\Http\Request|bool
+     */
+    protected $request;
+
+    /**
+     * Setup request object for transformer.
+     *
+     * @param  \Illuminate\Http\Request|bool  $request
+     * @param  bool                           $filter
     * @return void
     */
-    public function __construct($filter = false)
+    public function __construct($request = false, $filter = false)
    {
+        if (! $request instanceof Request && $request !== false) {
+            throw new DisplayException('Request passed to constructor must be of type Request or false.');
+        }
+
+        $this->request = $request;
        $this->filter = $filter;
    }