Implement fix to allow root admins to view all servers.

closes #722
2017-11-05 12:38:39 -06:00 · 2017-11-05 12:38:39 -06:00 · 6409fffdad
commit 6409fffdad
parent fb2909a1c7
22 changed files with 143 additions and 166 deletions
--- a/app/Http/Controllers/Base/IndexController.php
+++ b/app/Http/Controllers/Base/IndexController.php
@ -93,7 +93,7 @@ class IndexController extends Controller
    public function status(Request $request, $uuid)
    {
        $server = $this->repository->findFirstWhere([['uuidShort', '=', $uuid]]);
-        $token = $this->keyProviderService->handle($server->id, $request->user()->id);
+        $token = $this->keyProviderService->handle($server, $request->user());

        if (! $server->installed) {
            return response()->json(['status' => 20]);
--- a/app/Http/Middleware/AdminAuthenticate.php
+++ b/app/Http/Middleware/AdminAuthenticate.php
@ -11,7 +11,7 @@ namespace Pterodactyl\Http\Middleware;

 use Closure;
 use Illuminate\Http\Request;
-use Symfony\Component\HttpKernel\Exception\HttpException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

 class AdminAuthenticate
 {
@ -25,7 +25,7 @@ class AdminAuthenticate
    public function handle(Request $request, Closure $next)
    {
        if (! $request->user() || ! $request->user()->root_admin) {
-            throw new HttpException(403, 'Access Denied');
+            throw new AccessDeniedHttpException;
        }

        return $next($request);
--- a/app/Http/Middleware/Authenticate.php
+++ b/app/Http/Middleware/Authenticate.php
@ -20,11 +20,7 @@ class Authenticate
    public function handle(Request $request, Closure $next)
    {
        if (! $request->user()) {
-            if ($request->ajax() || $request->expectsJson()) {
-                throw new AuthenticationException();
-            } else {
-                return redirect()->route('auth.login');
-            }
+            throw new AuthenticationException;
        }

        return $next($request);
--- a/app/Http/Middleware/Daemon/DaemonAuthenticate.php
+++ b/app/Http/Middleware/Daemon/DaemonAuthenticate.php
@ -29,6 +29,7 @@ use Illuminate\Http\Request;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Pterodactyl\Contracts\Repository\NodeRepositoryInterface;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

 class DaemonAuthenticate
 {
@ -80,7 +81,7 @@ class DaemonAuthenticate
        try {
            $node = $this->repository->findFirstWhere([['daemonSecret', '=', $token]]);
        } catch (RecordNotFoundException $exception) {
-            throw new HttpException(403);
+            throw new AccessDeniedHttpException;
        }

        $request->attributes->set('node', $node);
--- a/app/Http/Middleware/Server/AuthenticateAsSubuser.php
+++ b/app/Http/Middleware/Server/AuthenticateAsSubuser.php
@ -12,9 +12,9 @@ namespace Pterodactyl\Http\Middleware\Server;
 use Closure;
 use Illuminate\Http\Request;
 use Illuminate\Contracts\Session\Session;
-use Illuminate\Auth\AuthenticationException;
 use Pterodactyl\Services\DaemonKeys\DaemonKeyProviderService;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;

 class AuthenticateAsSubuser
 {
@ -56,9 +56,9 @@ class AuthenticateAsSubuser
        $server = $request->attributes->get('server');

        try {
-            $token = $this->keyProviderService->handle($server->id, $request->user()->id);
+            $token = $this->keyProviderService->handle($server, $request->user());
        } catch (RecordNotFoundException $exception) {
-            throw new AuthenticationException('This account does not have permission to access this server.');
+            throw new AccessDeniedHttpException('This account does not have permission to access this server.');
        }

        $this->session->now('server_data.token', $token);