fix: exclude any permissions not defined internally when updating or creating subusers (#4416)

2022-10-09 15:14:16 -07:00 · 2022-10-09 15:14:16 -07:00 · c748fa9842
commit c748fa9842
parent 597821b3bb
3 changed files with 154 additions and 31 deletions
--- a/app/Http/Controllers/Api/Client/Servers/SubuserController.php
+++ b/app/Http/Controllers/Api/Client/Servers/SubuserController.php
@ -190,10 +190,23 @@ class SubuserController extends ClientApiController
    }

    /**
-     * Returns the default permissions for all subusers to ensure none are ever removed wrongly.
+     * Returns the default permissions for subusers and parses out any permissions
+     * that were passed that do not also exist in the internally tracked list of
+     * permissions.
     */
    protected function getDefaultPermissions(Request $request): array
    {
-        return array_unique(array_merge($request->input('permissions') ?? [], [Permission::ACTION_WEBSOCKET_CONNECT]));
+        $allowed = Permission::permissions()
+            ->map(function ($value, $prefix) {
+                return array_map(function ($value) use ($prefix) {
+                    return "$prefix.$value";
+                }, array_keys($value['keys']));
+            })
+            ->flatten()
+            ->all();
+
+        $cleaned = array_intersect($request->input('permissions') ?? [], $allowed);
+
+        return array_unique(array_merge($cleaned, [Permission::ACTION_WEBSOCKET_CONNECT]));
    }
 }
--- a/app/Policies/ServerPolicy.php
+++ b/app/Policies/ServerPolicy.php
@ -2,45 +2,22 @@

 namespace Pterodactyl\Policies;

-use Carbon\Carbon;
 use Pterodactyl\Models\User;
 use Pterodactyl\Models\Server;
-use Illuminate\Contracts\Cache\Repository as CacheRepository;

 class ServerPolicy
 {
-    /**
-     * @var \Illuminate\Contracts\Cache\Repository
-     */
-    private $cache;
-
-    /**
-     * ServerPolicy constructor.
-     */
-    public function __construct(CacheRepository $cache)
-    {
-        $this->cache = $cache;
-    }
-
    /**
     * Checks if the user has the given permission on/for the server.
-     *
-     * @param string $permission
-     *
-     * @return bool
     */
-    protected function checkPermission(User $user, Server $server, $permission)
+    protected function checkPermission(User $user, Server $server, string $permission): bool
    {
-        $key = sprintf('ServerPolicy.%s.%s', $user->uuid, $server->uuid);
+        $subuser = $server->subusers->where('user_id', $user->id)->first();
+        if (!$subuser || empty($permission)) {
+            return false;
+        }

-        $permissions = $this->cache->remember($key, Carbon::now()->addSeconds(5), function () use ($user, $server) {
-            /** @var \Pterodactyl\Models\Subuser|null $subuser */
-            $subuser = $server->subusers()->where('user_id', $user->id)->first();
-
-            return $subuser ? $subuser->permissions : [];
-        });
-
-        return in_array($permission, $permissions);
+        return in_array($permission, $subuser->permissions);
    }

    /**