StarMC/Astral-nook
StarMC/Astral-nook
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fix: exclude any permissions not defined internally when updating or creating subusers (#4416)

Browse source
This commit is contained in:
Dane Everitt 2022-10-09 15:14:16 -07:00 committed by GitHub
parent 597821b3bb
commit c748fa9842
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 154 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

17
app/Http/Controllers/Api/Client/Servers/SubuserController.php
View file

@ -190,10 +190,23 @@ class SubuserController extends ClientApiController
}
/**
* Returns the default permissions for all subusers to ensure none are ever removed wrongly.
* Returns the default permissions for subusers and parses out any permissions
* that were passed that do not also exist in the internally tracked list of
* permissions.
*/
protected function getDefaultPermissions(Request $request): array
{
return array_unique(array_merge($request->input('permissions') ?? [], [Permission::ACTION_WEBSOCKET_CONNECT]));
$allowed = Permission::permissions()
->map(function ($value, $prefix) {
return array_map(function ($value) use ($prefix) {
return "$prefix.$value";
}, array_keys($value['keys']));
})
->flatten()
->all();
$cleaned = array_intersect($request->input('permissions') ?? [], $allowed);
return array_unique(array_merge($cleaned, [Permission::ACTION_WEBSOCKET_CONNECT]));
}
}