Push basis of new API key policy

Will need to revisit this another day when I’m fresh to figure out the best method to do this.
2017-04-07 21:25:17 -04:00 · 2017-04-07 21:25:17 -04:00 · db4df2bfa1
commit db4df2bfa1
parent 51204b8d9d
6 changed files with 104 additions and 19 deletions
--- a/app/Http/Controllers/API/Admin/ServerController.php
+++ b/app/Http/Controllers/API/Admin/ServerController.php
@ -60,9 +60,17 @@ class ServerController extends Controller
    public function view(Request $request, $id)
    {
        $server = Server::findOrFail($id);
-
        $fractal = Fractal::create()->item($server);

+        // dd($request->user()->can('view-node', $request->apiKey()));
+
+        // Have the api key model return a list of includes that would be allowed
+        // given the permissions they have aleady been granted?
+        //
+        // If someone has 'view-node' they would then be able to use ->parseIncludes(['*.node.*']);
+        // How that logic will work is beyond me currently, but should keep things
+        // fairly clean?
+
        if ($request->input('include')) {
            $fractal->parseIncludes(explode(',', $request->input('include')));
        }
--- a/app/Http/Middleware/HMACAuthorization.php
+++ b/app/Http/Middleware/HMACAuthorization.php
@ -92,6 +92,7 @@ class HMACAuthorization

        $this->checkBearer();
        $this->validateRequest();
+        $this->validateIPAccess();
        $this->validateContents();

        Auth::loginUsingId($this->key()->user_id);
@ -137,23 +138,6 @@ class HMACAuthorization
        if (! $this->key) {
            throw new AccessDeniedHttpException('Unable to identify requester. Authorization token is invalid.');
        }
-
-        if (empty($this->request()->route()->getName())) {
-            throw new \Exception('Attempting to access un-named route. This should not be possible.');
-        }
-
-        $this->validateIPAccess();
-
-        $query = APIPermission::where('key_id', $this->key()->id)
-            ->where('permission', $this->request()->route()->getName());
-
-        if (starts_with($this->request()->route()->getName(), 'api.user')) {
-            $query->orWhere('permission', 'api.user.*');
-        }
-
-        if (! $query->first()) {
-            throw new AccessDeniedHttpException('You do not have permission to access this resource on the API.');
-        }
    }

    /**