Massively simplify API binding logic
Changes the API internals to use normal Laravel binding which automatically supports nested-models and can determine their relationships. This removes a lot of confusingly complex internal logic and replaces it with standard Laravel code. This also removes a deprecated "getModel" method and fully replaces it with a "parameter" method that does stricter type-checking.
This commit is contained in:
DaneEveritt
parent
f1235c7f88
commit
e313dff674
53 changed files with 290 additions and 604 deletions
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Allocations;
|
||||
|
||||
use Pterodactyl\Models\Node;
|
||||
use Pterodactyl\Models\Allocation;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
|
||||
|
||||
|
|
@ -18,22 +16,4 @@ class DeleteAllocationRequest extends ApplicationApiRequest
|
|||
* @var int
|
||||
*/
|
||||
protected $permission = AdminAcl::WRITE;
|
||||
|
||||
/**
|
||||
* Determine if the requested allocation exists and belongs to the node that
|
||||
* is being passed in the URL.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$node = $this->route()->parameter('node');
|
||||
$allocation = $this->route()->parameter('allocation');
|
||||
|
||||
if ($node instanceof Node && $node->exists) {
|
||||
if ($allocation instanceof Allocation && $allocation->exists && $allocation->node_id === $node->id) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Allocations;
|
||||
|
||||
use Pterodactyl\Models\Node;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
|
||||
|
||||
|
|
@ -17,15 +16,4 @@ class GetAllocationsRequest extends ApplicationApiRequest
|
|||
* @var int
|
||||
*/
|
||||
protected $permission = AdminAcl::READ;
|
||||
|
||||
/**
|
||||
* Determine if the node that we are requesting the allocations
|
||||
* for exists on the Panel.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$node = $this->route()->parameter('node');
|
||||
|
||||
return $node instanceof Node && $node->exists;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,14 +2,12 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application;
|
||||
|
||||
use Pterodactyl\Models\ApiKey;
|
||||
use Webmozart\Assert\Assert;
|
||||
use Illuminate\Validation\Validator;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Illuminate\Foundation\Http\FormRequest;
|
||||
use Pterodactyl\Exceptions\PterodactylException;
|
||||
use Pterodactyl\Http\Middleware\Api\ApiSubstituteBindings;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\Routing\Exception\InvalidParameterException;
|
||||
|
||||
abstract class ApplicationApiRequest extends FormRequest
|
||||
{
|
||||
|
|
@ -49,15 +47,7 @@ abstract class ApplicationApiRequest extends FormRequest
|
|||
throw new PterodactylException('An ACL resource must be defined on API requests.');
|
||||
}
|
||||
|
||||
return AdminAcl::check($this->key(), $this->resource, $this->permission);
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if the requested resource exists on the server.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
return true;
|
||||
return AdminAcl::check($this->attributes->get('api_key'), $this->resource, $this->permission);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -68,35 +58,6 @@ abstract class ApplicationApiRequest extends FormRequest
|
|||
return [];
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the API key being used for the request.
|
||||
*/
|
||||
public function key(): ApiKey
|
||||
{
|
||||
return $this->attributes->get('api_key');
|
||||
}
|
||||
|
||||
/**
|
||||
* Grab a model from the route parameters. If no model is found in the
|
||||
* binding mappings an exception will be thrown.
|
||||
*
|
||||
* @return mixed
|
||||
*
|
||||
* @deprecated
|
||||
*
|
||||
* @throws \Symfony\Component\Routing\Exception\InvalidParameterException
|
||||
*/
|
||||
public function getModel(string $model)
|
||||
{
|
||||
$parameterKey = array_get(array_flip(ApiSubstituteBindings::getMappings()), $model);
|
||||
|
||||
if (is_null($parameterKey)) {
|
||||
throw new InvalidParameterException();
|
||||
}
|
||||
|
||||
return $this->route()->parameter($parameterKey);
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper method allowing a developer to easily hook into this logic without having
|
||||
* to remember what the method name is called or where to use it. By default this is
|
||||
|
|
@ -108,50 +69,26 @@ abstract class ApplicationApiRequest extends FormRequest
|
|||
}
|
||||
|
||||
/**
|
||||
* Validate that the resource exists and can be accessed prior to booting
|
||||
* the validator and attempting to use the data.
|
||||
* Returns the named route parameter and asserts that it is a real model that
|
||||
* exists in the database.
|
||||
*
|
||||
* @throws \Illuminate\Auth\Access\AuthorizationException
|
||||
* @template T of \Illuminate\Database\Eloquent\Model
|
||||
*
|
||||
* @param class-string<T> $expect
|
||||
*
|
||||
* @return T
|
||||
* @noinspection PhpUndefinedClassInspection
|
||||
* @noinspection PhpDocSignatureInspection
|
||||
*/
|
||||
protected function prepareForValidation()
|
||||
public function parameter(string $key, string $expect)
|
||||
{
|
||||
if (!$this->passesAuthorization()) {
|
||||
$this->failedAuthorization();
|
||||
}
|
||||
$value = $this->route()->parameter($key);
|
||||
|
||||
$this->hasValidated = true;
|
||||
}
|
||||
Assert::isInstanceOf($value, $expect);
|
||||
Assert::isInstanceOf($value, Model::class);
|
||||
Assert::true($value->exists);
|
||||
|
||||
/*
|
||||
* Determine if the request passes the authorization check as well
|
||||
* as the exists check.
|
||||
*
|
||||
* @return bool
|
||||
*
|
||||
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
|
||||
*/
|
||||
protected function passesAuthorization()
|
||||
{
|
||||
// If we have already validated we do not need to call this function
|
||||
// again. This is needed to work around Laravel's normal auth validation
|
||||
// that occurs after validating the request params since we are doing auth
|
||||
// validation in the prepareForValidation() function.
|
||||
if ($this->hasValidated) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (!parent::passesAuthorization()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Only let the user know that a resource does not exist if they are
|
||||
// authenticated to access the endpoint. This avoids exposing that
|
||||
// an item exists (or does not exist) to the user until they can prove
|
||||
// that they have permission to know about it.
|
||||
if ($this->attributes->get('is_missing_model', false) || !$this->resourceExists()) {
|
||||
throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
|
||||
}
|
||||
|
||||
return true;
|
||||
/* @var T $value */
|
||||
return $value;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Locations;
|
||||
|
||||
use Pterodactyl\Models\Location;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
|
||||
|
||||
|
|
@ -17,14 +16,4 @@ class DeleteLocationRequest extends ApplicationApiRequest
|
|||
* @var int
|
||||
*/
|
||||
protected $permission = AdminAcl::WRITE;
|
||||
|
||||
/**
|
||||
* Determine if the requested location exists on the Panel.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$location = $this->route()->parameter('location');
|
||||
|
||||
return $location instanceof Location && $location->exists;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,17 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Locations;
|
||||
|
||||
use Pterodactyl\Models\Location;
|
||||
|
||||
class GetLocationRequest extends GetLocationsRequest
|
||||
{
|
||||
/**
|
||||
* Determine if the requested location exists on the Panel.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$location = $this->route()->parameter('location');
|
||||
|
||||
return $location instanceof Location && $location->exists;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -6,16 +6,6 @@ use Pterodactyl\Models\Location;
|
|||
|
||||
class UpdateLocationRequest extends StoreLocationRequest
|
||||
{
|
||||
/**
|
||||
* Determine if the requested location exists on the Panel.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$location = $this->route()->parameter('location');
|
||||
|
||||
return $location instanceof Location && $location->exists;
|
||||
}
|
||||
|
||||
/**
|
||||
* Rules to validate this request against.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Nests\Eggs;
|
||||
|
||||
use Pterodactyl\Models\Egg;
|
||||
use Pterodactyl\Models\Nest;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
|
||||
|
||||
|
|
@ -18,12 +16,4 @@ class GetEggRequest extends ApplicationApiRequest
|
|||
* @var int
|
||||
*/
|
||||
protected $permission = AdminAcl::READ;
|
||||
|
||||
/**
|
||||
* Determine if the requested egg exists for the selected nest.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
return $this->getModel(Nest::class)->id === $this->getModel(Egg::class)->nest_id;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Nodes;
|
||||
|
||||
use Pterodactyl\Models\Node;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
|
||||
|
||||
|
|
@ -17,15 +16,4 @@ class DeleteNodeRequest extends ApplicationApiRequest
|
|||
* @var int
|
||||
*/
|
||||
protected $permission = AdminAcl::WRITE;
|
||||
|
||||
/**
|
||||
* Determine if the node being requested for editing exists
|
||||
* on the Panel before validating the data.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$node = $this->route()->parameter('node');
|
||||
|
||||
return $node instanceof Node && $node->exists;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,17 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Nodes;
|
||||
|
||||
use Pterodactyl\Models\Node;
|
||||
|
||||
class GetNodeRequest extends GetNodesRequest
|
||||
{
|
||||
/**
|
||||
* Determine if the requested node exists on the Panel.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$node = $this->route()->parameter('node');
|
||||
|
||||
return $node instanceof Node && $node->exists;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,8 +12,8 @@ class UpdateNodeRequest extends StoreNodeRequest
|
|||
*/
|
||||
public function rules(array $rules = null): array
|
||||
{
|
||||
$nodeId = $this->getModel(Node::class)->id;
|
||||
$node = $this->route()->parameter('node')->id;
|
||||
|
||||
return parent::rules(Node::getRulesForUpdate($nodeId));
|
||||
return parent::rules(Node::getRulesForUpdate($node));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -16,15 +16,4 @@ class GetServerDatabaseRequest extends ApplicationApiRequest
|
|||
* @var int
|
||||
*/
|
||||
protected $permission = AdminAcl::READ;
|
||||
|
||||
/**
|
||||
* Determine if the requested server database exists.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$server = $this->route()->parameter('server');
|
||||
$database = $this->route()->parameter('database');
|
||||
|
||||
return $database->server_id === $server->id;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,19 +2,11 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Servers;
|
||||
|
||||
use Pterodactyl\Models\Server;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
|
||||
use Pterodactyl\Contracts\Repository\ServerRepositoryInterface;
|
||||
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
|
||||
|
||||
class GetExternalServerRequest extends ApplicationApiRequest
|
||||
{
|
||||
/**
|
||||
* @var \Pterodactyl\Models\Server
|
||||
*/
|
||||
private $serverModel;
|
||||
|
||||
/**
|
||||
* @var string
|
||||
*/
|
||||
|
|
@ -24,30 +16,4 @@ class GetExternalServerRequest extends ApplicationApiRequest
|
|||
* @var int
|
||||
*/
|
||||
protected $permission = AdminAcl::READ;
|
||||
|
||||
/**
|
||||
* Determine if the requested external user exists.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$repository = $this->container->make(ServerRepositoryInterface::class);
|
||||
|
||||
try {
|
||||
$this->serverModel = $repository->findFirstWhere([
|
||||
['external_id', '=', $this->route()->parameter('external_id')],
|
||||
]);
|
||||
} catch (RecordNotFoundException $exception) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the server model for the requested external server.
|
||||
*/
|
||||
public function getServerModel(): Server
|
||||
{
|
||||
return $this->serverModel;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,7 +12,7 @@ class UpdateServerBuildConfigurationRequest extends ServerWriteRequest
|
|||
*/
|
||||
public function rules(): array
|
||||
{
|
||||
$rules = Server::getRulesForUpdate($this->getModel(Server::class));
|
||||
$rules = Server::getRulesForUpdate($this->parameter('server', Server::class));
|
||||
|
||||
return [
|
||||
'allocation' => $rules['allocation_id'],
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ class UpdateServerDetailsRequest extends ServerWriteRequest
|
|||
*/
|
||||
public function rules(): array
|
||||
{
|
||||
$rules = Server::getRulesForUpdate($this->getModel(Server::class));
|
||||
$rules = Server::getRulesForUpdate($this->parameter('server', Server::class));
|
||||
|
||||
return [
|
||||
'external_id' => $rules['external_id'],
|
||||
|
|
|
|||
|
|
@ -23,7 +23,7 @@ class UpdateServerStartupRequest extends ApplicationApiRequest
|
|||
*/
|
||||
public function rules(): array
|
||||
{
|
||||
$data = Server::getRulesForUpdate($this->getModel(Server::class));
|
||||
$data = Server::getRulesForUpdate($this->parameter('server', Server::class));
|
||||
|
||||
return [
|
||||
'startup' => $data['startup'],
|
||||
|
|
|
|||
|
|
@ -2,7 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Users;
|
||||
|
||||
use Pterodactyl\Models\User;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
|
||||
|
||||
|
|
@ -17,14 +16,4 @@ class DeleteUserRequest extends ApplicationApiRequest
|
|||
* @var int
|
||||
*/
|
||||
protected $permission = AdminAcl::WRITE;
|
||||
|
||||
/**
|
||||
* Determine if the requested user exists on the Panel.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$user = $this->route()->parameter('user');
|
||||
|
||||
return $user instanceof User && $user->exists;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,19 +2,11 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application\Users;
|
||||
|
||||
use Pterodactyl\Models\User;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
|
||||
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
|
||||
use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
|
||||
|
||||
class GetExternalUserRequest extends ApplicationApiRequest
|
||||
{
|
||||
/**
|
||||
* @var User
|
||||
*/
|
||||
private $userModel;
|
||||
|
||||
/**
|
||||
* @var string
|
||||
*/
|
||||
|
|
@ -24,30 +16,4 @@ class GetExternalUserRequest extends ApplicationApiRequest
|
|||
* @var int
|
||||
*/
|
||||
protected $permission = AdminAcl::READ;
|
||||
|
||||
/**
|
||||
* Determine if the requested external user exists.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
$repository = $this->container->make(UserRepositoryInterface::class);
|
||||
|
||||
try {
|
||||
$this->userModel = $repository->findFirstWhere([
|
||||
['external_id', '=', $this->route()->parameter('external_id')],
|
||||
]);
|
||||
} catch (RecordNotFoundException $exception) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the user model for the requested external user.
|
||||
*/
|
||||
public function getUserModel(): User
|
||||
{
|
||||
return $this->userModel;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -11,7 +11,7 @@ class UpdateUserRequest extends StoreUserRequest
|
|||
*/
|
||||
public function rules(array $rules = null): array
|
||||
{
|
||||
$userId = $this->getModel(User::class)->id;
|
||||
$userId = $this->parameter('user', User::class)->id;
|
||||
|
||||
return parent::rules(User::getRulesForUpdate($userId));
|
||||
}
|
||||
|
|
|
|||
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Client\Servers\Databases;
|
||||
|
||||
use Pterodactyl\Models\Server;
|
||||
use Pterodactyl\Models\Database;
|
||||
use Pterodactyl\Models\Permission;
|
||||
use Pterodactyl\Contracts\Http\ClientPermissionsRequest;
|
||||
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
|
||||
|
|
@ -14,9 +12,4 @@ class DeleteDatabaseRequest extends ClientApiRequest implements ClientPermission
|
|||
{
|
||||
return Permission::ACTION_DATABASE_DELETE;
|
||||
}
|
||||
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
return $this->getModel(Server::class)->id === $this->getModel(Database::class)->server_id;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,6 +13,6 @@ class DownloadFileRequest extends ClientApiRequest
|
|||
*/
|
||||
public function authorize(): bool
|
||||
{
|
||||
return $this->user()->can('file.read', $this->getModel(Server::class));
|
||||
return $this->user()->can('file.read', $this->parameter('server', Server::class));
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Reference in a new issue