Massively simplify API binding logic
Changes the API internals to use normal Laravel binding which automatically supports nested-models and can determine their relationships. This removes a lot of confusingly complex internal logic and replaces it with standard Laravel code. This also removes a deprecated "getModel" method and fully replaces it with a "parameter" method that does stricter type-checking.
This commit is contained in:
DaneEveritt
parent
f1235c7f88
commit
e313dff674
53 changed files with 290 additions and 604 deletions
|
|
@ -2,14 +2,12 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Application;
|
||||
|
||||
use Pterodactyl\Models\ApiKey;
|
||||
use Webmozart\Assert\Assert;
|
||||
use Illuminate\Validation\Validator;
|
||||
use Illuminate\Database\Eloquent\Model;
|
||||
use Pterodactyl\Services\Acl\Api\AdminAcl;
|
||||
use Illuminate\Foundation\Http\FormRequest;
|
||||
use Pterodactyl\Exceptions\PterodactylException;
|
||||
use Pterodactyl\Http\Middleware\Api\ApiSubstituteBindings;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\Routing\Exception\InvalidParameterException;
|
||||
|
||||
abstract class ApplicationApiRequest extends FormRequest
|
||||
{
|
||||
|
|
@ -49,15 +47,7 @@ abstract class ApplicationApiRequest extends FormRequest
|
|||
throw new PterodactylException('An ACL resource must be defined on API requests.');
|
||||
}
|
||||
|
||||
return AdminAcl::check($this->key(), $this->resource, $this->permission);
|
||||
}
|
||||
|
||||
/**
|
||||
* Determine if the requested resource exists on the server.
|
||||
*/
|
||||
public function resourceExists(): bool
|
||||
{
|
||||
return true;
|
||||
return AdminAcl::check($this->attributes->get('api_key'), $this->resource, $this->permission);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -68,35 +58,6 @@ abstract class ApplicationApiRequest extends FormRequest
|
|||
return [];
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the API key being used for the request.
|
||||
*/
|
||||
public function key(): ApiKey
|
||||
{
|
||||
return $this->attributes->get('api_key');
|
||||
}
|
||||
|
||||
/**
|
||||
* Grab a model from the route parameters. If no model is found in the
|
||||
* binding mappings an exception will be thrown.
|
||||
*
|
||||
* @return mixed
|
||||
*
|
||||
* @deprecated
|
||||
*
|
||||
* @throws \Symfony\Component\Routing\Exception\InvalidParameterException
|
||||
*/
|
||||
public function getModel(string $model)
|
||||
{
|
||||
$parameterKey = array_get(array_flip(ApiSubstituteBindings::getMappings()), $model);
|
||||
|
||||
if (is_null($parameterKey)) {
|
||||
throw new InvalidParameterException();
|
||||
}
|
||||
|
||||
return $this->route()->parameter($parameterKey);
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper method allowing a developer to easily hook into this logic without having
|
||||
* to remember what the method name is called or where to use it. By default this is
|
||||
|
|
@ -108,50 +69,26 @@ abstract class ApplicationApiRequest extends FormRequest
|
|||
}
|
||||
|
||||
/**
|
||||
* Validate that the resource exists and can be accessed prior to booting
|
||||
* the validator and attempting to use the data.
|
||||
* Returns the named route parameter and asserts that it is a real model that
|
||||
* exists in the database.
|
||||
*
|
||||
* @throws \Illuminate\Auth\Access\AuthorizationException
|
||||
* @template T of \Illuminate\Database\Eloquent\Model
|
||||
*
|
||||
* @param class-string<T> $expect
|
||||
*
|
||||
* @return T
|
||||
* @noinspection PhpUndefinedClassInspection
|
||||
* @noinspection PhpDocSignatureInspection
|
||||
*/
|
||||
protected function prepareForValidation()
|
||||
public function parameter(string $key, string $expect)
|
||||
{
|
||||
if (!$this->passesAuthorization()) {
|
||||
$this->failedAuthorization();
|
||||
}
|
||||
$value = $this->route()->parameter($key);
|
||||
|
||||
$this->hasValidated = true;
|
||||
}
|
||||
Assert::isInstanceOf($value, $expect);
|
||||
Assert::isInstanceOf($value, Model::class);
|
||||
Assert::true($value->exists);
|
||||
|
||||
/*
|
||||
* Determine if the request passes the authorization check as well
|
||||
* as the exists check.
|
||||
*
|
||||
* @return bool
|
||||
*
|
||||
* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
|
||||
*/
|
||||
protected function passesAuthorization()
|
||||
{
|
||||
// If we have already validated we do not need to call this function
|
||||
// again. This is needed to work around Laravel's normal auth validation
|
||||
// that occurs after validating the request params since we are doing auth
|
||||
// validation in the prepareForValidation() function.
|
||||
if ($this->hasValidated) {
|
||||
return true;
|
||||
}
|
||||
|
||||
if (!parent::passesAuthorization()) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Only let the user know that a resource does not exist if they are
|
||||
// authenticated to access the endpoint. This avoids exposing that
|
||||
// an item exists (or does not exist) to the user until they can prove
|
||||
// that they have permission to know about it.
|
||||
if ($this->attributes->get('is_missing_model', false) || !$this->resourceExists()) {
|
||||
throw new NotFoundHttpException(trans('exceptions.api.resource_not_found'));
|
||||
}
|
||||
|
||||
return true;
|
||||
/* @var T $value */
|
||||
return $value;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Reference in a new issue