dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

feat(auth): introduce resource creation authorization middleware and policies for enhanced access control

Browse Source
This commit is contained in:
Andras Bacsai
2025-08-24 17:14:33 +02:00
parent 0702d29ae1
commit 3e1f47a243
9 changed files with 256 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
app/Http/Middleware/CanCreateResources.php Normal file
View File

@@ -0,0 +1,25 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;
use Symfony\Component\HttpFoundation\Response;
class CanCreateResources
{
/**
* Handle an incoming request.
*
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
*/
public function handle(Request $request, Closure $next): Response
{
if (! Gate::allows('createAnyResource')) {
abort(403, 'You do not have permission to create resources.');
}
return $next($request);
}
}

8
app/Policies/ApplicationPolicy.php
View File

@@ -99,4 +99,12 @@ class ApplicationPolicy
{ {
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $application->team()->first()->id) !== null; return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $application->team()->first()->id) !== null;
} }
/**
* Determine whether the user can cleanup deployment queue.
*/
public function cleanupDeploymentQueue(User $user): bool
{
return $user->isAdmin();
}
} }

65
app/Policies/EnvironmentPolicy.php Normal file
View File

@@ -0,0 +1,65 @@
<?php
namespace App\Policies;
use App\Models\Environment;
use App\Models\User;
class EnvironmentPolicy
{
/**
* Determine whether the user can view any models.
*/
public function viewAny(User $user): bool
{
return true;
}
/**
* Determine whether the user can view the model.
*/
public function view(User $user, Environment $environment): bool
{
return $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
}
/**
* Determine whether the user can create models.
*/
public function create(User $user): bool
{
return $user->isAdmin();
}
/**
* Determine whether the user can update the model.
*/
public function update(User $user, Environment $environment): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
}
/**
* Determine whether the user can delete the model.
*/
public function delete(User $user, Environment $environment): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
}
/**
* Determine whether the user can restore the model.
*/
public function restore(User $user, Environment $environment): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
}
/**
* Determine whether the user can permanently delete the model.
*/
public function forceDelete(User $user, Environment $environment): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $environment->project->team_id) !== null;
}
}

65
app/Policies/ProjectPolicy.php Normal file
View File

@@ -0,0 +1,65 @@
<?php
namespace App\Policies;
use App\Models\Project;
use App\Models\User;
class ProjectPolicy
{
/**
* Determine whether the user can view any models.
*/
public function viewAny(User $user): bool
{
return true;
}
/**
* Determine whether the user can view the model.
*/
public function view(User $user, Project $project): bool
{
return $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
}
/**
* Determine whether the user can create models.
*/
public function create(User $user): bool
{
return $user->isAdmin();
}
/**
* Determine whether the user can update the model.
*/
public function update(User $user, Project $project): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
}
/**
* Determine whether the user can delete the model.
*/
public function delete(User $user, Project $project): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
}
/**
* Determine whether the user can restore the model.
*/
public function restore(User $user, Project $project): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
}
/**
* Determine whether the user can permanently delete the model.
*/
public function forceDelete(User $user, Project $project): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $project->team_id) !== null;
}
}

62
app/Policies/ResourceCreatePolicy.php Normal file
View File

@@ -0,0 +1,62 @@
<?php
namespace App\Policies;
use App\Models\Application;
use App\Models\Service;
use App\Models\StandaloneClickhouse;
use App\Models\StandaloneDragonfly;
use App\Models\StandaloneKeydb;
use App\Models\StandaloneMariadb;
use App\Models\StandaloneMongodb;
use App\Models\StandaloneMysql;
use App\Models\StandalonePostgresql;
use App\Models\StandaloneRedis;
use App\Models\User;
class ResourceCreatePolicy
{
/**
* List of resource classes that can be created
*/
public const CREATABLE_RESOURCES = [
StandalonePostgresql::class,
StandaloneRedis::class,
StandaloneMongodb::class,
StandaloneMysql::class,
StandaloneMariadb::class,
StandaloneKeydb::class,
StandaloneDragonfly::class,
StandaloneClickhouse::class,
Service::class,
Application::class,
];
/**
* Determine whether the user can create any resource.
*/
public function createAny(User $user): bool
{
return $user->isAdmin();
}
/**
* Determine whether the user can create a specific resource type.
*/
public function create(User $user, string $resourceClass): bool
{
if (! in_array($resourceClass, self::CREATABLE_RESOURCES)) {
return false;
}
return $user->isAdmin();
}
/**
* Authorize creation of all supported resource types.
*/
public function authorizeAllResourceCreation(User $user): bool
{
return $this->createAny($user);
}
}

2
app/Policies/ServicePolicy.php
View File

@@ -28,7 +28,7 @@ class ServicePolicy
*/ */
public function create(User $user): bool public function create(User $user): bool
{ {
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $service->team()->first()->id) !== null; return $user->isAdmin();
} }
/** /**

9
app/Providers/AuthServiceProvider.php
View File

@@ -3,7 +3,9 @@
namespace App\Providers; namespace App\Providers;
// use Illuminate\Support\Facades\Gate; // use Illuminate\Support\Facades\Gate;
use App\Policies\ResourceCreatePolicy;
use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider; use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider;
use Illuminate\Support\Facades\Gate;
class AuthServiceProvider extends ServiceProvider class AuthServiceProvider extends ServiceProvider
{ {
@@ -20,6 +22,9 @@ class AuthServiceProvider extends ServiceProvider
\App\Models\Application::class => \App\Policies\ApplicationPolicy::class, \App\Models\Application::class => \App\Policies\ApplicationPolicy::class,
\App\Models\ApplicationPreview::class => \App\Policies\ApplicationPreviewPolicy::class, \App\Models\ApplicationPreview::class => \App\Policies\ApplicationPreviewPolicy::class,
\App\Models\ApplicationSetting::class => \App\Policies\ApplicationSettingPolicy::class, \App\Models\ApplicationSetting::class => \App\Policies\ApplicationSettingPolicy::class,
\App\Models\Service::class => \App\Policies\ServicePolicy::class,
\App\Models\Project::class => \App\Policies\ProjectPolicy::class,
\App\Models\Environment::class => \App\Policies\EnvironmentPolicy::class,
// Database policies - all use the shared DatabasePolicy // Database policies - all use the shared DatabasePolicy
\App\Models\StandalonePostgresql::class => \App\Policies\DatabasePolicy::class, \App\Models\StandalonePostgresql::class => \App\Policies\DatabasePolicy::class,
\App\Models\StandaloneMysql::class => \App\Policies\DatabasePolicy::class, \App\Models\StandaloneMysql::class => \App\Policies\DatabasePolicy::class,
@@ -29,6 +34,7 @@ class AuthServiceProvider extends ServiceProvider
\App\Models\StandaloneKeydb::class => \App\Policies\DatabasePolicy::class, \App\Models\StandaloneKeydb::class => \App\Policies\DatabasePolicy::class,
\App\Models\StandaloneDragonfly::class => \App\Policies\DatabasePolicy::class, \App\Models\StandaloneDragonfly::class => \App\Policies\DatabasePolicy::class,
\App\Models\StandaloneClickhouse::class => \App\Policies\DatabasePolicy::class, \App\Models\StandaloneClickhouse::class => \App\Policies\DatabasePolicy::class,
]; ];
/** /**
@@ -36,6 +42,7 @@ class AuthServiceProvider extends ServiceProvider
*/ */
public function boot(): void public function boot(): void
{ {
// // Register gates for resource creation policy
Gate::define('createAnyResource', [ResourceCreatePolicy::class, 'createAny']);
} }
} }

20
app/Traits/AuthorizesResourceCreation.php Normal file
View File

@@ -0,0 +1,20 @@
<?php
namespace App\Traits;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
trait AuthorizesResourceCreation
{
use AuthorizesRequests;
/**
* Authorize creation of all supported resources.
*
* @throws \Illuminate\Auth\Access\AuthorizationException
*/
protected function authorizeResourceCreation(): void
{
$this->authorize('createAnyResource');
}
}

4
routes/web.php
View File

@@ -179,8 +179,8 @@ Route::middleware(['auth', 'verified'])->group(function () {
}); });
Route::prefix('project/{project_uuid}/environment/{environment_uuid}')->group(function () { Route::prefix('project/{project_uuid}/environment/{environment_uuid}')->group(function () {
Route::get('/', ResourceIndex::class)->name('project.resource.index'); Route::get('/', ResourceIndex::class)->name('project.resource.index');
Route::get('/clone', ProjectCloneMe::class)->name('project.clone-me'); Route::get('/clone', ProjectCloneMe::class)->name('project.clone-me')->middleware('can.create.resources');
Route::get('/new', ResourceCreate::class)->name('project.resource.create'); Route::get('/new', ResourceCreate::class)->name('project.resource.create')->middleware('can.create.resources');
Route::get('/edit', EnvironmentEdit::class)->name('project.environment.edit'); Route::get('/edit', EnvironmentEdit::class)->name('project.environment.edit');
}); });
Route::prefix('project/{project_uuid}/environment/{environment_uuid}/application/{application_uuid}')->group(function () { Route::prefix('project/{project_uuid}/environment/{environment_uuid}/application/{application_uuid}')->group(function () {