fix: root + read:sensive could read senstive data with a middlewarew

2024-12-09 11:10:35 +01:00
parent ff74fb7385
commit 3fa7d03db7
10 changed files with 74 additions and 70 deletions
--- a/app/Http/Controllers/Api/DatabasesController.php
+++ b/app/Http/Controllers/Api/DatabasesController.php
@@ -19,26 +19,23 @@ class DatabasesController extends Controller
 {
    private function removeSensitiveData($database)
    {
-        $token = auth()->user()->currentAccessToken();
        $database->makeHidden([
            'id',
            'laravel_through_key',
        ]);
-        if ($token->can('read:sensitive')) {
-            return serializeApiResponse($database);
+        if (request()->attributes->get('can_read_sensitive', false) === false) {
+            $database->makeHidden([
+                'internal_db_url',
+                'external_db_url',
+                'postgres_password',
+                'dragonfly_password',
+                'redis_password',
+                'mongo_initdb_root_password',
+                'keydb_password',
+                'clickhouse_admin_password',
+            ]);
        }

-        $database->makeHidden([
-            'internal_db_url',
-            'external_db_url',
-            'postgres_password',
-            'dragonfly_password',
-            'redis_password',
-            'mongo_initdb_root_password',
-            'keydb_password',
-            'clickhouse_admin_password',
-        ]);
-
        return serializeApiResponse($database);
    }