feat(auth): implement authorization checks for server updates across multiple components
- Added authorization checks using the `authorize` method in various Livewire components to ensure only authorized users can update server settings. - Updated `ServerPolicy` to restrict update permissions to admin users and their respective teams. - Enhanced security and access control for server management functionalities.
This commit is contained in:
Andras Bacsai
@@ -76,6 +76,7 @@ class Advanced extends Component
|
||||
public function syncData(bool $toModel = false)
|
||||
{
|
||||
if ($toModel) {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->validate();
|
||||
$this->server->settings->concurrent_builds = $this->concurrentBuilds;
|
||||
$this->server->settings->dynamic_timeout = $this->dynamicTimeout;
|
||||
|
||||
@@ -4,11 +4,14 @@ namespace App\Livewire\Server;
|
||||
|
||||
use App\Actions\Server\ConfigureCloudflared;
|
||||
use App\Models\Server;
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
use Livewire\Attributes\Validate;
|
||||
use Livewire\Component;
|
||||
|
||||
class CloudflareTunnel extends Component
|
||||
{
|
||||
use AuthorizesRequests;
|
||||
|
||||
public Server $server;
|
||||
|
||||
#[Validate(['required', 'string'])]
|
||||
@@ -51,6 +54,7 @@ class CloudflareTunnel extends Component
|
||||
public function toggleCloudflareTunnels()
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
remote_process(['docker rm -f coolify-cloudflared'], $this->server, false, 10);
|
||||
$this->isCloudflareTunnelsEnabled = false;
|
||||
$this->server->settings->is_cloudflare_tunnel = false;
|
||||
@@ -68,6 +72,7 @@ class CloudflareTunnel extends Component
|
||||
|
||||
public function manualCloudflareConfig()
|
||||
{
|
||||
$this->authorize('update', $this->server);
|
||||
$this->isCloudflareTunnelsEnabled = true;
|
||||
$this->server->settings->is_cloudflare_tunnel = true;
|
||||
$this->server->settings->save();
|
||||
@@ -78,6 +83,7 @@ class CloudflareTunnel extends Component
|
||||
public function automatedCloudflareConfig()
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
if (str($this->ssh_domain)->contains('https://')) {
|
||||
$this->ssh_domain = str($this->ssh_domain)->replace('https://', '')->replace('http://', '')->trim();
|
||||
$this->ssh_domain = str($this->ssh_domain)->replace('/', '');
|
||||
|
||||
@@ -4,11 +4,14 @@ namespace App\Livewire\Server;
|
||||
|
||||
use App\Jobs\DockerCleanupJob;
|
||||
use App\Models\Server;
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
use Livewire\Attributes\Validate;
|
||||
use Livewire\Component;
|
||||
|
||||
class DockerCleanup extends Component
|
||||
{
|
||||
use AuthorizesRequests;
|
||||
|
||||
public Server $server;
|
||||
|
||||
public array $parameters = [];
|
||||
@@ -42,6 +45,7 @@ class DockerCleanup extends Component
|
||||
public function syncData(bool $toModel = false)
|
||||
{
|
||||
if ($toModel) {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->validate();
|
||||
$this->server->settings->force_docker_cleanup = $this->forceDockerCleanup;
|
||||
$this->server->settings->docker_cleanup_frequency = $this->dockerCleanupFrequency;
|
||||
@@ -71,6 +75,7 @@ class DockerCleanup extends Component
|
||||
public function manualCleanup()
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
DockerCleanupJob::dispatch($this->server, true, $this->deleteUnusedVolumes, $this->deleteUnusedNetworks);
|
||||
$this->dispatch('success', 'Manual cleanup job started. Depending on the amount of data, this might take a while.');
|
||||
} catch (\Throwable $e) {
|
||||
|
||||
@@ -5,11 +5,14 @@ namespace App\Livewire\Server;
|
||||
use App\Actions\Server\StartLogDrain;
|
||||
use App\Actions\Server\StopLogDrain;
|
||||
use App\Models\Server;
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
use Livewire\Attributes\Validate;
|
||||
use Livewire\Component;
|
||||
|
||||
class LogDrains extends Component
|
||||
{
|
||||
use AuthorizesRequests;
|
||||
|
||||
public Server $server;
|
||||
|
||||
#[Validate(['boolean'])]
|
||||
@@ -160,6 +163,7 @@ class LogDrains extends Component
|
||||
public function instantSave()
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->syncData(true);
|
||||
if ($this->server->isLogDrainEnabled()) {
|
||||
StartLogDrain::run($this->server);
|
||||
@@ -176,6 +180,7 @@ class LogDrains extends Component
|
||||
public function submit(string $type)
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->syncData(true, $type);
|
||||
$this->dispatch('success', 'Settings saved.');
|
||||
} catch (\Throwable $e) {
|
||||
|
||||
@@ -6,12 +6,15 @@ use App\Enums\ProxyTypes;
|
||||
use App\Models\Server;
|
||||
use App\Models\Team;
|
||||
use App\Support\ValidationPatterns;
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
use Illuminate\Support\Collection;
|
||||
use Livewire\Attributes\Locked;
|
||||
use Livewire\Component;
|
||||
|
||||
class ByIp extends Component
|
||||
{
|
||||
use AuthorizesRequests;
|
||||
|
||||
#[Locked]
|
||||
public $private_keys;
|
||||
|
||||
@@ -115,6 +118,7 @@ class ByIp extends Component
|
||||
{
|
||||
$this->validate();
|
||||
try {
|
||||
$this->authorize('create', Server::class);
|
||||
if (Server::where('team_id', currentTeam()->id)
|
||||
->where('ip', $this->ip)
|
||||
->exists()) {
|
||||
|
||||
@@ -4,10 +4,13 @@ namespace App\Livewire\Server\PrivateKey;
|
||||
|
||||
use App\Models\PrivateKey;
|
||||
use App\Models\Server;
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
use Livewire\Component;
|
||||
|
||||
class Show extends Component
|
||||
{
|
||||
use AuthorizesRequests;
|
||||
|
||||
public Server $server;
|
||||
|
||||
public $privateKeys = [];
|
||||
@@ -35,6 +38,7 @@ class Show extends Component
|
||||
|
||||
$originalPrivateKeyId = $this->server->getOriginal('private_key_id');
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->server->update(['private_key_id' => $privateKeyId]);
|
||||
['uptime' => $uptime, 'error' => $error] = $this->server->validateConnection(justCheckingNewKey: true);
|
||||
if ($uptime) {
|
||||
|
||||
@@ -5,10 +5,13 @@ namespace App\Livewire\Server;
|
||||
use App\Actions\Proxy\CheckConfiguration;
|
||||
use App\Actions\Proxy\SaveConfiguration;
|
||||
use App\Models\Server;
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
use Livewire\Component;
|
||||
|
||||
class Proxy extends Component
|
||||
{
|
||||
use AuthorizesRequests;
|
||||
|
||||
public Server $server;
|
||||
|
||||
public ?string $selectedProxy = null;
|
||||
@@ -47,6 +50,7 @@ class Proxy extends Component
|
||||
|
||||
public function changeProxy()
|
||||
{
|
||||
$this->authorize('update', $this->server);
|
||||
$this->server->proxy = null;
|
||||
$this->server->save();
|
||||
|
||||
@@ -56,6 +60,7 @@ class Proxy extends Component
|
||||
public function selectProxy($proxy_type)
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->server->changeProxy($proxy_type, async: false);
|
||||
$this->selectedProxy = $this->server->proxy->type;
|
||||
|
||||
@@ -68,6 +73,7 @@ class Proxy extends Component
|
||||
public function instantSave()
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->validate();
|
||||
$this->server->settings->save();
|
||||
$this->dispatch('success', 'Settings saved.');
|
||||
@@ -79,6 +85,7 @@ class Proxy extends Component
|
||||
public function instantSaveRedirect()
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->server->proxy->redirect_enabled = $this->redirect_enabled;
|
||||
$this->server->save();
|
||||
$this->server->setupDefaultRedirect();
|
||||
@@ -91,6 +98,7 @@ class Proxy extends Component
|
||||
public function submit()
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
SaveConfiguration::run($this->server, $this->proxy_settings);
|
||||
$this->server->proxy->redirect_url = $this->redirect_url;
|
||||
$this->server->save();
|
||||
@@ -104,6 +112,7 @@ class Proxy extends Component
|
||||
public function reset_proxy_configuration()
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->proxy_settings = CheckConfiguration::run($this->server, true);
|
||||
SaveConfiguration::run($this->server, $this->proxy_settings);
|
||||
$this->server->save();
|
||||
|
||||
@@ -7,12 +7,15 @@ use App\Actions\Server\StopSentinel;
|
||||
use App\Events\ServerReachabilityChanged;
|
||||
use App\Models\Server;
|
||||
use App\Support\ValidationPatterns;
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
use Livewire\Attributes\Computed;
|
||||
use Livewire\Attributes\Locked;
|
||||
use Livewire\Component;
|
||||
|
||||
class Show extends Component
|
||||
{
|
||||
use AuthorizesRequests;
|
||||
|
||||
public Server $server;
|
||||
|
||||
public string $name;
|
||||
@@ -157,6 +160,8 @@ class Show extends Component
|
||||
throw new \Exception('This IP/Domain is already in use by another server in your team.');
|
||||
}
|
||||
|
||||
$this->authorize('update', $this->server);
|
||||
|
||||
$this->server->name = $this->name;
|
||||
$this->server->description = $this->description;
|
||||
$this->server->ip = $this->ip;
|
||||
@@ -220,6 +225,7 @@ class Show extends Component
|
||||
public function validateServer($install = true)
|
||||
{
|
||||
try {
|
||||
$this->authorize('update', $this->server);
|
||||
$this->validationLogs = $this->server->validation_logs = null;
|
||||
$this->server->save();
|
||||
$this->dispatch('init', $install);
|
||||
|
||||
@@ -5,10 +5,13 @@ namespace App\Livewire\Server;
|
||||
use App\Actions\Proxy\CheckProxy;
|
||||
use App\Actions\Proxy\StartProxy;
|
||||
use App\Models\Server;
|
||||
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
|
||||
use Livewire\Component;
|
||||
|
||||
class ValidateAndInstall extends Component
|
||||
{
|
||||
use AuthorizesRequests;
|
||||
|
||||
public Server $server;
|
||||
|
||||
public int $number_of_tries = 0;
|
||||
@@ -62,6 +65,7 @@ class ValidateAndInstall extends Component
|
||||
|
||||
public function validateConnection()
|
||||
{
|
||||
$this->authorize('update', $this->server);
|
||||
['uptime' => $this->uptime, 'error' => $error] = $this->server->validateConnection();
|
||||
if (! $this->uptime) {
|
||||
$this->error = 'Server is not reachable. Please validate your configuration and connection.<br>Check this <a target="_blank" class="text-black underline dark:text-white" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help. <br><br><div class="text-error">Error: '.$error.'</div>';
|
||||
|
||||
@@ -28,7 +28,7 @@ class ServerPolicy
|
||||
*/
|
||||
public function create(User $user): bool
|
||||
{
|
||||
return true;
|
||||
return $user->isAdmin();
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -36,7 +36,7 @@ class ServerPolicy
|
||||
*/
|
||||
public function update(User $user, Server $server): bool
|
||||
{
|
||||
return $user->teams()->get()->firstWhere('id', $server->team_id) !== null;
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $server->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -44,7 +44,7 @@ class ServerPolicy
|
||||
*/
|
||||
public function delete(User $user, Server $server): bool
|
||||
{
|
||||
return $user->teams()->get()->firstWhere('id', $server->team_id) !== null;
|
||||
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $server->team_id) !== null;
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user