dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

feat(auth): implement authorization checks for application management

Browse Source
This commit is contained in:
Andras Bacsai
2025-08-22 16:47:59 +02:00
parent 37ee6717e9
commit 40f108d6e1
14 changed files with 449 additions and 144 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
app/Livewire/Project/Application/Advanced.php
View File

@@ -3,11 +3,14 @@
namespace App\Livewire\Project\Application; namespace App\Livewire\Project\Application;
use App\Models\Application; use App\Models\Application;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Validate; use Livewire\Attributes\Validate;
use Livewire\Component; use Livewire\Component;
class Advanced extends Component class Advanced extends Component
{ {
use AuthorizesRequests;
public Application $application; public Application $application;
#[Validate(['boolean'])] #[Validate(['boolean'])]
@@ -142,6 +145,7 @@ class Advanced extends Component
public function instantSave() public function instantSave()
{ {
try { try {
$this->authorize('update', $this->application);
$reset = false; $reset = false;
if ($this->isLogDrainEnabled) { if ($this->isLogDrainEnabled) {
if (! $this->application->destination->server->isLogDrainEnabled()) { if (! $this->application->destination->server->isLogDrainEnabled()) {
@@ -180,6 +184,7 @@ class Advanced extends Component
public function submit() public function submit()
{ {
try { try {
$this->authorize('update', $this->application);
if ($this->gpuCount && $this->gpuDeviceIds) { if ($this->gpuCount && $this->gpuDeviceIds) {
$this->dispatch('error', 'You cannot set both GPU count and GPU device IDs.'); $this->dispatch('error', 'You cannot set both GPU count and GPU device IDs.');
$this->gpuCount = null; $this->gpuCount = null;
@@ -197,33 +202,39 @@ class Advanced extends Component
public function saveCustomName() public function saveCustomName()
{ {
if (str($this->customInternalName)->isNotEmpty()) { try {
$this->customInternalName = str($this->customInternalName)->slug()->value(); $this->authorize('update', $this->application);
} else {
$this->customInternalName = null; if (str($this->customInternalName)->isNotEmpty()) {
} $this->customInternalName = str($this->customInternalName)->slug()->value();
if (is_null($this->customInternalName)) { } else {
$this->customInternalName = null;
}
if (is_null($this->customInternalName)) {
$this->syncData(true);
$this->dispatch('success', 'Custom name saved.');
return;
}
$customInternalName = $this->customInternalName;
$server = $this->application->destination->server;
$allApplications = $server->applications();
$foundSameInternalName = $allApplications->filter(function ($application) {
return $application->id !== $this->application->id && $application->settings->custom_internal_name === $this->customInternalName;
});
if ($foundSameInternalName->isNotEmpty()) {
$this->dispatch('error', 'This custom container name is already in use by another application on this server.');
$this->customInternalName = $customInternalName;
$this->syncData(true);
return;
}
$this->syncData(true); $this->syncData(true);
$this->dispatch('success', 'Custom name saved.'); $this->dispatch('success', 'Custom name saved.');
} catch (\Throwable $e) {
return; return handleError($e, $this);
} }
$customInternalName = $this->customInternalName;
$server = $this->application->destination->server;
$allApplications = $server->applications();
$foundSameInternalName = $allApplications->filter(function ($application) {
return $application->id !== $this->application->id && $application->settings->custom_internal_name === $this->customInternalName;
});
if ($foundSameInternalName->isNotEmpty()) {
$this->dispatch('error', 'This custom container name is already in use by another application on this server.');
$this->customInternalName = $customInternalName;
$this->syncData(true);
return;
}
$this->syncData(true);
$this->dispatch('success', 'Custom name saved.');
} }
public function render() public function render()

143
app/Livewire/Project/Application/General.php
View File

@@ -5,6 +5,7 @@ namespace App\Livewire\Project\Application;
use App\Actions\Application\GenerateConfig; use App\Actions\Application\GenerateConfig;
use App\Models\Application; use App\Models\Application;
use App\Support\ValidationPatterns; use App\Support\ValidationPatterns;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Support\Collection; use Illuminate\Support\Collection;
use Livewire\Component; use Livewire\Component;
use Spatie\Url\Url; use Spatie\Url\Url;
@@ -12,6 +13,8 @@ use Visus\Cuid2\Cuid2;
class General extends Component class General extends Component
{ {
use AuthorizesRequests;
public string $applicationId; public string $applicationId;
public Application $application; public Application $application;
@@ -224,37 +227,44 @@ class General extends Component
public function instantSave() public function instantSave()
{ {
if ($this->application->settings->isDirty('is_spa')) { try {
$this->generateNginxConfiguration($this->application->settings->is_spa ? 'spa' : 'static'); $this->authorize('update', $this->application);
}
if ($this->application->isDirty('is_http_basic_auth_enabled')) {
$this->application->save();
}
$this->application->settings->save();
$this->dispatch('success', 'Settings saved.');
$this->application->refresh();
// If port_exposes changed, reset default labels if ($this->application->settings->isDirty('is_spa')) {
if ($this->ports_exposes !== $this->application->ports_exposes || $this->is_container_label_escape_enabled !== $this->application->settings->is_container_label_escape_enabled) { $this->generateNginxConfiguration($this->application->settings->is_spa ? 'spa' : 'static');
$this->resetDefaultLabels(false);
}
if ($this->is_preserve_repository_enabled !== $this->application->settings->is_preserve_repository_enabled) {
if ($this->application->settings->is_preserve_repository_enabled === false) {
$this->application->fileStorages->each(function ($storage) {
$storage->is_based_on_git = $this->application->settings->is_preserve_repository_enabled;
$storage->save();
});
} }
} if ($this->application->isDirty('is_http_basic_auth_enabled')) {
if ($this->application->settings->is_container_label_readonly_enabled) { $this->application->save();
$this->resetDefaultLabels(false); }
} $this->application->settings->save();
$this->dispatch('success', 'Settings saved.');
$this->application->refresh();
// If port_exposes changed, reset default labels
if ($this->ports_exposes !== $this->application->ports_exposes || $this->is_container_label_escape_enabled !== $this->application->settings->is_container_label_escape_enabled) {
$this->resetDefaultLabels(false);
}
if ($this->is_preserve_repository_enabled !== $this->application->settings->is_preserve_repository_enabled) {
if ($this->application->settings->is_preserve_repository_enabled === false) {
$this->application->fileStorages->each(function ($storage) {
$storage->is_based_on_git = $this->application->settings->is_preserve_repository_enabled;
$storage->save();
});
}
}
if ($this->application->settings->is_container_label_readonly_enabled) {
$this->resetDefaultLabels(false);
}
} catch (\Throwable $e) {
return handleError($e, $this);
}
} }
public function loadComposeFile($isInit = false, $showToast = true) public function loadComposeFile($isInit = false, $showToast = true)
{ {
try { try {
$this->authorize('update', $this->application);
if ($isInit && $this->application->docker_compose_raw) { if ($isInit && $this->application->docker_compose_raw) {
return; return;
} }
@@ -293,35 +303,41 @@ class General extends Component
public function generateDomain(string $serviceName) public function generateDomain(string $serviceName)
{ {
$uuid = new Cuid2; try {
$domain = generateUrl(server: $this->application->destination->server, random: $uuid); $this->authorize('update', $this->application);
$sanitizedKey = str($serviceName)->slug('_')->toString();
$this->parsedServiceDomains[$sanitizedKey]['domain'] = $domain;
// Convert back to original service names for storage $uuid = new Cuid2;
$originalDomains = []; $domain = generateUrl(server: $this->application->destination->server, random: $uuid);
foreach ($this->parsedServiceDomains as $key => $value) { $sanitizedKey = str($serviceName)->slug('_')->toString();
// Find the original service name by checking parsed services $this->parsedServiceDomains[$sanitizedKey]['domain'] = $domain;
$originalServiceName = $key;
if (isset($this->parsedServices['services'])) { // Convert back to original service names for storage
foreach ($this->parsedServices['services'] as $originalName => $service) { $originalDomains = [];
if (str($originalName)->slug('_')->toString() === $key) { foreach ($this->parsedServiceDomains as $key => $value) {
$originalServiceName = $originalName; // Find the original service name by checking parsed services
break; $originalServiceName = $key;
if (isset($this->parsedServices['services'])) {
foreach ($this->parsedServices['services'] as $originalName => $service) {
if (str($originalName)->slug('_')->toString() === $key) {
$originalServiceName = $originalName;
break;
}
} }
} }
$originalDomains[$originalServiceName] = $value;
} }
$originalDomains[$originalServiceName] = $value;
}
$this->application->docker_compose_domains = json_encode($originalDomains); $this->application->docker_compose_domains = json_encode($originalDomains);
$this->application->save(); $this->application->save();
$this->dispatch('success', 'Domain generated.'); $this->dispatch('success', 'Domain generated.');
if ($this->application->build_pack === 'dockercompose') { if ($this->application->build_pack === 'dockercompose') {
$this->loadComposeFile(showToast: false); $this->loadComposeFile(showToast: false);
} }
return $domain; return $domain;
} catch (\Throwable $e) {
return handleError($e, $this);
}
} }
public function updatedApplicationBaseDirectory() public function updatedApplicationBaseDirectory()
@@ -374,21 +390,33 @@ class General extends Component
public function getWildcardDomain() public function getWildcardDomain()
{ {
$server = data_get($this->application, 'destination.server'); try {
if ($server) { $this->authorize('update', $this->application);
$fqdn = generateFqdn(server: $server, random: $this->application->uuid, parserVersion: $this->application->compose_parsing_version);
$this->application->fqdn = $fqdn; $server = data_get($this->application, 'destination.server');
$this->application->save(); if ($server) {
$this->resetDefaultLabels(); $fqdn = generateFqdn(server: $server, random: $this->application->uuid, parserVersion: $this->application->compose_parsing_version);
$this->dispatch('success', 'Wildcard domain generated.'); $this->application->fqdn = $fqdn;
$this->application->save();
$this->resetDefaultLabels();
$this->dispatch('success', 'Wildcard domain generated.');
}
} catch (\Throwable $e) {
return handleError($e, $this);
} }
} }
public function generateNginxConfiguration($type = 'static') public function generateNginxConfiguration($type = 'static')
{ {
$this->application->custom_nginx_configuration = defaultNginxConfiguration($type); try {
$this->application->save(); $this->authorize('update', $this->application);
$this->dispatch('success', 'Nginx configuration generated.');
$this->application->custom_nginx_configuration = defaultNginxConfiguration($type);
$this->application->save();
$this->dispatch('success', 'Nginx configuration generated.');
} catch (\Throwable $e) {
return handleError($e, $this);
}
} }
public function resetDefaultLabels($manualReset = false) public function resetDefaultLabels($manualReset = false)
@@ -430,6 +458,8 @@ class General extends Component
public function setRedirect() public function setRedirect()
{ {
$this->authorize('update', $this->application);
try { try {
$has_www = collect($this->application->fqdns)->filter(fn ($fqdn) => str($fqdn)->contains('www.'))->count(); $has_www = collect($this->application->fqdns)->filter(fn ($fqdn) => str($fqdn)->contains('www.'))->count();
if ($has_www === 0 && $this->application->redirect === 'www') { if ($has_www === 0 && $this->application->redirect === 'www') {
@@ -448,6 +478,7 @@ class General extends Component
public function submit($showToaster = true) public function submit($showToaster = true)
{ {
try { try {
$this->authorize('update', $this->application);
$this->application->fqdn = str($this->application->fqdn)->replaceEnd(',', '')->trim(); $this->application->fqdn = str($this->application->fqdn)->replaceEnd(',', '')->trim();
$this->application->fqdn = str($this->application->fqdn)->replaceStart(',', '')->trim(); $this->application->fqdn = str($this->application->fqdn)->replaceStart(',', '')->trim();
$this->application->fqdn = str($this->application->fqdn)->trim()->explode(',')->map(function ($domain) { $this->application->fqdn = str($this->application->fqdn)->trim()->explode(',')->map(function ($domain) {

11
app/Livewire/Project/Application/Heading.php
View File

@@ -5,11 +5,14 @@ namespace App\Livewire\Project\Application;
use App\Actions\Application\StopApplication; use App\Actions\Application\StopApplication;
use App\Actions\Docker\GetContainersStatus; use App\Actions\Docker\GetContainersStatus;
use App\Models\Application; use App\Models\Application;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component; use Livewire\Component;
use Visus\Cuid2\Cuid2; use Visus\Cuid2\Cuid2;
class Heading extends Component class Heading extends Component
{ {
use AuthorizesRequests;
public Application $application; public Application $application;
public ?string $lastDeploymentInfo = null; public ?string $lastDeploymentInfo = null;
@@ -57,11 +60,15 @@ class Heading extends Component
public function force_deploy_without_cache() public function force_deploy_without_cache()
{ {
$this->authorize('deploy', $this->application);
$this->deploy(force_rebuild: true); $this->deploy(force_rebuild: true);
} }
public function deploy(bool $force_rebuild = false) public function deploy(bool $force_rebuild = false)
{ {
$this->authorize('deploy', $this->application);
if ($this->application->build_pack === 'dockercompose' && is_null($this->application->docker_compose_raw)) { if ($this->application->build_pack === 'dockercompose' && is_null($this->application->docker_compose_raw)) {
$this->dispatch('error', 'Failed to deploy', 'Please load a Compose file first.'); $this->dispatch('error', 'Failed to deploy', 'Please load a Compose file first.');
@@ -110,12 +117,16 @@ class Heading extends Component
public function stop() public function stop()
{ {
$this->authorize('deploy', $this->application);
$this->dispatch('info', 'Gracefully stopping application.<br/>It could take a while depending on the application.'); $this->dispatch('info', 'Gracefully stopping application.<br/>It could take a while depending on the application.');
StopApplication::dispatch($this->application, false, $this->docker_cleanup); StopApplication::dispatch($this->application, false, $this->docker_cleanup);
} }
public function restart() public function restart()
{ {
$this->authorize('deploy', $this->application);
if ($this->application->additional_servers->count() > 0 && str($this->application->docker_registry_image_name)->isEmpty()) { if ($this->application->additional_servers->count() > 0 && str($this->application->docker_registry_image_name)->isEmpty()) {
$this->dispatch('error', 'Failed to deploy', 'Before deploying to multiple servers, you must first set a Docker image in the General tab.<br>More information here: <a target="_blank" class="underline" href="https://coolify.io/docs/knowledge-base/server/multiple-servers">documentation</a>'); $this->dispatch('error', 'Failed to deploy', 'Before deploying to multiple servers, you must first set a Docker image in the General tab.<br>More information here: <a target="_blank" class="underline" href="https://coolify.io/docs/knowledge-base/server/multiple-servers">documentation</a>');

48
app/Livewire/Project/Application/Previews.php
View File

@@ -6,12 +6,15 @@ use App\Actions\Docker\GetContainersStatus;
use App\Jobs\DeleteResourceJob; use App\Jobs\DeleteResourceJob;
use App\Models\Application; use App\Models\Application;
use App\Models\ApplicationPreview; use App\Models\ApplicationPreview;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Support\Collection; use Illuminate\Support\Collection;
use Livewire\Component; use Livewire\Component;
use Visus\Cuid2\Cuid2; use Visus\Cuid2\Cuid2;
class Previews extends Component class Previews extends Component
{ {
use AuthorizesRequests;
public Application $application; public Application $application;
public string $deployment_uuid; public string $deployment_uuid;
@@ -48,6 +51,7 @@ class Previews extends Component
public function save_preview($preview_id) public function save_preview($preview_id)
{ {
try { try {
$this->authorize('update', $this->application);
$success = true; $success = true;
$preview = $this->application->previews->find($preview_id); $preview = $this->application->previews->find($preview_id);
if (data_get_str($preview, 'fqdn')->isNotEmpty()) { if (data_get_str($preview, 'fqdn')->isNotEmpty()) {
@@ -73,29 +77,36 @@ class Previews extends Component
public function generate_preview($preview_id) public function generate_preview($preview_id)
{ {
$preview = $this->application->previews->find($preview_id); try {
if (! $preview) { $this->authorize('update', $this->application);
$this->dispatch('error', 'Preview not found.');
return; $preview = $this->application->previews->find($preview_id);
} if (! $preview) {
if ($this->application->build_pack === 'dockercompose') { $this->dispatch('error', 'Preview not found.');
$preview->generate_preview_fqdn_compose();
return;
}
if ($this->application->build_pack === 'dockercompose') {
$preview->generate_preview_fqdn_compose();
$this->application->refresh();
$this->dispatch('success', 'Domain generated.');
return;
}
$preview->generate_preview_fqdn();
$this->application->refresh(); $this->application->refresh();
$this->dispatch('update_links');
$this->dispatch('success', 'Domain generated.'); $this->dispatch('success', 'Domain generated.');
} catch (\Throwable $e) {
return; return handleError($e, $this);
} }
$preview->generate_preview_fqdn();
$this->application->refresh();
$this->dispatch('update_links');
$this->dispatch('success', 'Domain generated.');
} }
public function add(int $pull_request_id, ?string $pull_request_html_url = null) public function add(int $pull_request_id, ?string $pull_request_html_url = null)
{ {
try { try {
$this->authorize('update', $this->application);
if ($this->application->build_pack === 'dockercompose') { if ($this->application->build_pack === 'dockercompose') {
$this->setDeploymentUuid(); $this->setDeploymentUuid();
$found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first(); $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
@@ -131,17 +142,23 @@ class Previews extends Component
public function force_deploy_without_cache(int $pull_request_id, ?string $pull_request_html_url = null) public function force_deploy_without_cache(int $pull_request_id, ?string $pull_request_html_url = null)
{ {
$this->authorize('deploy', $this->application);
$this->deploy($pull_request_id, $pull_request_html_url, force_rebuild: true); $this->deploy($pull_request_id, $pull_request_html_url, force_rebuild: true);
} }
public function add_and_deploy(int $pull_request_id, ?string $pull_request_html_url = null) public function add_and_deploy(int $pull_request_id, ?string $pull_request_html_url = null)
{ {
$this->authorize('deploy', $this->application);
$this->add($pull_request_id, $pull_request_html_url); $this->add($pull_request_id, $pull_request_html_url);
$this->deploy($pull_request_id, $pull_request_html_url); $this->deploy($pull_request_id, $pull_request_html_url);
} }
public function deploy(int $pull_request_id, ?string $pull_request_html_url = null, bool $force_rebuild = false) public function deploy(int $pull_request_id, ?string $pull_request_html_url = null, bool $force_rebuild = false)
{ {
$this->authorize('deploy', $this->application);
try { try {
$this->setDeploymentUuid(); $this->setDeploymentUuid();
$found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first(); $found = ApplicationPreview::where('application_id', $this->application->id)->where('pull_request_id', $pull_request_id)->first();
@@ -184,6 +201,8 @@ class Previews extends Component
public function stop(int $pull_request_id) public function stop(int $pull_request_id)
{ {
$this->authorize('deploy', $this->application);
try { try {
$server = $this->application->destination->server; $server = $this->application->destination->server;
@@ -206,6 +225,7 @@ class Previews extends Component
public function delete(int $pull_request_id) public function delete(int $pull_request_id)
{ {
try { try {
$this->authorize('delete', $this->application);
$preview = ApplicationPreview::where('application_id', $this->application->id) $preview = ApplicationPreview::where('application_id', $this->application->id)
->where('pull_request_id', $pull_request_id) ->where('pull_request_id', $pull_request_id)
->first(); ->first();

105
app/Livewire/Project/Application/PreviewsCompose.php
View File

@@ -3,12 +3,15 @@
namespace App\Livewire\Project\Application; namespace App\Livewire\Project\Application;
use App\Models\ApplicationPreview; use App\Models\ApplicationPreview;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component; use Livewire\Component;
use Spatie\Url\Url; use Spatie\Url\Url;
use Visus\Cuid2\Cuid2; use Visus\Cuid2\Cuid2;
class PreviewsCompose extends Component class PreviewsCompose extends Component
{ {
use AuthorizesRequests;
public $service; public $service;
public $serviceName; public $serviceName;
@@ -22,59 +25,71 @@ class PreviewsCompose extends Component
public function save() public function save()
{ {
$domain = data_get($this->service, 'domain'); try {
$docker_compose_domains = data_get($this->preview, 'docker_compose_domains'); $this->authorize('update', $this->preview->application);
$docker_compose_domains = json_decode($docker_compose_domains, true);
$docker_compose_domains[$this->serviceName]['domain'] = $domain; $domain = data_get($this->service, 'domain');
$this->preview->docker_compose_domains = json_encode($docker_compose_domains); $docker_compose_domains = data_get($this->preview, 'docker_compose_domains');
$this->preview->save(); $docker_compose_domains = json_decode($docker_compose_domains, true);
$this->dispatch('update_links'); $docker_compose_domains[$this->serviceName]['domain'] = $domain;
$this->dispatch('success', 'Domain saved.'); $this->preview->docker_compose_domains = json_encode($docker_compose_domains);
$this->preview->save();
$this->dispatch('update_links');
$this->dispatch('success', 'Domain saved.');
} catch (\Throwable $e) {
return handleError($e, $this);
}
} }
public function generate() public function generate()
{ {
$domains = collect(json_decode($this->preview->application->docker_compose_domains)) ?? collect(); try {
$domain = $domains->first(function ($_, $key) { $this->authorize('update', $this->preview->application);
return $key === $this->serviceName;
});
$domain_string = data_get($domain, 'domain'); $domains = collect(json_decode($this->preview->application->docker_compose_domains)) ?? collect();
$domain = $domains->first(function ($_, $key) {
return $key === $this->serviceName;
});
// If no domain is set in the main application, generate a default domain $domain_string = data_get($domain, 'domain');
if (empty($domain_string)) {
$server = $this->preview->application->destination->server;
$template = $this->preview->application->preview_url_template;
$random = new Cuid2;
// Generate a unique domain like main app services do // If no domain is set in the main application, generate a default domain
$generated_fqdn = generateFqdn(server: $server, random: $random, parserVersion: $this->preview->application->compose_parsing_version); if (empty($domain_string)) {
$server = $this->preview->application->destination->server;
$template = $this->preview->application->preview_url_template;
$random = new Cuid2;
$preview_fqdn = str_replace('{{random}}', $random, $template); // Generate a unique domain like main app services do
$preview_fqdn = str_replace('{{domain}}', str($generated_fqdn)->after('://'), $preview_fqdn); $generated_fqdn = generateFqdn(server: $server, random: $random, parserVersion: $this->preview->application->compose_parsing_version);
$preview_fqdn = str_replace('{{pr_id}}', $this->preview->pull_request_id, $preview_fqdn);
$preview_fqdn = str($generated_fqdn)->before('://').'://'.$preview_fqdn; $preview_fqdn = str_replace('{{random}}', $random, $template);
} else { $preview_fqdn = str_replace('{{domain}}', str($generated_fqdn)->after('://'), $preview_fqdn);
// Use the existing domain from the main application $preview_fqdn = str_replace('{{pr_id}}', $this->preview->pull_request_id, $preview_fqdn);
$url = Url::fromString($domain_string); $preview_fqdn = str($generated_fqdn)->before('://').'://'.$preview_fqdn;
$template = $this->preview->application->preview_url_template; } else {
$host = $url->getHost(); // Use the existing domain from the main application
$schema = $url->getScheme(); $url = Url::fromString($domain_string);
$random = new Cuid2; $template = $this->preview->application->preview_url_template;
$preview_fqdn = str_replace('{{random}}', $random, $template); $host = $url->getHost();
$preview_fqdn = str_replace('{{domain}}', $host, $preview_fqdn); $schema = $url->getScheme();
$preview_fqdn = str_replace('{{pr_id}}', $this->preview->pull_request_id, $preview_fqdn); $random = new Cuid2;
$preview_fqdn = "$schema://$preview_fqdn"; $preview_fqdn = str_replace('{{random}}', $random, $template);
$preview_fqdn = str_replace('{{domain}}', $host, $preview_fqdn);
$preview_fqdn = str_replace('{{pr_id}}', $this->preview->pull_request_id, $preview_fqdn);
$preview_fqdn = "$schema://$preview_fqdn";
}
// Save the generated domain
$docker_compose_domains = data_get($this->preview, 'docker_compose_domains');
$docker_compose_domains = json_decode($docker_compose_domains, true);
$docker_compose_domains[$this->serviceName]['domain'] = $this->service->domain = $preview_fqdn;
$this->preview->docker_compose_domains = json_encode($docker_compose_domains);
$this->preview->save();
$this->dispatch('update_links');
$this->dispatch('success', 'Domain generated.');
} catch (\Throwable $e) {
return handleError($e, $this);
} }
// Save the generated domain
$docker_compose_domains = data_get($this->preview, 'docker_compose_domains');
$docker_compose_domains = json_decode($docker_compose_domains, true);
$docker_compose_domains[$this->serviceName]['domain'] = $this->service->domain = $preview_fqdn;
$this->preview->docker_compose_domains = json_encode($docker_compose_domains);
$this->preview->save();
$this->dispatch('update_links');
$this->dispatch('success', 'Domain generated.');
} }
} }

7
app/Livewire/Project/Application/Rollback.php
View File

@@ -3,11 +3,14 @@
namespace App\Livewire\Project\Application; namespace App\Livewire\Project\Application;
use App\Models\Application; use App\Models\Application;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component; use Livewire\Component;
use Visus\Cuid2\Cuid2; use Visus\Cuid2\Cuid2;
class Rollback extends Component class Rollback extends Component
{ {
use AuthorizesRequests;
public Application $application; public Application $application;
public $images = []; public $images = [];
@@ -23,6 +26,8 @@ class Rollback extends Component
public function rollbackImage($commit) public function rollbackImage($commit)
{ {
$this->authorize('deploy', $this->application);
$deployment_uuid = new Cuid2; $deployment_uuid = new Cuid2;
queue_application_deployment( queue_application_deployment(
@@ -43,6 +48,8 @@ class Rollback extends Component
public function loadImages($showToast = false) public function loadImages($showToast = false)
{ {
$this->authorize('view', $this->application);
try { try {
$image = $this->application->docker_registry_image_name ?? $this->application->uuid; $image = $this->application->docker_registry_image_name ?? $this->application->uuid;
if ($this->application->destination->server->isFunctional()) { if ($this->application->destination->server->isFunctional()) {

8
app/Livewire/Project/Application/Source.php
View File

@@ -4,12 +4,15 @@ namespace App\Livewire\Project\Application;
use App\Models\Application; use App\Models\Application;
use App\Models\PrivateKey; use App\Models\PrivateKey;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Locked; use Livewire\Attributes\Locked;
use Livewire\Attributes\Validate; use Livewire\Attributes\Validate;
use Livewire\Component; use Livewire\Component;
class Source extends Component class Source extends Component
{ {
use AuthorizesRequests;
public Application $application; public Application $application;
#[Locked] #[Locked]
@@ -81,6 +84,7 @@ class Source extends Component
public function setPrivateKey(int $privateKeyId) public function setPrivateKey(int $privateKeyId)
{ {
try { try {
$this->authorize('update', $this->application);
$this->privateKeyId = $privateKeyId; $this->privateKeyId = $privateKeyId;
$this->syncData(true); $this->syncData(true);
$this->getPrivateKeys(); $this->getPrivateKeys();
@@ -94,7 +98,9 @@ class Source extends Component
public function submit() public function submit()
{ {
try { try {
$this->authorize('update', $this->application);
if (str($this->gitCommitSha)->isEmpty()) { if (str($this->gitCommitSha)->isEmpty()) {
$this->gitCommitSha = 'HEAD'; $this->gitCommitSha = 'HEAD';
} }
@@ -107,7 +113,9 @@ class Source extends Component
public function changeSource($sourceId, $sourceType) public function changeSource($sourceId, $sourceType)
{ {
try { try {
$this->authorize('update', $this->application);
$this->application->update([ $this->application->update([
'source_id' => $sourceId, 'source_id' => $sourceId,
'source_type' => $sourceType, 'source_type' => $sourceType,

4
app/Livewire/Project/Shared/Danger.php
View File

@@ -7,6 +7,7 @@ use App\Models\InstanceSettings;
use App\Models\Service; use App\Models\Service;
use App\Models\ServiceApplication; use App\Models\ServiceApplication;
use App\Models\ServiceDatabase; use App\Models\ServiceDatabase;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Support\Facades\Auth; use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash; use Illuminate\Support\Facades\Hash;
use Livewire\Component; use Livewire\Component;
@@ -14,6 +15,8 @@ use Visus\Cuid2\Cuid2;
class Danger extends Component class Danger extends Component
{ {
use AuthorizesRequests;
public $resource; public $resource;
public $resourceName; public $resourceName;
@@ -96,6 +99,7 @@ class Danger extends Component
} }
try { try {
$this->authorize('delete', $this->resource);
$this->resource->delete(); $this->resource->delete();
DeleteResourceJob::dispatch( DeleteResourceJob::dispatch(
$this->resource, $this->resource,

7
app/Livewire/Project/Shared/EnvironmentVariable/All.php
View File

@@ -4,11 +4,12 @@ namespace App\Livewire\Project\Shared\EnvironmentVariable;
use App\Models\EnvironmentVariable; use App\Models\EnvironmentVariable;
use App\Traits\EnvironmentVariableProtection; use App\Traits\EnvironmentVariableProtection;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component; use Livewire\Component;
class All extends Component class All extends Component
{ {
use EnvironmentVariableProtection; use AuthorizesRequests, EnvironmentVariableProtection;
public $resource; public $resource;
@@ -44,6 +45,8 @@ class All extends Component
public function instantSave() public function instantSave()
{ {
$this->authorize('manageEnvironment', $this->resource);
$this->resource->settings->is_env_sorting_enabled = $this->is_env_sorting_enabled; $this->resource->settings->is_env_sorting_enabled = $this->is_env_sorting_enabled;
$this->resource->settings->save(); $this->resource->settings->save();
$this->sortEnvironmentVariables(); $this->sortEnvironmentVariables();
@@ -95,6 +98,8 @@ class All extends Component
public function submit($data = null) public function submit($data = null)
{ {
$this->authorize('manageEnvironment', $this->resource);
try { try {
if ($data === null) { if ($data === null) {
$this->handleBulkSubmit(); $this->handleBulkSubmit();

6
app/Livewire/Project/Shared/ResourceOperations.php
View File

@@ -12,11 +12,14 @@ use App\Models\Environment;
use App\Models\Project; use App\Models\Project;
use App\Models\StandaloneDocker; use App\Models\StandaloneDocker;
use App\Models\SwarmDocker; use App\Models\SwarmDocker;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component; use Livewire\Component;
use Visus\Cuid2\Cuid2; use Visus\Cuid2\Cuid2;
class ResourceOperations extends Component class ResourceOperations extends Component
{ {
use AuthorizesRequests;
public $resource; public $resource;
public $projectUuid; public $projectUuid;
@@ -45,6 +48,8 @@ class ResourceOperations extends Component
public function cloneTo($destination_id) public function cloneTo($destination_id)
{ {
$this->authorize('update', $this->resource);
$new_destination = StandaloneDocker::find($destination_id); $new_destination = StandaloneDocker::find($destination_id);
if (! $new_destination) { if (! $new_destination) {
$new_destination = SwarmDocker::find($destination_id); $new_destination = SwarmDocker::find($destination_id);
@@ -485,6 +490,7 @@ class ResourceOperations extends Component
public function moveTo($environment_id) public function moveTo($environment_id)
{ {
try { try {
$this->authorize('update', $this->resource);
$new_environment = Environment::findOrFail($environment_id); $new_environment = Environment::findOrFail($environment_id);
$this->resource->update([ $this->resource->update([
'environment_id' => $environment_id, 'environment_id' => $environment_id,

41
app/Policies/ApplicationPolicy.php
View File

@@ -4,6 +4,7 @@ namespace App\Policies;
use App\Models\Application; use App\Models\Application;
use App\Models\User; use App\Models\User;
use Illuminate\Auth\Access\Response;
class ApplicationPolicy class ApplicationPolicy
{ {
@@ -28,15 +29,23 @@ class ApplicationPolicy
*/ */
public function create(User $user): bool public function create(User $user): bool
{ {
return true; if ($user->isAdmin()) {
return true;
}
return false;
} }
/** /**
* Determine whether the user can update the model. * Determine whether the user can update the model.
*/ */
public function update(User $user, Application $application): bool public function update(User $user, Application $application): Response
{ {
return true; if ($user->isAdmin()) {
return Response::allow();
}
return Response::deny('As a member, you cannot update this application.<br/><br/>You need at least admin or owner permissions.');
} }
/** /**
@@ -64,6 +73,30 @@ class ApplicationPolicy
*/ */
public function forceDelete(User $user, Application $application): bool public function forceDelete(User $user, Application $application): bool
{ {
return true; return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $application->team()->first()->id) !== null;
}
/**
* Determine whether the user can deploy the application.
*/
public function deploy(User $user, Application $application): bool
{
return $user->teams()->get()->firstWhere('id', $application->team()->first()->id) !== null;
}
/**
* Determine whether the user can manage deployments.
*/
public function manageDeployments(User $user, Application $application): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $application->team()->first()->id) !== null;
}
/**
* Determine whether the user can manage environment variables.
*/
public function manageEnvironment(User $user, Application $application): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $application->team()->first()->id) !== null;
} }
} }

86
app/Policies/ApplicationPreviewPolicy.php Normal file
View File

@@ -0,0 +1,86 @@
<?php
namespace App\Policies;
use App\Models\ApplicationPreview;
use App\Models\User;
use Illuminate\Auth\Access\Response;
class ApplicationPreviewPolicy
{
/**
* Determine whether the user can view any models.
*/
public function viewAny(User $user): bool
{
return true;
}
/**
* Determine whether the user can view the model.
*/
public function view(User $user, ApplicationPreview $applicationPreview): bool
{
return $user->teams()->get()->firstWhere('id', $applicationPreview->application->team()->first()->id) !== null;
}
/**
* Determine whether the user can create models.
*/
public function create(User $user): bool
{
return $user->isAdmin();
}
/**
* Determine whether the user can update the model.
*/
public function update(User $user, ApplicationPreview $applicationPreview): Response
{
if ($user->isAdmin()) {
return Response::allow();
}
return Response::deny('As a member, you cannot update this preview.<br/><br/>You need at least admin or owner permissions.');
}
/**
* Determine whether the user can delete the model.
*/
public function delete(User $user, ApplicationPreview $applicationPreview): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $applicationPreview->application->team()->first()->id) !== null;
}
/**
* Determine whether the user can restore the model.
*/
public function restore(User $user, ApplicationPreview $applicationPreview): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $applicationPreview->application->team()->first()->id) !== null;
}
/**
* Determine whether the user can permanently delete the model.
*/
public function forceDelete(User $user, ApplicationPreview $applicationPreview): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $applicationPreview->application->team()->first()->id) !== null;
}
/**
* Determine whether the user can deploy the preview.
*/
public function deploy(User $user, ApplicationPreview $applicationPreview): bool
{
return $user->teams()->get()->firstWhere('id', $applicationPreview->application->team()->first()->id) !== null;
}
/**
* Determine whether the user can manage preview deployments.
*/
public function manageDeployments(User $user, ApplicationPreview $applicationPreview): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $applicationPreview->application->team()->first()->id) !== null;
}
}

65
app/Policies/ApplicationSettingPolicy.php Normal file
View File

@@ -0,0 +1,65 @@
<?php
namespace App\Policies;
use App\Models\ApplicationSetting;
use App\Models\User;
class ApplicationSettingPolicy
{
/**
* Determine whether the user can view any models.
*/
public function viewAny(User $user): bool
{
return true;
}
/**
* Determine whether the user can view the model.
*/
public function view(User $user, ApplicationSetting $applicationSetting): bool
{
return $user->teams()->get()->firstWhere('id', $applicationSetting->application->team()->first()->id) !== null;
}
/**
* Determine whether the user can create models.
*/
public function create(User $user): bool
{
return $user->isAdmin();
}
/**
* Determine whether the user can update the model.
*/
public function update(User $user, ApplicationSetting $applicationSetting): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $applicationSetting->application->team()->first()->id) !== null;
}
/**
* Determine whether the user can delete the model.
*/
public function delete(User $user, ApplicationSetting $applicationSetting): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $applicationSetting->application->team()->first()->id) !== null;
}
/**
* Determine whether the user can restore the model.
*/
public function restore(User $user, ApplicationSetting $applicationSetting): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $applicationSetting->application->team()->first()->id) !== null;
}
/**
* Determine whether the user can permanently delete the model.
*/
public function forceDelete(User $user, ApplicationSetting $applicationSetting): bool
{
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $applicationSetting->application->team()->first()->id) !== null;
}
}

3
app/Providers/AuthServiceProvider.php
View File

@@ -17,6 +17,9 @@ class AuthServiceProvider extends ServiceProvider
\App\Models\PrivateKey::class => \App\Policies\PrivateKeyPolicy::class, \App\Models\PrivateKey::class => \App\Policies\PrivateKeyPolicy::class,
\App\Models\StandaloneDocker::class => \App\Policies\StandaloneDockerPolicy::class, \App\Models\StandaloneDocker::class => \App\Policies\StandaloneDockerPolicy::class,
\App\Models\SwarmDocker::class => \App\Policies\SwarmDockerPolicy::class, \App\Models\SwarmDocker::class => \App\Policies\SwarmDockerPolicy::class,
\App\Models\Application::class => \App\Policies\ApplicationPolicy::class,
\App\Models\ApplicationPreview::class => \App\Policies\ApplicationPreviewPolicy::class,
\App\Models\ApplicationSetting::class => \App\Policies\ApplicationSettingPolicy::class,
]; ];
/** /**