diff --git a/app/Http/Controllers/Api/ApplicationsController.php b/app/Http/Controllers/Api/ApplicationsController.php index 46dd8120e..0a088d1c3 100644 --- a/app/Http/Controllers/Api/ApplicationsController.php +++ b/app/Http/Controllers/Api/ApplicationsController.php @@ -29,7 +29,7 @@ class ApplicationsController extends Controller $application->makeHidden([ 'id', ]); - if ($token->can('view:sensitive')) { + if ($token->can('read:sensitive')) { return serializeApiResponse($application); } $application->makeHidden([ diff --git a/app/Http/Controllers/Api/DatabasesController.php b/app/Http/Controllers/Api/DatabasesController.php index 65873f818..e30388ec8 100644 --- a/app/Http/Controllers/Api/DatabasesController.php +++ b/app/Http/Controllers/Api/DatabasesController.php @@ -24,7 +24,7 @@ class DatabasesController extends Controller 'id', 'laravel_through_key', ]); - if ($token->can('view:sensitive')) { + if ($token->can('read:sensitive')) { return serializeApiResponse($database); } diff --git a/app/Http/Controllers/Api/DeployController.php b/app/Http/Controllers/Api/DeployController.php index 666dc55a5..1d162c7ee 100644 --- a/app/Http/Controllers/Api/DeployController.php +++ b/app/Http/Controllers/Api/DeployController.php @@ -17,7 +17,7 @@ class DeployController extends Controller private function removeSensitiveData($deployment) { $token = auth()->user()->currentAccessToken(); - if ($token->can('view:sensitive')) { + if ($token->can('read:sensitive')) { return serializeApiResponse($deployment); } diff --git a/app/Http/Controllers/Api/SecurityController.php b/app/Http/Controllers/Api/SecurityController.php index bb474aed3..aa636983f 100644 --- a/app/Http/Controllers/Api/SecurityController.php +++ b/app/Http/Controllers/Api/SecurityController.php @@ -12,7 +12,7 @@ class SecurityController extends Controller private function removeSensitiveData($team) { $token = auth()->user()->currentAccessToken(); - if ($token->can('view:sensitive')) { + if ($token->can('read:sensitive')) { return serializeApiResponse($team); } $team->makeHidden([ diff --git a/app/Http/Controllers/Api/ServersController.php b/app/Http/Controllers/Api/ServersController.php index af4e008ef..34498bbb6 100644 --- a/app/Http/Controllers/Api/ServersController.php +++ b/app/Http/Controllers/Api/ServersController.php @@ -20,7 +20,7 @@ class ServersController extends Controller private function removeSensitiveDataFromSettings($settings) { $token = auth()->user()->currentAccessToken(); - if ($token->can('view:sensitive')) { + if ($token->can('read:sensitive')) { return serializeApiResponse($settings); } $settings = $settings->makeHidden([ @@ -36,7 +36,7 @@ class ServersController extends Controller $server->makeHidden([ 'id', ]); - if ($token->can('view:sensitive')) { + if ($token->can('read:sensitive')) { return serializeApiResponse($server); } diff --git a/app/Http/Controllers/Api/ServicesController.php b/app/Http/Controllers/Api/ServicesController.php index 89418517b..8ba2a938c 100644 --- a/app/Http/Controllers/Api/ServicesController.php +++ b/app/Http/Controllers/Api/ServicesController.php @@ -22,7 +22,7 @@ class ServicesController extends Controller $service->makeHidden([ 'id', ]); - if ($token->can('view:sensitive')) { + if ($token->can('read:sensitive')) { return serializeApiResponse($service); } diff --git a/app/Http/Controllers/Api/TeamController.php b/app/Http/Controllers/Api/TeamController.php index 3f951c6f7..239c950c0 100644 --- a/app/Http/Controllers/Api/TeamController.php +++ b/app/Http/Controllers/Api/TeamController.php @@ -15,7 +15,7 @@ class TeamController extends Controller 'custom_server_limit', 'pivot', ]); - if ($token->can('view:sensitive')) { + if ($token->can('read:sensitive')) { return serializeApiResponse($team); } $team->makeHidden([ diff --git a/app/Http/Middleware/IgnoreReadOnlyApiToken.php b/app/Http/Middleware/IgnoreReadOnlyApiToken.php deleted file mode 100644 index bd6cd1f8a..000000000 --- a/app/Http/Middleware/IgnoreReadOnlyApiToken.php +++ /dev/null @@ -1,28 +0,0 @@ -user()->currentAccessToken(); - if ($token->can('*')) { - return $next($request); - } - if ($token->can('read-only')) { - return response()->json(['message' => 'You are not allowed to perform this action.'], 403); - } - - return $next($request); - } -} diff --git a/app/Http/Middleware/OnlyRootApiToken.php b/app/Http/Middleware/OnlyRootApiToken.php deleted file mode 100644 index 8ff1fa0e5..000000000 --- a/app/Http/Middleware/OnlyRootApiToken.php +++ /dev/null @@ -1,25 +0,0 @@ -user()->currentAccessToken(); - if ($token->can('*')) { - return $next($request); - } - - return response()->json(['message' => 'You are not allowed to perform this action.'], 403); - } -} diff --git a/app/Livewire/Security/ApiTokens.php b/app/Livewire/Security/ApiTokens.php index 9add0b0ca..6e58df0f0 100644 --- a/app/Livewire/Security/ApiTokens.php +++ b/app/Livewire/Security/ApiTokens.php @@ -11,12 +11,7 @@ class ApiTokens extends Component public $tokens = []; - public bool $viewSensitiveData = false; - public bool $readOnly = true; - public bool $rootAccess = false; - public bool $triggerDeploy = false; - - public array $permissions = ['read-only']; + public array $permissions = ['read']; public $isApiEnabled; @@ -31,60 +26,13 @@ class ApiTokens extends Component $this->tokens = auth()->user()->tokens->sortByDesc('created_at'); } - public function updatedViewSensitiveData() - { - if ($this->viewSensitiveData) { - $this->permissions[] = 'view:sensitive'; - $this->permissions = array_diff($this->permissions, ['*']); - $this->rootAccess = false; - } else { - $this->permissions = array_diff($this->permissions, ['view:sensitive']); - } - $this->makeSureOneIsSelected(); - } - - public function updatedReadOnly() - { - if ($this->readOnly) { - $this->permissions[] = 'read-only'; - $this->permissions = array_diff($this->permissions, ['*']); - $this->rootAccess = false; - } else { - $this->permissions = array_diff($this->permissions, ['read-only']); - } - $this->makeSureOneIsSelected(); - } - - public function updatedRootAccess() - { - if ($this->rootAccess) { - $this->permissions = ['*']; - $this->readOnly = false; - $this->viewSensitiveData = false; - $this->triggerDeploy = false; - } else { - $this->readOnly = true; - $this->permissions = ['read-only']; - } - } - - public function updatedTriggerDeploy() - { - if ($this->triggerDeploy) { - $this->permissions[] = 'trigger-deploy'; - $this->permissions = array_diff($this->permissions, ['*']); - $this->rootAccess = false; - } else { - $this->permissions = array_diff($this->permissions, ['trigger-deploy']); - } - $this->makeSureOneIsSelected(); - } - - public function makeSureOneIsSelected() + public function updated() { if (count($this->permissions) == 0) { - $this->permissions = ['read-only']; - $this->readOnly = true; + $this->permissions = ['read']; + } + if (in_array('read:sensitive', $this->permissions) && !in_array('read', $this->permissions)) { + $this->permissions[] = 'read'; } } @@ -94,7 +42,7 @@ class ApiTokens extends Component $this->validate([ 'description' => 'required|min:3|max:255', ]); - $token = auth()->user()->createToken($this->description, $this->permissions); + $token = auth()->user()->createToken($this->description, array_values($this->permissions)); $this->tokens = auth()->user()->tokens; session()->flash('token', $token->plainTextToken); } catch (\Exception $e) { diff --git a/app/View/Components/Forms/Checkbox.php b/app/View/Components/Forms/Checkbox.php index 414dbf2ae..8abe96c1b 100644 --- a/app/View/Components/Forms/Checkbox.php +++ b/app/View/Components/Forms/Checkbox.php @@ -15,6 +15,7 @@ class Checkbox extends Component public ?string $id = null, public ?string $name = null, public ?string $value = null, + public ?string $domValue = null, public ?string $label = null, public ?string $helper = null, public string|bool $instantSave = false, diff --git a/database/migrations/2024_10_30_074601_rename_token_permissions.php b/database/migrations/2024_10_30_074601_rename_token_permissions.php new file mode 100644 index 000000000..d35d75481 --- /dev/null +++ b/database/migrations/2024_10_30_074601_rename_token_permissions.php @@ -0,0 +1,44 @@ +abilities)) $abilities->push('write', 'read', 'read:sensitive'); + if (in_array('read-only', $token->abilities)) $abilities->push('read'); + if (in_array('view:sensitive', $token->abilities)) $abilities->push('read', 'read:sensitive'); + $token->abilities = $abilities->unique()->values()->all(); + $token->save(); + } + } + + /** + * Reverse the migrations. + */ + public function down(): void + { + $tokens = PersonalAccessToken::all(); + foreach ($tokens as $token) { + $abilities = collect(); + if (in_array('write', $token->abilities)) { + $abilities->push('*'); + } else { + if (in_array('read', $token->abilities)) $abilities->push('read-only'); + if (in_array('read:sensitive', $token->abilities)) $abilities->push('view:sensitive'); + } + $token->abilities = $abilities->unique()->values()->all(); + $token->save(); + } + } +}; diff --git a/resources/views/components/forms/checkbox.blade.php b/resources/views/components/forms/checkbox.blade.php index fed6ad77f..3f01a70c5 100644 --- a/resources/views/components/forms/checkbox.blade.php +++ b/resources/views/components/forms/checkbox.blade.php @@ -5,6 +5,7 @@ 'disabled' => false, 'instantSave' => false, 'value' => null, + 'domValue' => null, 'hideLabel' => false, 'fullWidth' => false, ]) @@ -33,5 +34,7 @@ merge(['class' => $defaultClass]) }} @if ($instantSave) wire:loading.attr="disabled" wire:click='{{ $instantSave === 'instantSave' || $instantSave == '1' ? 'instantSave' : $instantSave }}' - wire:model={{ $id }} @else wire:model={{ $value ?? $id }} @endif /> + wire:model="{{ $id }}" @else wire:model="{{ $value ?? $id }}" @endif + @if ($domValue) value="{{ $domValue }}" @endif + /> diff --git a/resources/views/livewire/security/api-tokens.blade.php b/resources/views/livewire/security/api-tokens.blade.php index a360d4a3b..3ff52417f 100644 --- a/resources/views/livewire/security/api-tokens.blade.php +++ b/resources/views/livewire/security/api-tokens.blade.php @@ -25,21 +25,20 @@
@if ($permissions) @foreach ($permissions as $permission) - @if ($permission === '*') -
Root access, be careful!
- @else -
{{ $permission }}
- @endif +
{{ $permission }}
@endforeach @endif
+ @if (in_array('write', $permissions)) +
Root access, be careful!
+ @endif

Token Permissions

- - - - + + + +
@if (session()->has('token')) diff --git a/routes/api.php b/routes/api.php index 05fe4f5e8..230290d57 100644 --- a/routes/api.php +++ b/routes/api.php @@ -11,8 +11,6 @@ use App\Http\Controllers\Api\ServersController; use App\Http\Controllers\Api\ServicesController; use App\Http\Controllers\Api\TeamController; use App\Http\Middleware\ApiAllowed; -use App\Http\Middleware\IgnoreReadOnlyApiToken; -use App\Http\Middleware\OnlyRootApiToken; use App\Jobs\PushServerUpdateJob; use App\Models\Server; use Illuminate\Support\Facades\Route; @@ -21,7 +19,7 @@ Route::get('/health', [OtherController::class, 'healthcheck']); Route::post('/feedback', [OtherController::class, 'feedback']); Route::group([ - 'middleware' => ['auth:sanctum', OnlyRootApiToken::class], + 'middleware' => ['auth:sanctum', 'ability:write'], 'prefix' => 'v1', ], function () { Route::get('/enable', [OtherController::class, 'enable_api']); @@ -31,105 +29,103 @@ Route::group([ 'middleware' => ['auth:sanctum', ApiAllowed::class], 'prefix' => 'v1', ], function () { - Route::get('/version', [OtherController::class, 'version']); + Route::get('/version', [OtherController::class, 'version'])->middleware(['ability:read']); - Route::get('/teams', [TeamController::class, 'teams']); - Route::get('/teams/current', [TeamController::class, 'current_team']); - Route::get('/teams/current/members', [TeamController::class, 'current_team_members']); - Route::get('/teams/{id}', [TeamController::class, 'team_by_id']); - Route::get('/teams/{id}/members', [TeamController::class, 'members_by_id']); + Route::get('/teams', [TeamController::class, 'teams'])->middleware(['ability:read']); + Route::get('/teams/current', [TeamController::class, 'current_team'])->middleware(['ability:read']); + Route::get('/teams/current/members', [TeamController::class, 'current_team_members'])->middleware(['ability:read']); + Route::get('/teams/{id}', [TeamController::class, 'team_by_id'])->middleware(['ability:read']); + Route::get('/teams/{id}/members', [TeamController::class, 'members_by_id'])->middleware(['ability:read']); - Route::get('/projects', [ProjectController::class, 'projects']); - Route::get('/projects/{uuid}', [ProjectController::class, 'project_by_uuid']); - Route::get('/projects/{uuid}/{environment_name}', [ProjectController::class, 'environment_details']); + Route::get('/projects', [ProjectController::class, 'projects'])->middleware(['ability:read']); + Route::get('/projects/{uuid}', [ProjectController::class, 'project_by_uuid'])->middleware(['ability:read']); + Route::get('/projects/{uuid}/{environment_name}', [ProjectController::class, 'environment_details'])->middleware(['ability:read']); - Route::post('/projects', [ProjectController::class, 'create_project']); - Route::patch('/projects/{uuid}', [ProjectController::class, 'update_project']); - Route::delete('/projects/{uuid}', [ProjectController::class, 'delete_project']); + Route::post('/projects', [ProjectController::class, 'create_project'])->middleware(['ability:read']); + Route::patch('/projects/{uuid}', [ProjectController::class, 'update_project'])->middleware(['ability:write']); + Route::delete('/projects/{uuid}', [ProjectController::class, 'delete_project'])->middleware(['ability:write']); - Route::get('/security/keys', [SecurityController::class, 'keys']); - Route::post('/security/keys', [SecurityController::class, 'create_key'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::get('/security/keys', [SecurityController::class, 'keys'])->middleware(['ability:read']); + Route::post('/security/keys', [SecurityController::class, 'create_key'])->middleware(['ability:write']); - Route::get('/security/keys/{uuid}', [SecurityController::class, 'key_by_uuid']); - Route::patch('/security/keys/{uuid}', [SecurityController::class, 'update_key'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::delete('/security/keys/{uuid}', [SecurityController::class, 'delete_key'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::get('/security/keys/{uuid}', [SecurityController::class, 'key_by_uuid'])->middleware(['ability:read']); + Route::patch('/security/keys/{uuid}', [SecurityController::class, 'update_key'])->middleware(['ability:write']); + Route::delete('/security/keys/{uuid}', [SecurityController::class, 'delete_key'])->middleware(['ability:write']); - Route::match(['get', 'post'], '/deploy', [DeployController::class, 'deploy']) - ->middleware([IgnoreReadOnlyApiToken::class, 'auth:sanctum', 'ability:trigger-deploy']); - Route::get('/deployments', [DeployController::class, 'deployments']); - Route::get('/deployments/{uuid}', [DeployController::class, 'deployment_by_uuid']); + Route::match(['get', 'post'], '/deploy', [DeployController::class, 'deploy'])->middleware(['ability:write,deploy']); + Route::get('/deployments', [DeployController::class, 'deployments'])->middleware(['ability:read']); + Route::get('/deployments/{uuid}', [DeployController::class, 'deployment_by_uuid'])->middleware(['ability:read']); - Route::get('/servers', [ServersController::class, 'servers']); - Route::get('/servers/{uuid}', [ServersController::class, 'server_by_uuid']); - Route::get('/servers/{uuid}/domains', [ServersController::class, 'domains_by_server']); - Route::get('/servers/{uuid}/resources', [ServersController::class, 'resources_by_server']); + Route::get('/servers', [ServersController::class, 'servers'])->middleware(['ability:read']); + Route::get('/servers/{uuid}', [ServersController::class, 'server_by_uuid'])->middleware(['ability:read']); + Route::get('/servers/{uuid}/domains', [ServersController::class, 'domains_by_server'])->middleware(['ability:read']); + Route::get('/servers/{uuid}/resources', [ServersController::class, 'resources_by_server'])->middleware(['ability:read']); - Route::get('/servers/{uuid}/validate', [ServersController::class, 'validate_server']); + Route::get('/servers/{uuid}/validate', [ServersController::class, 'validate_server'])->middleware(['ability:read']); - Route::post('/servers', [ServersController::class, 'create_server']); - Route::patch('/servers/{uuid}', [ServersController::class, 'update_server']); - Route::delete('/servers/{uuid}', [ServersController::class, 'delete_server']); + Route::post('/servers', [ServersController::class, 'create_server'])->middleware(['ability:read']); + Route::patch('/servers/{uuid}', [ServersController::class, 'update_server'])->middleware(['ability:write']); + Route::delete('/servers/{uuid}', [ServersController::class, 'delete_server'])->middleware(['ability:write']); - Route::get('/resources', [ResourcesController::class, 'resources']); + Route::get('/resources', [ResourcesController::class, 'resources'])->middleware(['ability:read']); - Route::get('/applications', [ApplicationsController::class, 'applications']); - Route::post('/applications/public', [ApplicationsController::class, 'create_public_application'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/applications/private-github-app', [ApplicationsController::class, 'create_private_gh_app_application'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/applications/private-deploy-key', [ApplicationsController::class, 'create_private_deploy_key_application'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/applications/dockerfile', [ApplicationsController::class, 'create_dockerfile_application'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/applications/dockerimage', [ApplicationsController::class, 'create_dockerimage_application'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/applications/dockercompose', [ApplicationsController::class, 'create_dockercompose_application'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::get('/applications', [ApplicationsController::class, 'applications'])->middleware(['ability:read']); + Route::post('/applications/public', [ApplicationsController::class, 'create_public_application'])->middleware(['ability:write']); + Route::post('/applications/private-github-app', [ApplicationsController::class, 'create_private_gh_app_application'])->middleware(['ability:write']); + Route::post('/applications/private-deploy-key', [ApplicationsController::class, 'create_private_deploy_key_application'])->middleware(['ability:write']); + Route::post('/applications/dockerfile', [ApplicationsController::class, 'create_dockerfile_application'])->middleware(['ability:write']); + Route::post('/applications/dockerimage', [ApplicationsController::class, 'create_dockerimage_application'])->middleware(['ability:write']); + Route::post('/applications/dockercompose', [ApplicationsController::class, 'create_dockercompose_application'])->middleware(['ability:write']); - Route::get('/applications/{uuid}', [ApplicationsController::class, 'application_by_uuid']); - Route::patch('/applications/{uuid}', [ApplicationsController::class, 'update_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::delete('/applications/{uuid}', [ApplicationsController::class, 'delete_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::get('/applications/{uuid}', [ApplicationsController::class, 'application_by_uuid'])->middleware(['ability:read']); + Route::patch('/applications/{uuid}', [ApplicationsController::class, 'update_by_uuid'])->middleware(['ability:write']); + Route::delete('/applications/{uuid}', [ApplicationsController::class, 'delete_by_uuid'])->middleware(['ability:write']); - Route::get('/applications/{uuid}/envs', [ApplicationsController::class, 'envs']); - Route::post('/applications/{uuid}/envs', [ApplicationsController::class, 'create_env'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::patch('/applications/{uuid}/envs/bulk', [ApplicationsController::class, 'create_bulk_envs'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::patch('/applications/{uuid}/envs', [ApplicationsController::class, 'update_env_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::delete('/applications/{uuid}/envs/{env_uuid}', [ApplicationsController::class, 'delete_env_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); - // Route::post('/applications/{uuid}/execute', [ApplicationsController::class, 'execute_command_by_uuid'])->middleware([OnlyRootApiToken::class]); + Route::get('/applications/{uuid}/envs', [ApplicationsController::class, 'envs'])->middleware(['ability:read']); + Route::post('/applications/{uuid}/envs', [ApplicationsController::class, 'create_env'])->middleware(['ability:write']); + Route::patch('/applications/{uuid}/envs/bulk', [ApplicationsController::class, 'create_bulk_envs'])->middleware(['ability:write']); + Route::patch('/applications/{uuid}/envs', [ApplicationsController::class, 'update_env_by_uuid'])->middleware(['ability:write']); + Route::delete('/applications/{uuid}/envs/{env_uuid}', [ApplicationsController::class, 'delete_env_by_uuid'])->middleware(['ability:write']); + // Route::post('/applications/{uuid}/execute', [ApplicationsController::class, 'execute_command_by_uuid'])->middleware(['ability:write']); - Route::match(['get', 'post'], '/applications/{uuid}/start', [ApplicationsController::class, 'action_deploy'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::match(['get', 'post'], '/applications/{uuid}/restart', [ApplicationsController::class, 'action_restart'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::match(['get', 'post'], '/applications/{uuid}/stop', [ApplicationsController::class, 'action_stop'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::match(['get', 'post'], '/applications/{uuid}/start', [ApplicationsController::class, 'action_deploy'])->middleware(['ability:write']); + Route::match(['get', 'post'], '/applications/{uuid}/restart', [ApplicationsController::class, 'action_restart'])->middleware(['ability:write']); + Route::match(['get', 'post'], '/applications/{uuid}/stop', [ApplicationsController::class, 'action_stop'])->middleware(['ability:write']); - Route::get('/databases', [DatabasesController::class, 'databases']); - Route::post('/databases/postgresql', [DatabasesController::class, 'create_database_postgresql'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/databases/mysql', [DatabasesController::class, 'create_database_mysql'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/databases/mariadb', [DatabasesController::class, 'create_database_mariadb'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/databases/mongodb', [DatabasesController::class, 'create_database_mongodb'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/databases/redis', [DatabasesController::class, 'create_database_redis'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/databases/clickhouse', [DatabasesController::class, 'create_database_clickhouse'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/databases/dragonfly', [DatabasesController::class, 'create_database_dragonfly'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::post('/databases/keydb', [DatabasesController::class, 'create_database_keydb'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::get('/databases', [DatabasesController::class, 'databases'])->middleware(['ability:read']); + Route::post('/databases/postgresql', [DatabasesController::class, 'create_database_postgresql'])->middleware(['ability:write']); + Route::post('/databases/mysql', [DatabasesController::class, 'create_database_mysql'])->middleware(['ability:write']); + Route::post('/databases/mariadb', [DatabasesController::class, 'create_database_mariadb'])->middleware(['ability:write']); + Route::post('/databases/mongodb', [DatabasesController::class, 'create_database_mongodb'])->middleware(['ability:write']); + Route::post('/databases/redis', [DatabasesController::class, 'create_database_redis'])->middleware(['ability:write']); + Route::post('/databases/clickhouse', [DatabasesController::class, 'create_database_clickhouse'])->middleware(['ability:write']); + Route::post('/databases/dragonfly', [DatabasesController::class, 'create_database_dragonfly'])->middleware(['ability:write']); + Route::post('/databases/keydb', [DatabasesController::class, 'create_database_keydb'])->middleware(['ability:write']); - Route::get('/databases/{uuid}', [DatabasesController::class, 'database_by_uuid']); - Route::patch('/databases/{uuid}', [DatabasesController::class, 'update_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::delete('/databases/{uuid}', [DatabasesController::class, 'delete_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::get('/databases/{uuid}', [DatabasesController::class, 'database_by_uuid'])->middleware(['ability:read']); + Route::patch('/databases/{uuid}', [DatabasesController::class, 'update_by_uuid'])->middleware(['ability:write']); + Route::delete('/databases/{uuid}', [DatabasesController::class, 'delete_by_uuid'])->middleware(['ability:write']); - Route::match(['get', 'post'], '/databases/{uuid}/start', [DatabasesController::class, 'action_deploy'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::match(['get', 'post'], '/databases/{uuid}/restart', [DatabasesController::class, 'action_restart'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::match(['get', 'post'], '/databases/{uuid}/stop', [DatabasesController::class, 'action_stop'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::match(['get', 'post'], '/databases/{uuid}/start', [DatabasesController::class, 'action_deploy'])->middleware(['ability:write']); + Route::match(['get', 'post'], '/databases/{uuid}/restart', [DatabasesController::class, 'action_restart'])->middleware(['ability:write']); + Route::match(['get', 'post'], '/databases/{uuid}/stop', [DatabasesController::class, 'action_stop'])->middleware(['ability:write']); - Route::get('/services', [ServicesController::class, 'services']); - Route::post('/services', [ServicesController::class, 'create_service'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::get('/services', [ServicesController::class, 'services'])->middleware(['ability:read']); + Route::post('/services', [ServicesController::class, 'create_service'])->middleware(['ability:write']); - Route::get('/services/{uuid}', [ServicesController::class, 'service_by_uuid']); - // Route::patch('/services/{uuid}', [ServicesController::class, 'update_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::delete('/services/{uuid}', [ServicesController::class, 'delete_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::get('/services/{uuid}', [ServicesController::class, 'service_by_uuid'])->middleware(['ability:read']); + // Route::patch('/services/{uuid}', [ServicesController::class, 'update_by_uuid'])->middleware(['ability:write']); + Route::delete('/services/{uuid}', [ServicesController::class, 'delete_by_uuid'])->middleware(['ability:write']); - Route::get('/services/{uuid}/envs', [ServicesController::class, 'envs']); - Route::post('/services/{uuid}/envs', [ServicesController::class, 'create_env'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::patch('/services/{uuid}/envs/bulk', [ServicesController::class, 'create_bulk_envs'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::patch('/services/{uuid}/envs', [ServicesController::class, 'update_env_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::delete('/services/{uuid}/envs/{env_uuid}', [ServicesController::class, 'delete_env_by_uuid'])->middleware([IgnoreReadOnlyApiToken::class]); - - Route::match(['get', 'post'], '/services/{uuid}/start', [ServicesController::class, 'action_deploy'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::match(['get', 'post'], '/services/{uuid}/restart', [ServicesController::class, 'action_restart'])->middleware([IgnoreReadOnlyApiToken::class]); - Route::match(['get', 'post'], '/services/{uuid}/stop', [ServicesController::class, 'action_stop'])->middleware([IgnoreReadOnlyApiToken::class]); + Route::get('/services/{uuid}/envs', [ServicesController::class, 'envs'])->middleware(['ability:read']); + Route::post('/services/{uuid}/envs', [ServicesController::class, 'create_env'])->middleware(['ability:write']); + Route::patch('/services/{uuid}/envs/bulk', [ServicesController::class, 'create_bulk_envs'])->middleware(['ability:write']); + Route::patch('/services/{uuid}/envs', [ServicesController::class, 'update_env_by_uuid'])->middleware(['ability:write']); + Route::delete('/services/{uuid}/envs/{env_uuid}', [ServicesController::class, 'delete_env_by_uuid'])->middleware(['ability:write']); + Route::match(['get', 'post'], '/services/{uuid}/start', [ServicesController::class, 'action_deploy'])->middleware(['ability:write']); + Route::match(['get', 'post'], '/services/{uuid}/restart', [ServicesController::class, 'action_restart'])->middleware(['ability:write']); + Route::match(['get', 'post'], '/services/{uuid}/stop', [ServicesController::class, 'action_stop'])->middleware(['ability:write']); }); Route::group([