middleware should allow, not deny
@@ -29,7 +29,7 @@ class ApplicationsController extends Controller
|
||||
$application->makeHidden([
|
||||
'id',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
if ($token->can('read:sensitive')) {
|
||||
return serializeApiResponse($application);
|
||||
}
|
||||
$application->makeHidden([
|
||||
|
||||
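Review bot: Renaming the ability from `view:sensitive` to `read:sensitive` fails closed for tokens issued before this commit — their stored abilities still say `view:sensitive`, so they silently lose the sensitive fields instead of erroring, which is safe but will look like a regression to API users. If existing tokens are meant to keep working, either migrate the `abilities` JSON of the stored personal access tokens or accept both names for a deprecation window, `if ($token->can('read:sensitive') || $token->can('view:sensitive')) {`. The same one-line rename is repeated in the Databases, Deploy, Security, Servers, Services and Team controllers, and the enclosing method starts before this hunk.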
@@ -24,7 +24,7 @@ class DatabasesController extends Controller
|
||||
'id',
|
||||
'laravel_through_key',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
if ($token->can('read:sensitive')) {
|
||||
return serializeApiResponse($database);
|
||||
}
|
||||
|
||||
|
||||
@@ -17,7 +17,7 @@ class DeployController extends Controller
|
||||
private function removeSensitiveData($deployment)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('view:sensitive')) {
|
||||
if ($token->can('read:sensitive')) {
|
||||
return serializeApiResponse($deployment);
|
||||
}
|
||||
|
||||
|
||||
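Review bot: With `IgnoreReadOnlyApiToken` and `OnlyRootApiToken` deleted in this commit, the only ability check still visible for this controller is the read-side one in `removeSensitiveData`; nothing in the diff shows what now stops a token holding only `read` from invoking the deploy action itself. The commit title says the replacement is allow-based, so the deploy route should be registered behind an explicit ability check — for Sanctum that is the `CheckAbilities`/`CheckForAnyAbility` route middleware with the ability the token form still issues for deploys — but the route definitions are not part of this diff, so please confirm. `removeSensitiveData` continues past the hunk.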
@@ -12,7 +12,7 @@ class SecurityController extends Controller
|
||||
private function removeSensitiveData($team)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('view:sensitive')) {
|
||||
if ($token->can('read:sensitive')) {
|
||||
return serializeApiResponse($team);
|
||||
}
|
||||
$team->makeHidden([
|
||||
|
||||
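Review bot: `$token->can('read:sensitive')` is evaluated on whatever `currentAccessToken()` returns, and that is not always a stored personal access token: under Sanctum a session-authenticated request receives a `TransientToken` whose `can()` answers true for every ability, and a request authenticated by a guard that sets no token yields null and a fatal method call. If these API routes are reachable with a browser session, the sensitive fields are then returned without any stored ability; guard with `if ($token instanceof PersonalAccessToken && $token->can('read:sensitive')) {` (importing `Laravel\Sanctum\PersonalAccessToken`), or record explicitly that session callers are trusted. The same pattern appears in the other controllers touched here, and `removeSensitiveData` continues past the hunk.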
@@ -20,7 +20,7 @@ class ServersController extends Controller
|
||||
private function removeSensitiveDataFromSettings($settings)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('view:sensitive')) {
|
||||
if ($token->can('read:sensitive')) {
|
||||
return serializeApiResponse($settings);
|
||||
}
|
||||
$settings = $settings->makeHidden([
|
||||
@@ -36,7 +36,7 @@ class ServersController extends Controller
|
||||
$server->makeHidden([
|
||||
'id',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
if ($token->can('read:sensitive')) {
|
||||
return serializeApiResponse($server);
|
||||
}
|
||||
|
||||
|
||||
@@ -22,7 +22,7 @@ class ServicesController extends Controller
|
||||
$service->makeHidden([
|
||||
'id',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
if ($token->can('read:sensitive')) {
|
||||
return serializeApiResponse($service);
|
||||
}
|
||||
|
||||
|
||||
@@ -15,7 +15,7 @@ class TeamController extends Controller
|
||||
'custom_server_limit',
|
||||
'pivot',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
if ($token->can('read:sensitive')) {
|
||||
return serializeApiResponse($team);
|
||||
}
|
||||
$team->makeHidden([
|
||||
|
||||
@@ -1,28 +0,0 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class IgnoreReadOnlyApiToken
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
*
|
||||
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
|
||||
*/
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('*')) {
|
||||
return $next($request);
|
||||
}
|
||||
if ($token->can('read-only')) {
|
||||
return response()->json(['message' => 'You are not allowed to perform this action.'], 403);
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
@@ -1,25 +0,0 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class OnlyRootApiToken
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
*
|
||||
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
|
||||
*/
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('*')) {
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
return response()->json(['message' => 'You are not allowed to perform this action.'], 403);
|
||||
}
|
||||
}
|
||||
@@ -11,12 +11,7 @@ class ApiTokens extends Component
|
||||
|
||||
public $tokens = [];
|
||||
|
||||
public bool $viewSensitiveData = false;
|
||||
public bool $readOnly = true;
|
||||
public bool $rootAccess = false;
|
||||
public bool $triggerDeploy = false;
|
||||
|
||||
public array $permissions = ['read-only'];
|
||||
public array $permissions = ['read'];
|
||||
|
||||
public $isApiEnabled;
|
||||
|
||||
@@ -31,60 +26,13 @@ class ApiTokens extends Component
|
||||
$this->tokens = auth()->user()->tokens->sortByDesc('created_at');
|
||||
}
|
||||
|
||||
public function updatedViewSensitiveData()
|
||||
{
|
||||
if ($this->viewSensitiveData) {
|
||||
$this->permissions[] = 'view:sensitive';
|
||||
$this->permissions = array_diff($this->permissions, ['*']);
|
||||
$this->rootAccess = false;
|
||||
} else {
|
||||
$this->permissions = array_diff($this->permissions, ['view:sensitive']);
|
||||
}
|
||||
$this->makeSureOneIsSelected();
|
||||
}
|
||||
|
||||
public function updatedReadOnly()
|
||||
{
|
||||
if ($this->readOnly) {
|
||||
$this->permissions[] = 'read-only';
|
||||
$this->permissions = array_diff($this->permissions, ['*']);
|
||||
$this->rootAccess = false;
|
||||
} else {
|
||||
$this->permissions = array_diff($this->permissions, ['read-only']);
|
||||
}
|
||||
$this->makeSureOneIsSelected();
|
||||
}
|
||||
|
||||
public function updatedRootAccess()
|
||||
{
|
||||
if ($this->rootAccess) {
|
||||
$this->permissions = ['*'];
|
||||
$this->readOnly = false;
|
||||
$this->viewSensitiveData = false;
|
||||
$this->triggerDeploy = false;
|
||||
} else {
|
||||
$this->readOnly = true;
|
||||
$this->permissions = ['read-only'];
|
||||
}
|
||||
}
|
||||
|
||||
public function updatedTriggerDeploy()
|
||||
{
|
||||
if ($this->triggerDeploy) {
|
||||
$this->permissions[] = 'trigger-deploy';
|
||||
$this->permissions = array_diff($this->permissions, ['*']);
|
||||
$this->rootAccess = false;
|
||||
} else {
|
||||
$this->permissions = array_diff($this->permissions, ['trigger-deploy']);
|
||||
}
|
||||
$this->makeSureOneIsSelected();
|
||||
}
|
||||
|
||||
public function makeSureOneIsSelected()
|
||||
public function updated()
|
||||
{
|
||||
if (count($this->permissions) == 0) {
|
||||
$this->permissions = ['read-only'];
|
||||
$this->readOnly = true;
|
||||
$this->permissions = ['read'];
|
||||
}
|
||||
if (in_array('read:sensitive', $this->permissions) && !in_array('read', $this->permissions)) {
|
||||
$this->permissions[] = 'read';
|
||||
}
|
||||
}
|
||||
|
||||
@@ -94,7 +42,7 @@ class ApiTokens extends Component
|
||||
$this->validate([
|
||||
'description' => 'required|min:3|max:255',
|
||||
]);
|
||||
$token = auth()->user()->createToken($this->description, $this->permissions);
|
||||
$token = auth()->user()->createToken($this->description, array_values($this->permissions));
|
||||
$this->tokens = auth()->user()->tokens;
|
||||
session()->flash('token', $token->plainTextToken);
|
||||
} catch (\Exception $e) {
|
||||
|
||||
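Review bot: `$permissions` is a public Livewire property, so its contents arrive from the client, and the `createToken` call in the last hunk passes `array_values($this->permissions)` through after validating only `description`; the new `updated()` only fills in a default and appends `read`, it never rejects unknown strings, so a user can mint a token for their own account with any ability string, including `*` or abilities the form no longer offers. Because the controllers and Sanctum's wildcard trust whatever is stored, validate against the abilities the form actually issues inside the existing `$this->validate([...])`, e.g. `'permissions' => 'required|array', 'permissions.*' => 'in:read,read:sensitive',` extended with any other ability the form still exposes. The two `in_array` calls in `updated()` should also pass `true` as the third argument so `0`-like values cannot match loosely. `updated()` is Livewire's post-update hook and runs on every property change, so normalising there is fine, but it is not a substitute for validating at the point of creation.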
@@ -15,6 +15,7 @@ class Checkbox extends Component
|
||||
public ?string $id = null,
|
||||
public ?string $name = null,
|
||||
public ?string $value = null,
|
||||
public ?string $domValue = null,
|
||||
public ?string $label = null,
|
||||
public ?string $helper = null,
|
||||
public string|bool $instantSave = false,
|
||||
|
||||