feat(auth): implement comprehensive authorization checks across API controllers
@@ -740,6 +740,8 @@ class ApplicationsController extends Controller
|
||||
return invalidTokenResponse();
|
||||
}
|
||||
|
||||
$this->authorize('create', Application::class);
|
||||
|
||||
$return = validateIncomingRequest($request);
|
||||
if ($return instanceof \Illuminate\Http\JsonResponse) {
|
||||
return $return;
|
||||
@@ -1521,6 +1523,8 @@ class ApplicationsController extends Controller
|
||||
return response()->json(['message' => 'Application not found.'], 404);
|
||||
}
|
||||
|
||||
$this->authorize('view', $application);
|
||||
|
||||
return response()->json($this->removeSensitiveData($application));
|
||||
}
|
||||
|
||||
@@ -1699,6 +1703,8 @@ class ApplicationsController extends Controller
|
||||
], 404);
|
||||
}
|
||||
|
||||
$this->authorize('delete', $application);
|
||||
|
||||
DeleteResourceJob::dispatch(
|
||||
resource: $application,
|
||||
deleteVolumes: $request->query->get('delete_volumes', true),
|
||||
@@ -1856,6 +1862,9 @@ class ApplicationsController extends Controller
|
||||
'message' => 'Application not found',
|
||||
], 404);
|
||||
}
|
||||
|
||||
$this->authorize('update', $application);
|
||||
|
||||
$server = $application->destination->server;
|
||||
$allowedFields = ['name', 'description', 'is_static', 'domains', 'git_repository', 'git_branch', 'git_commit_sha', 'docker_registry_image_name', 'docker_registry_image_tag', 'build_pack', 'static_image', 'install_command', 'build_command', 'start_command', 'ports_exposes', 'ports_mappings', 'base_directory', 'publish_directory', 'health_check_enabled', 'health_check_path', 'health_check_port', 'health_check_host', 'health_check_method', 'health_check_return_code', 'health_check_scheme', 'health_check_response_text', 'health_check_interval', 'health_check_timeout', 'health_check_retries', 'health_check_start_period', 'limits_memory', 'limits_memory_swap', 'limits_memory_swappiness', 'limits_memory_reservation', 'limits_cpus', 'limits_cpuset', 'limits_cpu_shares', 'custom_labels', 'custom_docker_run_options', 'post_deployment_command', 'post_deployment_command_container', 'pre_deployment_command', 'pre_deployment_command_container', 'watch_paths', 'manual_webhook_secret_github', 'manual_webhook_secret_gitlab', 'manual_webhook_secret_bitbucket', 'manual_webhook_secret_gitea', 'docker_compose_location', 'docker_compose_raw', 'docker_compose_custom_start_command', 'docker_compose_custom_build_command', 'docker_compose_domains', 'redirect', 'instant_deploy', 'use_build_server', 'custom_nginx_configuration', 'is_http_basic_auth_enabled', 'http_basic_auth_username', 'http_basic_auth_password', 'connect_to_docker_network'];
|
||||
|
||||
@@ -2140,6 +2149,9 @@ class ApplicationsController extends Controller
|
||||
'message' => 'Application not found',
|
||||
], 404);
|
||||
}
|
||||
|
||||
$this->authorize('view', $application);
|
||||
|
||||
$envs = $application->environment_variables->sortBy('id')->merge($application->environment_variables_preview->sortBy('id'));
|
||||
|
||||
$envs = $envs->map(function ($env) {
|
||||
@@ -2254,6 +2266,9 @@ class ApplicationsController extends Controller
|
||||
'message' => 'Application not found',
|
||||
], 404);
|
||||
}
|
||||
|
||||
$this->authorize('manageEnvironment', $application);
|
||||
|
||||
$validator = customApiValidator($request->all(), [
|
||||
'key' => 'string|required',
|
||||
'value' => 'string|nullable',
|
||||
@@ -2444,6 +2459,8 @@ class ApplicationsController extends Controller
|
||||
], 404);
|
||||
}
|
||||
|
||||
$this->authorize('manageEnvironment', $application);
|
||||
|
||||
$bulk_data = $request->get('data');
|
||||
if (! $bulk_data) {
|
||||
return response()->json([
|
||||
@@ -2628,6 +2645,9 @@ class ApplicationsController extends Controller
|
||||
'message' => 'Application not found',
|
||||
], 404);
|
||||
}
|
||||
|
||||
$this->authorize('manageEnvironment', $application);
|
||||
|
||||
$validator = customApiValidator($request->all(), [
|
||||
'key' => 'string|required',
|
||||
'value' => 'string|nullable',
|
||||
@@ -2778,6 +2798,9 @@ class ApplicationsController extends Controller
|
||||
'message' => 'Application not found.',
|
||||
], 404);
|
||||
}
|
||||
|
||||
$this->authorize('manageEnvironment', $application);
|
||||
|
||||
$found_env = EnvironmentVariable::where('uuid', $request->env_uuid)
|
||||
->where('resourceable_type', Application::class)
|
||||
->where('resourceable_id', $application->id)
|
||||
@@ -2881,6 +2904,8 @@ class ApplicationsController extends Controller
|
||||
return response()->json(['message' => 'Application not found.'], 404);
|
||||
}
|
||||
|
||||
$this->authorize('deploy', $application);
|
||||
|
||||
$deployment_uuid = new Cuid2;
|
||||
|
||||
$result = queue_application_deployment(
|
||||
@@ -2973,6 +2998,9 @@ class ApplicationsController extends Controller
|
||||
if (! $application) {
|
||||
return response()->json(['message' => 'Application not found.'], 404);
|
||||
}
|
||||
|
||||
$this->authorize('deploy', $application);
|
||||
|
||||
StopApplication::dispatch($application);
|
||||
|
||||
return response()->json(
|
||||
@@ -3050,6 +3078,8 @@ class ApplicationsController extends Controller
|
||||
return response()->json(['message' => 'Application not found.'], 404);
|
||||
}
|
||||
|
||||
$this->authorize('deploy', $application);
|
||||
|
||||
$deployment_uuid = new Cuid2;
|
||||
|
||||
$result = queue_application_deployment(
|
||||
|
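Review bot: The environment-variable read endpoint in hunk `@@ -2140,6 +2149,9 @@` is gated by `$this->authorize('view', $application);` while every write to the same variables (hunks `@@ -2254`, `@@ -2444`, `@@ -2628`, `@@ -2778`) requires `manageEnvironment`, so any principal allowed to view the application can read its secret values even when it may not manage them; unless the policy's `view` ability is as strict as `manageEnvironment`, that line should be `$this->authorize('manageEnvironment', $application);` or a dedicated read-only ability. The update hunk (`@@ -1856`) likewise puts host-affecting fields such as `custom_docker_run_options`, `pre_deployment_command`, `post_deployment_command` and `docker_compose_raw` behind the single `update` ability, so it is worth confirming the policy limits that ability to roles trusted with command execution on the destination server. Note also that every check except `create` runs after the not-found branch, so an existing-but-forbidden application answers 403 where a missing one answers 404; if the lookup above each hunk is not already team-scoped, this lets unauthorized callers confirm which UUIDs exist. The enclosing methods start above each hunk and in several cases continue below it, so the lookup code and the policy definitions are not visible here.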