feat(auth): implement comprehensive authorization checks across API controllers

This commit is contained in:
Andras Bacsai
2025-08-23 18:51:10 +02:00
parent b5fe5dd909
commit b1334a1bc6
5 changed files with 103 additions and 1 deletions


@@ -12,6 +12,7 @@ use App\Http\Controllers\Controller;
use App\Jobs\DeleteResourceJob;
use App\Models\Project;
use App\Models\Server;
use App\Models\StandalonePostgresql;
use Illuminate\Http\Request;
use OpenApi\Attributes as OA;
@@ -143,6 +144,8 @@ class DatabasesController extends Controller
return response()->json(['message' => 'Database not found.'], 404);
}
$this->authorize('view', $database);
return response()->json($this->removeSensitiveData($database));
}
@@ -276,6 +279,9 @@ class DatabasesController extends Controller
if (! $database) {
return response()->json(['message' => 'Database not found.'], 404);
}
$this->authorize('update', $database);
if ($request->is_public && $request->public_port) {
if (isPublicPortAlreadyUsed($database->destination->server, $request->public_port, $database->id)) {
return response()->json(['message' => 'Public port already used by another database.'], 400);
@@ -1028,6 +1034,9 @@ class DatabasesController extends Controller
return invalidTokenResponse();
}
// Use a generic authorization for database creation - using PostgreSQL as representative model
$this->authorize('create', StandalonePostgresql::class);
$return = validateIncomingRequest($request);
if ($return instanceof \Illuminate\Http\JsonResponse) {
return $return;
@@ -1606,6 +1615,8 @@ class DatabasesController extends Controller
return response()->json(['message' => 'Database not found.'], 404);
}
$this->authorize('delete', $database);
DeleteResourceJob::dispatch(
resource: $database,
deleteVolumes: $request->query->get('delete_volumes', true),
@@ -1684,6 +1695,9 @@ class DatabasesController extends Controller
if (! $database) {
return response()->json(['message' => 'Database not found.'], 404);
}
$this->authorize('manage', $database);
if (str($database->status)->contains('running')) {
return response()->json(['message' => 'Database is already running.'], 400);
}
@@ -1762,6 +1776,9 @@ class DatabasesController extends Controller
if (! $database) {
return response()->json(['message' => 'Database not found.'], 404);
}
$this->authorize('manage', $database);
if (str($database->status)->contains('stopped') || str($database->status)->contains('exited')) {
return response()->json(['message' => 'Database is already stopped.'], 400);
}
@@ -1840,6 +1857,9 @@ class DatabasesController extends Controller
if (! $database) {
return response()->json(['message' => 'Database not found.'], 404);
}
$this->authorize('manage', $database);
RestartDatabase::dispatch($database);
return response()->json(