Merge branch 'next' into separate-success-and-failure-notifications
This commit is contained in:
🏔️ Peak
@@ -25,26 +25,24 @@ class ApplicationsController extends Controller
|
||||
{
|
||||
private function removeSensitiveData($application)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
$application->makeHidden([
|
||||
'id',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
return serializeApiResponse($application);
|
||||
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||
$application->makeHidden([
|
||||
'custom_labels',
|
||||
'dockerfile',
|
||||
'docker_compose',
|
||||
'docker_compose_raw',
|
||||
'manual_webhook_secret_bitbucket',
|
||||
'manual_webhook_secret_gitea',
|
||||
'manual_webhook_secret_github',
|
||||
'manual_webhook_secret_gitlab',
|
||||
'private_key_id',
|
||||
'value',
|
||||
'real_value',
|
||||
]);
|
||||
}
|
||||
$application->makeHidden([
|
||||
'custom_labels',
|
||||
'dockerfile',
|
||||
'docker_compose',
|
||||
'docker_compose_raw',
|
||||
'manual_webhook_secret_bitbucket',
|
||||
'manual_webhook_secret_gitea',
|
||||
'manual_webhook_secret_github',
|
||||
'manual_webhook_secret_gitlab',
|
||||
'private_key_id',
|
||||
'value',
|
||||
'real_value',
|
||||
]);
|
||||
|
||||
return serializeApiResponse($application);
|
||||
}
|
||||
|
||||
@@ -19,26 +19,23 @@ class DatabasesController extends Controller
|
||||
{
|
||||
private function removeSensitiveData($database)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
$database->makeHidden([
|
||||
'id',
|
||||
'laravel_through_key',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
return serializeApiResponse($database);
|
||||
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||
$database->makeHidden([
|
||||
'internal_db_url',
|
||||
'external_db_url',
|
||||
'postgres_password',
|
||||
'dragonfly_password',
|
||||
'redis_password',
|
||||
'mongo_initdb_root_password',
|
||||
'keydb_password',
|
||||
'clickhouse_admin_password',
|
||||
]);
|
||||
}
|
||||
|
||||
$database->makeHidden([
|
||||
'internal_db_url',
|
||||
'external_db_url',
|
||||
'postgres_password',
|
||||
'dragonfly_password',
|
||||
'redis_password',
|
||||
'mongo_initdb_root_password',
|
||||
'keydb_password',
|
||||
'clickhouse_admin_password',
|
||||
]);
|
||||
|
||||
return serializeApiResponse($database);
|
||||
}
|
||||
|
||||
|
||||
@@ -16,15 +16,12 @@ class DeployController extends Controller
|
||||
{
|
||||
private function removeSensitiveData($deployment)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('view:sensitive')) {
|
||||
return serializeApiResponse($deployment);
|
||||
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||
$deployment->makeHidden([
|
||||
'logs',
|
||||
]);
|
||||
}
|
||||
|
||||
$deployment->makeHidden([
|
||||
'logs',
|
||||
]);
|
||||
|
||||
return serializeApiResponse($deployment);
|
||||
}
|
||||
|
||||
|
||||
@@ -11,13 +11,11 @@ class SecurityController extends Controller
|
||||
{
|
||||
private function removeSensitiveData($team)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('view:sensitive')) {
|
||||
return serializeApiResponse($team);
|
||||
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||
$team->makeHidden([
|
||||
'private_key',
|
||||
]);
|
||||
}
|
||||
$team->makeHidden([
|
||||
'private_key',
|
||||
]);
|
||||
|
||||
return serializeApiResponse($team);
|
||||
}
|
||||
|
||||
@@ -19,25 +19,22 @@ class ServersController extends Controller
|
||||
{
|
||||
private function removeSensitiveDataFromSettings($settings)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('view:sensitive')) {
|
||||
return serializeApiResponse($settings);
|
||||
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||
$settings = $settings->makeHidden([
|
||||
'sentinel_token',
|
||||
]);
|
||||
}
|
||||
$settings = $settings->makeHidden([
|
||||
'sentinel_token',
|
||||
]);
|
||||
|
||||
return serializeApiResponse($settings);
|
||||
}
|
||||
|
||||
private function removeSensitiveData($server)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
$server->makeHidden([
|
||||
'id',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
return serializeApiResponse($server);
|
||||
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||
// Do nothing
|
||||
}
|
||||
|
||||
return serializeApiResponse($server);
|
||||
|
||||
@@ -18,19 +18,16 @@ class ServicesController extends Controller
|
||||
{
|
||||
private function removeSensitiveData($service)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
$service->makeHidden([
|
||||
'id',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
return serializeApiResponse($service);
|
||||
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||
$service->makeHidden([
|
||||
'docker_compose_raw',
|
||||
'docker_compose',
|
||||
]);
|
||||
}
|
||||
|
||||
$service->makeHidden([
|
||||
'docker_compose_raw',
|
||||
'docker_compose',
|
||||
]);
|
||||
|
||||
return serializeApiResponse($service);
|
||||
}
|
||||
|
||||
|
||||
@@ -10,20 +10,18 @@ class TeamController extends Controller
|
||||
{
|
||||
private function removeSensitiveData($team)
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
$team->makeHidden([
|
||||
'custom_server_limit',
|
||||
'pivot',
|
||||
]);
|
||||
if ($token->can('view:sensitive')) {
|
||||
return serializeApiResponse($team);
|
||||
if (request()->attributes->get('can_read_sensitive', false) === false) {
|
||||
$team->makeHidden([
|
||||
'smtp_username',
|
||||
'smtp_password',
|
||||
'resend_api_key',
|
||||
'telegram_token',
|
||||
]);
|
||||
}
|
||||
$team->makeHidden([
|
||||
'smtp_username',
|
||||
'smtp_password',
|
||||
'resend_api_key',
|
||||
'telegram_token',
|
||||
]);
|
||||
|
||||
return serializeApiResponse($team);
|
||||
}
|
||||
|
||||
@@ -69,5 +69,7 @@ class Kernel extends HttpKernel
|
||||
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
|
||||
'abilities' => \Laravel\Sanctum\Http\Middleware\CheckAbilities::class,
|
||||
'ability' => \Laravel\Sanctum\Http\Middleware\CheckForAnyAbility::class,
|
||||
'api.ability' => \App\Http\Middleware\ApiAbility::class,
|
||||
'api.sensitive' => \App\Http\Middleware\ApiSensitiveData::class,
|
||||
];
|
||||
}
|
||||
|
||||
27
app/Http/Middleware/ApiAbility.php
Normal file
27
app/Http/Middleware/ApiAbility.php
Normal file
@@ -0,0 +1,27 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility;
|
||||
|
||||
class ApiAbility extends CheckForAnyAbility
|
||||
{
|
||||
public function handle($request, $next, ...$abilities)
|
||||
{
|
||||
try {
|
||||
if ($request->user()->tokenCan('root')) {
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
return parent::handle($request, $next, ...$abilities);
|
||||
} catch (\Illuminate\Auth\AuthenticationException $e) {
|
||||
return response()->json([
|
||||
'message' => 'Unauthenticated.',
|
||||
], 401);
|
||||
} catch (\Exception $e) {
|
||||
return response()->json([
|
||||
'message' => 'Missing required permissions: '.implode(', ', $abilities),
|
||||
], 403);
|
||||
}
|
||||
}
|
||||
}
|
||||
21
app/Http/Middleware/ApiSensitiveData.php
Normal file
21
app/Http/Middleware/ApiSensitiveData.php
Normal file
@@ -0,0 +1,21 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
|
||||
class ApiSensitiveData
|
||||
{
|
||||
public function handle(Request $request, Closure $next)
|
||||
{
|
||||
$token = $request->user()->currentAccessToken();
|
||||
|
||||
// Allow access to sensitive data if token has root or read:sensitive permission
|
||||
$request->attributes->add([
|
||||
'can_read_sensitive' => $token->can('root') || $token->can('read:sensitive'),
|
||||
]);
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
@@ -1,28 +0,0 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class IgnoreReadOnlyApiToken
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
*
|
||||
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
|
||||
*/
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('*')) {
|
||||
return $next($request);
|
||||
}
|
||||
if ($token->can('read-only')) {
|
||||
return response()->json(['message' => 'You are not allowed to perform this action.'], 403);
|
||||
}
|
||||
|
||||
return $next($request);
|
||||
}
|
||||
}
|
||||
@@ -1,25 +0,0 @@
|
||||
<?php
|
||||
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
use Illuminate\Http\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
|
||||
class OnlyRootApiToken
|
||||
{
|
||||
/**
|
||||
* Handle an incoming request.
|
||||
*
|
||||
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
|
||||
*/
|
||||
public function handle(Request $request, Closure $next): Response
|
||||
{
|
||||
$token = auth()->user()->currentAccessToken();
|
||||
if ($token->can('*')) {
|
||||
return $next($request);
|
||||
}
|
||||
|
||||
return response()->json(['message' => 'You are not allowed to perform this action.'], 403);
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user