fix: ServerRoleController accepts 'me' userId, AutocompleteController null id UUID fallback
This commit is contained in:
@@ -23,6 +23,11 @@ class AutocompleteController extends Controller
|
||||
{
|
||||
$this->requireAccess($request, $server);
|
||||
|
||||
// Pterodactyl's route model binding resolves by UUID; ensure we have the integer PK
|
||||
if ($server->id === null) {
|
||||
$server = Server::where('uuid', $server->uuid)->firstOrFail();
|
||||
}
|
||||
|
||||
$query = (string) $request->get('q', '');
|
||||
$suggestions = $this->engine->suggest(
|
||||
$server->id,
|
||||
|
||||
@@ -85,12 +85,22 @@ class ServerRoleController extends Controller
|
||||
}
|
||||
|
||||
/** GET /api/client/servers/{server}/addons/permissions/effective/{userId} */
|
||||
public function effectivePermissions(Request $request, Server $server, int $targetUserId): JsonResponse
|
||||
public function effectivePermissions(Request $request, Server $server, string $targetUserId): JsonResponse
|
||||
{
|
||||
$this->authorizeServerAdmin($request, $server);
|
||||
// Allow callers to pass "me" to resolve to their own user ID
|
||||
if ($targetUserId === 'me') {
|
||||
$targetUserId = (string) $request->user()?->id;
|
||||
}
|
||||
|
||||
// Non-admins can only query their own permissions
|
||||
$user = $request->user();
|
||||
$isAdmin = $user && ($user->root_admin || $server->owner_id === $user->id);
|
||||
if (!$isAdmin && (string) $user?->id !== $targetUserId) {
|
||||
abort(403, 'You may only query your own permissions.');
|
||||
}
|
||||
|
||||
$effective = $this->resolver->resolveAll(
|
||||
$targetUserId,
|
||||
(int) $targetUserId,
|
||||
$server->id,
|
||||
RoleService::KNOWN_PERMISSIONS
|
||||
);
|
||||
|
||||
Reference in New Issue
Block a user