From 3830e54988cbd056c868750d28970c79ae0b79b5 Mon Sep 17 00:00:00 2001 From: BaileyCodes Date: Thu, 11 Jun 2026 22:08:08 -0500 Subject: [PATCH] fix: ServerRoleController accepts 'me' userId, AutocompleteController null id UUID fallback --- .../Client/AutocompleteController.php | 5 +++++ .../Controllers/Client/ServerRoleController.php | 16 +++++++++++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/app/Addons/AdvancedAdmin/Http/Controllers/Client/AutocompleteController.php b/app/Addons/AdvancedAdmin/Http/Controllers/Client/AutocompleteController.php index 4b5797e..ec21bba 100644 --- a/app/Addons/AdvancedAdmin/Http/Controllers/Client/AutocompleteController.php +++ b/app/Addons/AdvancedAdmin/Http/Controllers/Client/AutocompleteController.php @@ -23,6 +23,11 @@ class AutocompleteController extends Controller { $this->requireAccess($request, $server); + // Pterodactyl's route model binding resolves by UUID; ensure we have the integer PK + if ($server->id === null) { + $server = Server::where('uuid', $server->uuid)->firstOrFail(); + } + $query = (string) $request->get('q', ''); $suggestions = $this->engine->suggest( $server->id, diff --git a/app/Addons/AdvancedAdmin/Http/Controllers/Client/ServerRoleController.php b/app/Addons/AdvancedAdmin/Http/Controllers/Client/ServerRoleController.php index 70bcba1..9ed0180 100644 --- a/app/Addons/AdvancedAdmin/Http/Controllers/Client/ServerRoleController.php +++ b/app/Addons/AdvancedAdmin/Http/Controllers/Client/ServerRoleController.php @@ -85,12 +85,22 @@ class ServerRoleController extends Controller } /** GET /api/client/servers/{server}/addons/permissions/effective/{userId} */ - public function effectivePermissions(Request $request, Server $server, int $targetUserId): JsonResponse + public function effectivePermissions(Request $request, Server $server, string $targetUserId): JsonResponse { - $this->authorizeServerAdmin($request, $server); + // Allow callers to pass "me" to resolve to their own user ID + if ($targetUserId === 'me') { + $targetUserId = (string) $request->user()?->id; + } + + // Non-admins can only query their own permissions + $user = $request->user(); + $isAdmin = $user && ($user->root_admin || $server->owner_id === $user->id); + if (!$isAdmin && (string) $user?->id !== $targetUserId) { + abort(403, 'You may only query your own permissions.'); + } $effective = $this->resolver->resolveAll( - $targetUserId, + (int) $targetUserId, $server->id, RoleService::KNOWN_PERMISSIONS );