fix: ServerRoleController accepts 'me' userId, AutocompleteController null id UUID fallback
This commit is contained in:
@@ -85,12 +85,22 @@ class ServerRoleController extends Controller
|
||||
}
|
||||
|
||||
/** GET /api/client/servers/{server}/addons/permissions/effective/{userId} */
|
||||
public function effectivePermissions(Request $request, Server $server, int $targetUserId): JsonResponse
|
||||
public function effectivePermissions(Request $request, Server $server, string $targetUserId): JsonResponse
|
||||
{
|
||||
$this->authorizeServerAdmin($request, $server);
|
||||
// Allow callers to pass "me" to resolve to their own user ID
|
||||
if ($targetUserId === 'me') {
|
||||
$targetUserId = (string) $request->user()?->id;
|
||||
}
|
||||
|
||||
// Non-admins can only query their own permissions
|
||||
$user = $request->user();
|
||||
$isAdmin = $user && ($user->root_admin || $server->owner_id === $user->id);
|
||||
if (!$isAdmin && (string) $user?->id !== $targetUserId) {
|
||||
abort(403, 'You may only query your own permissions.');
|
||||
}
|
||||
|
||||
$effective = $this->resolver->resolveAll(
|
||||
$targetUserId,
|
||||
(int) $targetUserId,
|
||||
$server->id,
|
||||
RoleService::KNOWN_PERMISSIONS
|
||||
);
|
||||
|
||||
Reference in New Issue
Block a user