fix: ServerRoleController accepts 'me' userId, AutocompleteController null id UUID fallback
This commit is contained in:
@@ -23,6 +23,11 @@ class AutocompleteController extends Controller
|
|||||||
{
|
{
|
||||||
$this->requireAccess($request, $server);
|
$this->requireAccess($request, $server);
|
||||||
|
|
||||||
|
// Pterodactyl's route model binding resolves by UUID; ensure we have the integer PK
|
||||||
|
if ($server->id === null) {
|
||||||
|
$server = Server::where('uuid', $server->uuid)->firstOrFail();
|
||||||
|
}
|
||||||
|
|
||||||
$query = (string) $request->get('q', '');
|
$query = (string) $request->get('q', '');
|
||||||
$suggestions = $this->engine->suggest(
|
$suggestions = $this->engine->suggest(
|
||||||
$server->id,
|
$server->id,
|
||||||
|
|||||||
@@ -85,12 +85,22 @@ class ServerRoleController extends Controller
|
|||||||
}
|
}
|
||||||
|
|
||||||
/** GET /api/client/servers/{server}/addons/permissions/effective/{userId} */
|
/** GET /api/client/servers/{server}/addons/permissions/effective/{userId} */
|
||||||
public function effectivePermissions(Request $request, Server $server, int $targetUserId): JsonResponse
|
public function effectivePermissions(Request $request, Server $server, string $targetUserId): JsonResponse
|
||||||
{
|
{
|
||||||
$this->authorizeServerAdmin($request, $server);
|
// Allow callers to pass "me" to resolve to their own user ID
|
||||||
|
if ($targetUserId === 'me') {
|
||||||
|
$targetUserId = (string) $request->user()?->id;
|
||||||
|
}
|
||||||
|
|
||||||
|
// Non-admins can only query their own permissions
|
||||||
|
$user = $request->user();
|
||||||
|
$isAdmin = $user && ($user->root_admin || $server->owner_id === $user->id);
|
||||||
|
if (!$isAdmin && (string) $user?->id !== $targetUserId) {
|
||||||
|
abort(403, 'You may only query your own permissions.');
|
||||||
|
}
|
||||||
|
|
||||||
$effective = $this->resolver->resolveAll(
|
$effective = $this->resolver->resolveAll(
|
||||||
$targetUserId,
|
(int) $targetUserId,
|
||||||
$server->id,
|
$server->id,
|
||||||
RoleService::KNOWN_PERMISSIONS
|
RoleService::KNOWN_PERMISSIONS
|
||||||
);
|
);
|
||||||
|
|||||||
Reference in New Issue
Block a user