mirror of
https://github.com/coollabsio/coolify.git
synced 2026-03-11 08:55:47 +00:00
Restrict sensitive operations to admins/owners and hide sensitive data from team members: - Add authorization checks to Livewire components and API endpoints - Restrict team members from accessing sensitive permissions and data - Hide environment variable values from non-admin team members - Update policies to enforce team-level admin status requirement - Add useSensitivePermissions policy for read:sensitive tokens - Improve disabled button UX with auth-specific tooltips - Add authorization checks in middleware for API tokens Closes authorization gaps in project management, server management, and settings components.
52 lines
1.7 KiB
PHP
52 lines
1.7 KiB
PHP
<?php
|
|
|
|
namespace App\Http\Middleware;
|
|
|
|
use Laravel\Sanctum\Http\Middleware\CheckForAnyAbility;
|
|
|
|
class ApiAbility extends CheckForAnyAbility
|
|
{
|
|
/**
|
|
* Permissions that only admins/owners may use.
|
|
*/
|
|
private const MEMBER_DISALLOWED_ABILITIES = [
|
|
'root',
|
|
'write',
|
|
'write:sensitive',
|
|
'deploy',
|
|
'read:sensitive',
|
|
];
|
|
|
|
public function handle($request, $next, ...$abilities)
|
|
{
|
|
try {
|
|
$token = $request->user()->currentAccessToken();
|
|
$teamId = (int) data_get($token, 'team_id');
|
|
|
|
if ($teamId && ! $request->user()->isAdminOfTeam($teamId)) {
|
|
$tokenAbilities = $token->abilities ?? [];
|
|
$disallowed = array_intersect($tokenAbilities, self::MEMBER_DISALLOWED_ABILITIES);
|
|
|
|
if (! empty($disallowed)) {
|
|
return response()->json([
|
|
'message' => 'This API token has permissions ('.implode(', ', $disallowed).') that exceed your current role as a team member. Members are restricted to read-only API access. Please revoke this token and create a new one with only read permissions.',
|
|
], 403);
|
|
}
|
|
}
|
|
|
|
if ($request->user()->tokenCan('root')) {
|
|
return $next($request);
|
|
}
|
|
|
|
return parent::handle($request, $next, ...$abilities);
|
|
} catch (\Illuminate\Auth\AuthenticationException $e) {
|
|
return response()->json([
|
|
'message' => 'Unauthenticated.',
|
|
], 401);
|
|
} catch (\Exception $e) {
|
|
return response()->json([
|
|
'message' => 'Missing required permissions: '.implode(', ', $abilities),
|
|
], 403);
|
|
}
|
|
}
|
|
}
|