DRCIT/snipe-it
1
0
Fork 0
mirror of https://github.com/snipe/snipe-it.git synced 2025-02-02 08:21:09 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Check that the user has permission to create their own API keys

Browse source 
Signed-off-by: snipe <snipe@snipe.net>
This commit is contained in:
snipe 2022-06-28 22:09:18 -07:00
parent e7de7d1716
commit 9680b02bce
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
app/Http/Controllers/Api/ProfileController.php
View file

@ -10,6 +10,7 @@ use Illuminate\Support\Facades\Auth;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Laravel\Passport\TokenRepository; use Laravel\Passport\TokenRepository;
use Illuminate\Contracts\Validation\Factory as ValidationFactory; use Illuminate\Contracts\Validation\Factory as ValidationFactory;
use Gate;
class ProfileController extends Controller class ProfileController extends Controller
{ {
@ -79,6 +80,10 @@ class ProfileController extends Controller
*/ */
public function createApiToken(Request $request) { public function createApiToken(Request $request) {
if (!Gate::allows('self.api')) {
abort(403);
}
$accessTokenName = $request->input('name', 'Auth Token'); $accessTokenName = $request->input('name', 'Auth Token');
if ($accessToken = Auth::user()->createToken($accessTokenName)->accessToken) { if ($accessToken = Auth::user()->createToken($accessTokenName)->accessToken) {
@ -100,6 +105,10 @@ class ProfileController extends Controller
*/ */
public function deleteApiToken($tokenId) { public function deleteApiToken($tokenId) {
if (!Gate::allows('self.api')) {
abort(403);
}
$token = $this->tokenRepository->findForUser( $token = $this->tokenRepository->findForUser(
$tokenId, Auth::user()->getAuthIdentifier() $tokenId, Auth::user()->getAuthIdentifier()
); );
@ -125,6 +134,10 @@ class ProfileController extends Controller
*/ */
public function showApiTokens(Request $request) { public function showApiTokens(Request $request) {
if (!Gate::allows('self.api')) {
abort(403);
}
$tokens = $this->tokenRepository->forUser(Auth::user()->getAuthIdentifier()); $tokens = $this->tokenRepository->forUser(Auth::user()->getAuthIdentifier());
return $tokens->load('client')->filter(function ($token) { return $tokens->load('client')->filter(function ($token) {