feat(auth): implement authorization checks for server updates across multiple components

- Added authorization checks using the `authorize` method in various Livewire components to ensure only authorized users can update server settings.
- Updated `ServerPolicy` to restrict update permissions to admin users and their respective teams.
- Enhanced security and access control for server management functionalities.
Andras Bacsai 2025-08-22 13:02:11 +02:00
parent 0748ef3ee5
commit 3ffc751f1a
10 changed files with 47 additions and 3 deletions


@ -76,6 +76,7 @@ public function toggleTerminal($password)
public function syncData(bool $toModel = false)
{
if ($toModel) {
$this->authorize('update', $this->server);
$this->validate();
$this->server->settings->concurrent_builds = $this->concurrentBuilds;
$this->server->settings->dynamic_timeout = $this->dynamicTimeout;
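Review bot: The `$this->authorize('update', $this->server)` added inside the `$toModel` branch depends on the `AuthorizesRequests` trait, yet unlike every other component in this commit this file receives no `use AuthorizesRequests;` hunk, so either the class already mixes it in or the call fails at runtime with an undefined-method error; the class header is outside the hunk, so this needs checking there. Gating only the write path is reasonable, since a read-only sync needs no update permission, provided the `view` check is enforced wherever the component is mounted. `syncData` continues past the end of the hunk.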


@ -4,11 +4,14 @@
use App\Actions\Server\ConfigureCloudflared;
use App\Models\Server;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Validate;
use Livewire\Component;
class CloudflareTunnel extends Component
{
use AuthorizesRequests;
public Server $server;
#[Validate(['required', 'string'])]
@ -51,6 +54,7 @@ public function mount(string $server_uuid)
public function toggleCloudflareTunnels()
{
try {
$this->authorize('update', $this->server);
remote_process(['docker rm -f coolify-cloudflared'], $this->server, false, 10);
$this->isCloudflareTunnelsEnabled = false;
$this->server->settings->is_cloudflare_tunnel = false;
@ -68,6 +72,7 @@ public function toggleCloudflareTunnels()
public function manualCloudflareConfig()
{
$this->authorize('update', $this->server);
$this->isCloudflareTunnelsEnabled = true;
$this->server->settings->is_cloudflare_tunnel = true;
$this->server->settings->save();
@ -78,6 +83,7 @@ public function manualCloudflareConfig()
public function automatedCloudflareConfig()
{
try {
$this->authorize('update', $this->server);
if (str($this->ssh_domain)->contains('https://')) {
$this->ssh_domain = str($this->ssh_domain)->replace('https://', '')->replace('http://', '')->trim();
$this->ssh_domain = str($this->ssh_domain)->replace('/', '');
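Review bot: In `toggleCloudflareTunnels` and `automatedCloudflareConfig` the new `$this->authorize('update', $this->server)` sits inside the `try`, so the `AuthorizationException` thrown on denial is intercepted by the method's own `catch` instead of reaching Laravel's exception handler; `manualCloudflareConfig` places it outside any `try`, which is the shape I would use everywhere. The catch bodies are outside the hunk, but where they follow the `catch (\Throwable $e)` pattern visible in DockerCleanup and LogDrains a denied user gets a generic component error rather than a 403, and the denial is not surfaced as an authorization failure. Suggest making `$this->authorize('update', $this->server);` the first statement before `try {` here and in DockerCleanup::manualCleanup, LogDrains::instantSave and submit, ByIp::submit, the private-key Show::setPrivateKey, the Proxy methods other than changeProxy, and the server Show::validateServer.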


@ -4,11 +4,14 @@
use App\Jobs\DockerCleanupJob;
use App\Models\Server;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Validate;
use Livewire\Component;
class DockerCleanup extends Component
{
use AuthorizesRequests;
public Server $server;
public array $parameters = [];
@ -42,6 +45,7 @@ public function mount(string $server_uuid)
public function syncData(bool $toModel = false)
{
if ($toModel) {
$this->authorize('update', $this->server);
$this->validate();
$this->server->settings->force_docker_cleanup = $this->forceDockerCleanup;
$this->server->settings->docker_cleanup_frequency = $this->dockerCleanupFrequency;
@ -71,6 +75,7 @@ public function instantSave()
public function manualCleanup()
{
try {
$this->authorize('update', $this->server);
DockerCleanupJob::dispatch($this->server, true, $this->deleteUnusedVolumes, $this->deleteUnusedNetworks);
$this->dispatch('success', 'Manual cleanup job started. Depending on the amount of data, this might take a while.');
} catch (\Throwable $e) {


@ -5,11 +5,14 @@
use App\Actions\Server\StartLogDrain;
use App\Actions\Server\StopLogDrain;
use App\Models\Server;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Validate;
use Livewire\Component;
class LogDrains extends Component
{
use AuthorizesRequests;
public Server $server;
#[Validate(['boolean'])]
@ -160,6 +163,7 @@ public function customValidation()
public function instantSave()
{
try {
$this->authorize('update', $this->server);
$this->syncData(true);
if ($this->server->isLogDrainEnabled()) {
StartLogDrain::run($this->server);
@ -176,6 +180,7 @@ public function instantSave()
public function submit(string $type)
{
try {
$this->authorize('update', $this->server);
$this->syncData(true, $type);
$this->dispatch('success', 'Settings saved.');
} catch (\Throwable $e) {


@ -6,12 +6,15 @@
use App\Models\Server;
use App\Models\Team;
use App\Support\ValidationPatterns;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Support\Collection;
use Livewire\Attributes\Locked;
use Livewire\Component;
class ByIp extends Component
{
use AuthorizesRequests;
#[Locked]
public $private_keys;
@ -115,6 +118,7 @@ public function submit()
{
$this->validate();
try {
$this->authorize('create', Server::class);
if (Server::where('team_id', currentTeam()->id)
->where('ip', $this->ip)
->exists()) {
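Review bot: `$this->validate()` runs before the new `$this->authorize('create', Server::class)`, so a user the policy now rejects still has the form's validation rules evaluated against their input and receives field-level feedback before being denied. Authorization should be the first thing `submit` does: move `$this->authorize('create', Server::class);` above `$this->validate();` and outside the `try`. The remainder of `submit` is outside the hunk.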


@ -4,10 +4,13 @@
use App\Models\PrivateKey;
use App\Models\Server;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;
class Show extends Component
{
use AuthorizesRequests;
public Server $server;
public $privateKeys = [];
@ -35,6 +38,7 @@ public function setPrivateKey($privateKeyId)
$originalPrivateKeyId = $this->server->getOriginal('private_key_id');
try {
$this->authorize('update', $this->server);
$this->server->update(['private_key_id' => $privateKeyId]);
['uptime' => $uptime, 'error' => $error] = $this->server->validateConnection(justCheckingNewKey: true);
if ($uptime) {


@ -5,10 +5,13 @@
use App\Actions\Proxy\CheckConfiguration;
use App\Actions\Proxy\SaveConfiguration;
use App\Models\Server;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;
class Proxy extends Component
{
use AuthorizesRequests;
public Server $server;
public ?string $selectedProxy = null;
@ -47,6 +50,7 @@ public function mount()
public function changeProxy()
{
$this->authorize('update', $this->server);
$this->server->proxy = null;
$this->server->save();
@ -56,6 +60,7 @@ public function changeProxy()
public function selectProxy($proxy_type)
{
try {
$this->authorize('update', $this->server);
$this->server->changeProxy($proxy_type, async: false);
$this->selectedProxy = $this->server->proxy->type;
@ -68,6 +73,7 @@ public function selectProxy($proxy_type)
public function instantSave()
{
try {
$this->authorize('update', $this->server);
$this->validate();
$this->server->settings->save();
$this->dispatch('success', 'Settings saved.');
@ -79,6 +85,7 @@ public function instantSave()
public function instantSaveRedirect()
{
try {
$this->authorize('update', $this->server);
$this->server->proxy->redirect_enabled = $this->redirect_enabled;
$this->server->save();
$this->server->setupDefaultRedirect();
@ -91,6 +98,7 @@ public function instantSaveRedirect()
public function submit()
{
try {
$this->authorize('update', $this->server);
SaveConfiguration::run($this->server, $this->proxy_settings);
$this->server->proxy->redirect_url = $this->redirect_url;
$this->server->save();
@ -104,6 +112,7 @@ public function submit()
public function reset_proxy_configuration()
{
try {
$this->authorize('update', $this->server);
$this->proxy_settings = CheckConfiguration::run($this->server, true);
SaveConfiguration::run($this->server, $this->proxy_settings);
$this->server->save();


@ -7,12 +7,15 @@
use App\Events\ServerReachabilityChanged;
use App\Models\Server;
use App\Support\ValidationPatterns;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Attributes\Computed;
use Livewire\Attributes\Locked;
use Livewire\Component;
class Show extends Component
{
use AuthorizesRequests;
public Server $server;
public string $name;
@ -157,6 +160,8 @@ public function syncData(bool $toModel = false)
throw new \Exception('This IP/Domain is already in use by another server in your team.');
}
$this->authorize('update', $this->server);
$this->server->name = $this->name;
$this->server->description = $this->description;
$this->server->ip = $this->ip;
@ -220,6 +225,7 @@ public function refresh()
public function validateServer($install = true)
{
try {
$this->authorize('update', $this->server);
$this->validationLogs = $this->server->validation_logs = null;
$this->server->save();
$this->dispatch('init', $install);
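Review bot: In `syncData` the `$this->authorize('update', $this->server)` is placed after the duplicate IP/domain check that throws "already in use" on the line above it, so a user without update rights can still learn whether an address belongs to another server in the team before the denial fires. Move the authorize call above that lookup, ideally to the top of the write branch; the start of `syncData` is outside the hunk so the exact insertion point is not visible here. The same ordering concern does not apply to `validateServer`, where the check is the first statement of the body.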


@ -5,10 +5,13 @@
use App\Actions\Proxy\CheckProxy;
use App\Actions\Proxy\StartProxy;
use App\Models\Server;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Livewire\Component;
class ValidateAndInstall extends Component
{
use AuthorizesRequests;
public Server $server;
public int $number_of_tries = 0;
@ -62,6 +65,7 @@ public function startValidatingAfterAsking()
public function validateConnection()
{
$this->authorize('update', $this->server);
['uptime' => $this->uptime, 'error' => $error] = $this->server->validateConnection();
if (! $this->uptime) {
$this->error = 'Server is not reachable. Please validate your configuration and connection.<br>Check this <a target="_blank" class="text-black underline dark:text-white" href="https://coolify.io/docs/knowledge-base/server/openssh">documentation</a> for further help. <br><br><div class="text-error">Error: '.$error.'</div>';
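Review bot: On the last line of the hunk `$error` from `validateConnection()` is concatenated straight into an HTML string whose surrounding `<a>` and `<div>` markup only works if the view renders `$this->error` unescaped; if that is the case, the connection error text, which may include output from the remote host, reaches the page without escaping. Wrap the dynamic part as `e($error)` so only the static markup is emitted raw. The new authorize call covers `validateConnection` only; whether `startValidatingAfterAsking` and the later steps of the install flow are gated is not visible from this hunk.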


@ -28,7 +28,7 @@ public function view(User $user, Server $server): bool
*/
public function create(User $user): bool
{
return true;
return $user->isAdmin();
}
/**
@ -36,7 +36,7 @@ public function create(User $user): bool
*/
public function update(User $user, Server $server): bool
{
return $user->teams()->get()->firstWhere('id', $server->team_id) !== null;
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $server->team_id) !== null;
}
/**
@ -44,7 +44,7 @@ public function update(User $user, Server $server): bool
*/
public function delete(User $user, Server $server): bool
{
return $user->teams()->get()->firstWhere('id', $server->team_id) !== null;
return $user->isAdmin() && $user->teams()->get()->firstWhere('id', $server->team_id) !== null;
}
/**
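Review bot: `update` and `delete` now require `$user->isAdmin()` in addition to membership of the server's team, but `isAdmin()` takes no team argument, so if it is evaluated against the user's currently selected team rather than `$server->team_id` the outcome depends on which team the user has active, not on the team that owns the server; its definition is not in this diff, so this needs checking. If admin status is per team, the policy should check the role on the membership for `$server->team_id` specifically. Separately, `$user->teams()->get()->firstWhere(...)` hydrates every team to answer one membership question; a query along the lines of `$user->teams()->whereKey($server->team_id)->exists()` avoids that. `create` now grants to any admin with no team scope, which matches the previous `return true` but deserves a docblock sentence, since the unchanged `view` above still admits non-admin members.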