From fbc4041bf7b499b74c627b0e075b026e432002a6 Mon Sep 17 00:00:00 2001
From: James Brooks
Date: Wed, 4 Nov 2015 14:59:11 +0000
Subject: [PATCH] Hide disabled components from public API. Closes #1095
---
 .../Controllers/Api/ComponentController.php | 12 +++-
 app/Http/Kernel.php | 27 ++++----
 .../Middleware/ApiOptionalAuthenticate.php | 67 +++++++++++++++++++
 app/Http/Routes/ApiRoutes.php | 2 +-
 4 files changed, 91 insertions(+), 17 deletions(-)
 create mode 100644 app/Http/Middleware/ApiOptionalAuthenticate.php
diff --git a/app/Http/Controllers/Api/ComponentController.php b/app/Http/Controllers/Api/ComponentController.php
index 71720a5a..8c78f25e 100644
--- a/app/Http/Controllers/Api/ComponentController.php
+++ b/app/Http/Controllers/Api/ComponentController.php
@@ -18,6 +18,7 @@ use CachetHQ\Cachet\Models\Component;
 use CachetHQ\Cachet\Models\Tag;
 use Exception;
 use GrahamCampbell\Binput\Facades\Binput;
+use Illuminate\Contracts\Auth\Guard;
 use Illuminate\Foundation\Bus\DispatchesJobs;
 use Illuminate\Http\Request;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
@@ -30,14 +31,19 @@ class ComponentController extends AbstractApiController
 * Get all components.
 *
 * @param \Symfony\Component\HttpFoundation\Request $request
+ * @param \Illuminate\Contracts\Auth\Guard $auth
 *
 * @return \Illuminate\Http\JsonResponse
 */
- public function getComponents(Request $request)
+ public function getComponents(Request $request, Guard $auth)
 {
- $components = Component::paginate(Binput::get('per_page', 20));
+ if ($auth->check()) {
+ $components = Component::whereRaw('1 = 1');
+ } else {
+ $components = Component::enabled();
+ }
- return $this->paginator($components, $request);
+ return $this->paginator($components->paginate(Binput::get('per_page', 20)), $request);
 }
 /**
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 462a193b..5ec954d5 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
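Review bot: `Component::whereRaw('1 = 1')` in the authenticated branch of `getComponents` is a raw SQL fragment used only to obtain a query builder; `$components = Component::query();` yields the same unfiltered builder without a raw clause and states the intent directly. The visibility rule introduced here covers only the listing — if the single-component route in this controller (outside the hunk) still loads by id with no `enabled` constraint, a disabled component would remain readable anonymously, which is worth confirming since it is not visible in this diff. A short comment on the branch, such as `// Authenticated callers (API token or basic auth, populated by the optional auth middleware) see every component; anonymous callers see only enabled ones.`, would document the rule this controller now depends on.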
@@ -35,18 +35,19 @@ class Kernel extends HttpKernel
 * @var array
 */
 protected $routeMiddleware = [
- 'accept' => 'CachetHQ\Cachet\Http\Middleware\Acceptable',
- 'admin' => 'CachetHQ\Cachet\Http\Middleware\Admin',
- 'app.hasSetting' => 'CachetHQ\Cachet\Http\Middleware\HasSetting',
- 'app.isSetup' => 'CachetHQ\Cachet\Http\Middleware\AppIsSetup',
- 'app.subscribers' => 'CachetHQ\Cachet\Http\Middleware\SubscribersConfigured',
- 'auth' => 'CachetHQ\Cachet\Http\Middleware\Authenticate',
- 'auth.api' => 'CachetHQ\Cachet\Http\Middleware\ApiAuthenticate',
- 'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
- 'csrf' => 'Illuminate\Foundation\Http\Middleware\VerifyCsrfToken',
- 'guest' => 'CachetHQ\Cachet\Http\Middleware\RedirectIfAuthenticated',
- 'localize' => 'CachetHQ\Cachet\Http\Middleware\Localize',
- 'timezone' => 'CachetHQ\Cachet\Http\Middleware\Timezone',
- 'throttling' => 'GrahamCampbell\Throttle\Http\Middleware\ThrottleMiddleware',
+ 'accept' => 'CachetHQ\Cachet\Http\Middleware\Acceptable',
+ 'admin' => 'CachetHQ\Cachet\Http\Middleware\Admin',
+ 'app.hasSetting' => 'CachetHQ\Cachet\Http\Middleware\HasSetting',
+ 'app.isSetup' => 'CachetHQ\Cachet\Http\Middleware\AppIsSetup',
+ 'app.subscribers' => 'CachetHQ\Cachet\Http\Middleware\SubscribersConfigured',
+ 'auth' => 'CachetHQ\Cachet\Http\Middleware\Authenticate',
+ 'auth.api' => 'CachetHQ\Cachet\Http\Middleware\ApiAuthenticate',
+ 'auth.basic' => 'Illuminate\Auth\Middleware\AuthenticateWithBasicAuth',
+ 'auth.api.optional' => 'CachetHQ\Cachet\Http\Middleware\ApiOptionalAuthenticate',
+ 'csrf' => 'Illuminate\Foundation\Http\Middleware\VerifyCsrfToken',
+ 'guest' => 'CachetHQ\Cachet\Http\Middleware\RedirectIfAuthenticated',
+ 'localize' => 'CachetHQ\Cachet\Http\Middleware\Localize',
+ 'timezone' => 'CachetHQ\Cachet\Http\Middleware\Timezone',
+ 'throttling' => 'GrahamCampbell\Throttle\Http\Middleware\ThrottleMiddleware',
 ];
 }
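Review bot: The new `'auth.api.optional'` entry is placed after `'auth.basic'`, which breaks the alphabetical order the rest of `$routeMiddleware` keeps (`auth.api`, `auth.api.optional`, `auth.basic`); moving it one line up restores the ordering, and the remainder of this hunk is an alignment-only rewrite of unchanged entries. Keeping the aliases sorted matters a little more than usual here because this list is the one place that maps the security-relevant alias names to their classes.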
diff --git a/app/Http/Middleware/ApiOptionalAuthenticate.php b/app/Http/Middleware/ApiOptionalAuthenticate.php
new file mode 100644
index 00000000..2258f126
--- /dev/null
+++ b/app/Http/Middleware/ApiOptionalAuthenticate.php
@@ -0,0 +1,67 @@
+auth = $auth;
+ }
+
+ /**
+ * Handle an incoming request.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @param \Closure $next
+ *
+ * @return mixed
+ */
+ public function handle($request, Closure $next)
+ {
+ if ($this->auth->guest()) {
+ if ($apiToken = $request->header('X-Cachet-Token')) {
+ try {
+ $this->auth->onceUsingId(User::findByApiToken($apiToken)->id);
+ } catch (ModelNotFoundException $e) {
+ //
+ }
+ } elseif ($request->getUser()) {
+ if ($this->auth->onceBasic() !== null) {
+ //
+ }
+ }
+ }
+
+ return $next($request);
+ }
+}
diff --git a/app/Http/Routes/ApiRoutes.php b/app/Http/Routes/ApiRoutes.php
index fd924244..e0c8c55c 100644
--- a/app/Http/Routes/ApiRoutes.php
+++ b/app/Http/Routes/ApiRoutes.php
@@ -30,7 +30,7 @@ class ApiRoutes
 $router->group([
 'namespace' => 'Api',
 'prefix' => 'api/v1',
- 'middleware' => ['accept:application/json', 'timezone'],
+ 'middleware' => ['accept:application/json', 'timezone', 'auth.api.optional'],
 ], function ($router) {
 // General
 $router->get('ping', 'GeneralController@ping');
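Review bot: `if ($this->auth->onceBasic() !== null) { // }` in `handle` is an empty conditional — the framework's `onceBasic()` returns a 401 response on bad credentials and `null` on success, and both outcomes are discarded here, so the statement reduces to `$this->auth->onceBasic();` with a comment such as `// Bad basic credentials fall through as a guest request; the 401 response is deliberately discarded.`. The empty `catch (ModelNotFoundException $e)` for an unknown `X-Cachet-Token` deserves the same one-line comment stating that fall-through is intentional, instead of a bare `//`. Because both failures are silent, a caller with a revoked or mistyped token simply proceeds as anonymous and nothing records the failed attempt; a debug-level log line in each branch would give operators a signal for token misuse without changing the request flow. The hunk as rendered begins at `+auth = $auth;`, so the class declaration, `use` lines and constructor signature of this new file are not visible here.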
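Review bot: The group-level `'auth.api.optional'` entry means every `api/v1` route, including `ping`, now performs the token or basic-auth lookup whenever credentials are present, and a request carrying an invalid token proceeds as anonymous rather than being rejected; a comment above the `'middleware'` line such as `// auth.api.optional populates the guard when an API token or basic credentials are supplied so controllers can branch on $auth->check(); invalid credentials are ignored.` would make that contract visible to whoever adds routes to this group. Whether the `throttling` alias registered in the Kernel also applies to this group is not visible in the hunk; if it does not, the per-request token lookup runs unthrottled on public routes. The group closure continues past the end of the hunk.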