Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
pterodactyl
GitHub Repository: pterodactyl/panel
 Path: blob/1.0-develop/tests/Integration/Api/Client/Server/Allocation/AllocationAuthorizationTest.php
7461 views
1
<?php

2


3
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Allocation;

4


5
use Pterodactyl\Models\Subuser;

6
use Pterodactyl\Models\Allocation;

7
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;

8


9
class AllocationAuthorizationTest extends ClientApiIntegrationTestCase

10
{

11
    #[\PHPUnit\Framework\Attributes\DataProvider('methodDataProvider')]

12
    public function testAccessToAServersAllocationsIsRestrictedProperly(string $method, string $endpoint)

13
    {

14
        // The API $user is the owner of $server1.

15
        [$user, $server1] = $this->generateTestAccount();

16
        // Will be a subuser of $server2.

17
        $server2 = $this->createServerModel();

18
        // And as no access to $server3.

19
        $server3 = $this->createServerModel();

20


21
        // Set the API $user as a subuser of server 2, but with no permissions

22
        // to do anything with the allocations for that server.

23
        Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);

24


25
        $allocation1 = Allocation::factory()->create(['server_id' => $server1->id, 'node_id' => $server1->node_id]);

26
        $allocation2 = Allocation::factory()->create(['server_id' => $server2->id, 'node_id' => $server2->node_id]);

27
        $allocation3 = Allocation::factory()->create(['server_id' => $server3->id, 'node_id' => $server3->node_id]);

28


29
        // This is the only valid call for this test, accessing the allocation for the same

30
        // server that the API user is the owner of.

31
        $response = $this->actingAs($user)->json($method, $this->link($server1, '/network/allocations/' . $allocation1->id . $endpoint));

32
        $this->assertTrue($response->status() <= 204 || $response->status() === 400 || $response->status() === 422);

33


34
        // This request fails because the allocation is valid for that server but the user

35
        // making the request is not authorized to perform that action.

36
        $this->actingAs($user)->json($method, $this->link($server2, '/network/allocations/' . $allocation2->id . $endpoint))->assertForbidden();

37


38
        // Both of these should report a 404 error due to the allocations being linked to

39
        // servers that are not the same as the server in the request, or are assigned

40
        // to a server for which the user making the request has no access to.

41
        $this->actingAs($user)->json($method, $this->link($server1, '/network/allocations/' . $allocation2->id . $endpoint))->assertNotFound();

42
        $this->actingAs($user)->json($method, $this->link($server1, '/network/allocations/' . $allocation3->id . $endpoint))->assertNotFound();

43
        $this->actingAs($user)->json($method, $this->link($server2, '/network/allocations/' . $allocation3->id . $endpoint))->assertNotFound();

44
        $this->actingAs($user)->json($method, $this->link($server3, '/network/allocations/' . $allocation3->id . $endpoint))->assertNotFound();

45
    }

46


47
    public static function methodDataProvider(): array

48
    {

49
        return [

50
            ['POST', ''],

51
            ['DELETE', ''],

52
            ['POST', '/primary'],

53
        ];

54
    }

55
}

56


57