Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
pterodactyl
GitHub Repository: pterodactyl/panel
 Path: blob/1.0-develop/tests/Integration/Api/Client/Server/Backup/BackupAuthorizationTest.php
7461 views
1
<?php

2


3
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Backup;

4


5
use Carbon\CarbonImmutable;

6
use Pterodactyl\Models\Backup;

7
use Pterodactyl\Models\Subuser;

8
use Pterodactyl\Services\Backups\DeleteBackupService;

9
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;

10


11
class BackupAuthorizationTest extends ClientApiIntegrationTestCase

12
{

13
    #[\PHPUnit\Framework\Attributes\DataProvider('methodDataProvider')]

14
    public function testAccessToAServersBackupIsRestrictedProperly(string $method, string $endpoint)

15
    {

16
        // The API $user is the owner of $server1.

17
        [$user, $server1] = $this->generateTestAccount();

18
        // Will be a subuser of $server2.

19
        $server2 = $this->createServerModel();

20
        // And as no access to $server3.

21
        $server3 = $this->createServerModel();

22


23
        // Set the API $user as a subuser of server 2, but with no permissions

24
        // to do anything with the backups for that server.

25
        Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);

26


27
        $backup1 = Backup::factory()->create(['server_id' => $server1->id, 'completed_at' => CarbonImmutable::now()]);

28
        $backup2 = Backup::factory()->create(['server_id' => $server2->id, 'completed_at' => CarbonImmutable::now()]);

29
        $backup3 = Backup::factory()->create(['server_id' => $server3->id, 'completed_at' => CarbonImmutable::now()]);

30


31
        $this->instance(DeleteBackupService::class, $mock = \Mockery::mock(DeleteBackupService::class));

32


33
        if ($method === 'DELETE') {

34
            $mock->expects('handle')->andReturnUndefined();

35
        }

36


37
        // This is the only valid call for this test, accessing the backup for the same

38
        // server that the API user is the owner of.

39
        $this->actingAs($user)->json($method, $this->link($server1, '/backups/' . $backup1->uuid . $endpoint))

40
            ->assertStatus($method === 'DELETE' ? 204 : 200);

41


42
        // This request fails because the backup is valid for that server but the user

43
        // making the request is not authorized to perform that action.

44
        $this->actingAs($user)->json($method, $this->link($server2, '/backups/' . $backup2->uuid . $endpoint))->assertForbidden();

45


46
        // Both of these should report a 404 error due to the backup being linked to

47
        // servers that are not the same as the server in the request, or are assigned

48
        // to a server for which the user making the request has no access to.

49
        $this->actingAs($user)->json($method, $this->link($server1, '/backups/' . $backup2->uuid . $endpoint))->assertNotFound();

50
        $this->actingAs($user)->json($method, $this->link($server1, '/backups/' . $backup3->uuid . $endpoint))->assertNotFound();

51
        $this->actingAs($user)->json($method, $this->link($server2, '/backups/' . $backup3->uuid . $endpoint))->assertNotFound();

52
        $this->actingAs($user)->json($method, $this->link($server3, '/backups/' . $backup3->uuid . $endpoint))->assertNotFound();

53
    }

54


55
    public static function methodDataProvider(): array

56
    {

57
        return [

58
            ['GET', ''],

59
            ['GET', '/download'],

60
            ['DELETE', ''],

61
        ];

62
    }

63
}

64


65