Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
pterodactyl
GitHub Repository: pterodactyl/panel
 Path: blob/1.0-develop/tests/Integration/Api/Client/Server/Schedule/ScheduleAuthorizationTest.php
7461 views
1
<?php

2


3
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Schedule;

4


5
use Pterodactyl\Models\Subuser;

6
use Pterodactyl\Models\Schedule;

7
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;

8


9
class ScheduleAuthorizationTest extends ClientApiIntegrationTestCase

10
{

11
    /**

12
     * Tests that a subuser with access to two servers cannot improperly access a resource

13
     * on Server A when providing a URL that points to Server B. This prevents a regression

14
     * in the code where controllers didn't properly validate that a resource was assigned

15
     * to the server that was also present in the URL.

16
     *

17
     * The comments within the test code itself are better at explaining exactly what is

18
     * being tested and protected against.

19
     */

20
    #[\PHPUnit\Framework\Attributes\DataProvider('methodDataProvider')]

21
    public function testAccessToAServersSchedulesIsRestrictedProperly(string $method, string $endpoint)

22
    {

23
        // The API $user is the owner of $server1.

24
        [$user, $server1] = $this->generateTestAccount();

25
        // Will be a subuser of $server2.

26
        $server2 = $this->createServerModel();

27
        // And as no access to $server3.

28
        $server3 = $this->createServerModel();

29


30
        // Set the API $user as a subuser of server 2, but with no permissions

31
        // to do anything with the schedules for that server.

32
        Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);

33


34
        $schedule1 = Schedule::factory()->create(['server_id' => $server1->id]);

35
        $schedule2 = Schedule::factory()->create(['server_id' => $server2->id]);

36
        $schedule3 = Schedule::factory()->create(['server_id' => $server3->id]);

37


38
        // This is the only valid call for this test, accessing the schedule for the same

39
        // server that the API user is the owner of.

40
        $response = $this->actingAs($user)->json($method, $this->link($server1, '/schedules/' . $schedule1->id . $endpoint));

41
        $this->assertTrue($response->status() <= 204 || $response->status() === 400 || $response->status() === 422);

42


43
        // This request fails because the schedule is valid for that server but the user

44
        // making the request is not authorized to perform that action.

45
        $this->actingAs($user)->json($method, $this->link($server2, '/schedules/' . $schedule2->id . $endpoint))->assertForbidden();

46


47
        // Both of these should report a 404 error due to the schedules being linked to

48
        // servers that are not the same as the server in the request, or are assigned

49
        // to a server for which the user making the request has no access to.

50
        $this->actingAs($user)->json($method, $this->link($server1, '/schedules/' . $schedule2->id . $endpoint))->assertNotFound();

51
        $this->actingAs($user)->json($method, $this->link($server1, '/schedules/' . $schedule3->id . $endpoint))->assertNotFound();

52
        $this->actingAs($user)->json($method, $this->link($server2, '/schedules/' . $schedule3->id . $endpoint))->assertNotFound();

53
        $this->actingAs($user)->json($method, $this->link($server3, '/schedules/' . $schedule3->id . $endpoint))->assertNotFound();

54
    }

55


56
    public static function methodDataProvider(): array

57
    {

58
        return [

59
            ['GET', ''],

60
            ['POST', ''],

61
            ['DELETE', ''],

62
            ['POST', '/execute'],

63
            ['POST', '/tasks'],

64
        ];

65
    }

66
}

67


68