Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
pterodactyl
GitHub Repository: pterodactyl/panel
 Path: blob/1.0-develop/tests/Integration/Api/Client/Server/Subuser/SubuserAuthorizationTest.php
14052 views
1
<?php

2


3
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Subuser;

4


5
use Pterodactyl\Models\User;

6
use Pterodactyl\Models\Subuser;

7
use Illuminate\Support\Facades\Bus;

8
use Pterodactyl\Jobs\RevokeSftpAccessJob;

9
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;

10


11
class SubuserAuthorizationTest extends ClientApiIntegrationTestCase

12
{

13
    /**

14
     * Test that mismatched subusers are not accessible to a server.

15
     */

16
    #[\PHPUnit\Framework\Attributes\DataProvider('methodDataProvider')]

17
    public function testUserCannotAccessResourceBelongingToOtherServers(string $method)

18
    {

19
        Bus::fake([RevokeSftpAccessJob::class]);

20


21
        // Generic subuser, the specific resource we're trying to access.

22
        /** @var User $internal */

23
        $internal = User::factory()->create();

24


25
        // The API $user is the owner of $server1.

26
        [$user, $server1] = $this->generateTestAccount();

27
        // Will be a subuser of $server2.

28
        $server2 = $this->createServerModel();

29
        // And as no access to $server3.

30
        $server3 = $this->createServerModel();

31


32
        // Set the API $user as a subuser of server 2, but with no permissions

33
        // to do anything with the subusers for that server.

34
        Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $user->id]);

35


36
        Subuser::factory()->create(['server_id' => $server1->id, 'user_id' => $internal->id]);

37
        Subuser::factory()->create(['server_id' => $server2->id, 'user_id' => $internal->id]);

38
        Subuser::factory()->create(['server_id' => $server3->id, 'user_id' => $internal->id]);

39


40
        // This route is acceptable since they're accessing a subuser on their own server.

41
        $this->actingAs($user)->json($method, $this->link($server1, '/users/' . $internal->uuid))->assertStatus($method === 'POST' ? 422 : ($method === 'DELETE' ? 204 : 200));

42


43
        // This route can be revealed since the subuser belongs to the correct server, but

44
        // errors out with a 403 since $user does not have the right permissions for this.

45
        $this->actingAs($user)->json($method, $this->link($server2, '/users/' . $internal->uuid))->assertForbidden();

46
        $this->actingAs($user)->json($method, $this->link($server3, '/users/' . $internal->uuid))->assertNotFound();

47


48
        if ($method === 'DELETE') {

49
            Bus::assertDispatchedTimes(function (RevokeSftpAccessJob $job) use ($server1, $internal) {

50
                return $job->user === $internal->uuid && $job->target->is($server1);

51
            });

52
        } else {

53
            Bus::assertNotDispatched(RevokeSftpAccessJob::class);

54
        }

55
    }

56


57
    public static function methodDataProvider(): array

58
    {

59
        return [['GET'], ['POST'], ['DELETE']];

60
    }

61
}

62


63