Path: blob/1.0-develop/tests/Integration/Api/Client/Server/Subuser/UpdateSubuserTest.php
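<?php

namespace Pterodactyl\Tests\Integration\Api\Client\Server\Subuser;

use Pterodactyl\Models\User;
use Pterodactyl\Models\Subuser;
use Pterodactyl\Models\Permission;
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;

/**
 * Authorization tests for the client API call that updates a subuser's
 * permission list: POST /api/client/servers/{server uuid}/users/{user uuid}.
 *
 * Together the cases pin down the access-control contract of the endpoint:
 * who may call it (401/403 paths), which permission keys end up stored, and
 * that a caller can neither grant permissions they do not hold nor reach
 * users outside the server named in the URL.
 */
class UpdateSubuserTest extends ClientApiIntegrationTestCase
{
    /**
     * Test that the correct permissions are applied to the account when making updates
     * to a subusers permissions.
     *
     * Walks the same request through four callers: unauthenticated (401), the
     * target subuser itself (403), a caller holding only "user.read" (403), and
     * that same caller once it holds the update permission plus every
     * permission being granted (200).
     */
    public function testCorrectPermissionsAreRequiredForUpdating(): void
    {
        [$user, $server] = $this->generateTestAccount(['user.read']);

        $subuser = Subuser::factory()
            ->for(User::factory()->create())
            ->for($server)
            ->create([
                'permissions' => ['control.start'],
            ]);

        $endpoint = "/api/client/servers/$server->uuid/users/{$subuser->user->uuid}";
        $data = [
            'permissions' => [
                'control.start',
                'control.stop',
            ],
        ];

        // No actingAs() yet: the request carries no authenticated user.
        $this->postJson($endpoint, $data)->assertUnauthorized();

        // The subuser being edited holds only "control.start".
        $this->actingAs($subuser->user)->postJson($endpoint, $data)->assertForbidden();
        // "user.read" alone must not be enough to change another user's permissions.
        $this->actingAs($user)->postJson($endpoint, $data)->assertForbidden();

        // Give the caller the update permission and both permissions it is about
        // to hand out. This relies on generateTestAccount() having created a
        // subuser row for $user on $server (presumably what passing a permission
        // list does; verify against the test case base class).
        $server->subusers()->where('user_id', $user->id)->update([
            'permissions' => [
                Permission::ACTION_USER_UPDATE,
                Permission::ACTION_CONTROL_START,
                Permission::ACTION_CONTROL_STOP,
            ],
        ]);

        // Name the actor explicitly instead of relying on the user left over from
        // the previous actingAs() call, so the success case cannot silently run
        // as a different account if the requests above are reordered.
        $this->actingAs($user)->postJson($endpoint, $data)->assertOk();
    }

    /**
     * Tests that permissions for the account are updated and any extraneous values
     * we don't know about are removed.
     *
     * The submitted list contains a duplicate ("control.stop" twice) and two
     * keys the expected result does not contain ("foo.bar", "power.fake"). The
     * stored value must be exactly the two control permissions plus
     * "websocket.connect", which is expected even though it was not submitted.
     */
    public function testPermissionsAreSavedToAccount(): void
    {
        [$user, $server] = $this->generateTestAccount();

        /** @var Subuser $subuser */
        $subuser = Subuser::factory()
            ->for(User::factory()->create())
            ->for($server)
            ->create([
                'permissions' => ['control.restart', 'websocket.connect', 'foo.bar'],
            ]);

        $this->actingAs($user)
            ->postJson("/api/client/servers/$server->uuid/users/{$subuser->user->uuid}", [
                'permissions' => [
                    'control.start',
                    'control.stop',
                    'control.stop',
                    'foo.bar',
                    'power.fake',
                ],
            ])
            ->assertOk();

        // Reload from the database so the assertion sees what was persisted.
        $subuser->refresh();
        // Order-insensitive comparison; a surviving duplicate or unknown key
        // would still fail it because the element count would differ.
        $this->assertEqualsCanonicalizing(
            ['control.start', 'control.stop', 'websocket.connect'],
            $subuser->permissions
        );
    }

    /**
     * Ensure a subuser cannot assign permissions to an account that they do not have
     * themselves.
     *
     * The caller may update users but does not hold the console permission it
     * tries to grant. The request must be rejected as a whole: the target's
     * stored permissions stay exactly as they were, so the permission the
     * caller does hold is not applied on its own either.
     */
    public function testUserCannotAssignPermissionsTheyDoNotHave(): void
    {
        [$user, $server] = $this->generateTestAccount([Permission::ACTION_USER_READ, Permission::ACTION_USER_UPDATE]);

        $subuser = Subuser::factory()
            ->for(User::factory()->create())
            ->for($server)
            ->create(['permissions' => ['foo.bar']]);

        $this->actingAs($user)
            ->postJson("/api/client/servers/$server->uuid/users/{$subuser->user->uuid}", [
                'permissions' => [Permission::ACTION_USER_READ, Permission::ACTION_CONTROL_CONSOLE],
            ])
            ->assertForbidden();

        // Nothing may have been written despite the 403.
        $this->assertEqualsCanonicalizing(['foo.bar'], $subuser->refresh()->permissions);
    }

    /**
     * Test that a user cannot update thyself.
     *
     * The caller holds the update permission and targets its own UUID; the
     * expected answer is 403.
     *
     * NOTE(review): only an empty payload is sent here, so a self-update that
     * carries a non-empty permission list is not exercised by this test.
     */
    public function testUserCannotUpdateSelf(): void
    {
        [$user, $server] = $this->generateTestAccount([Permission::ACTION_USER_READ, Permission::ACTION_USER_UPDATE]);

        $this->actingAs($user)
            ->postJson("/api/client/servers/$server->uuid/users/$user->uuid", [])
            ->assertForbidden();
    }

    /**
     * Test that an error is returned if you attempt to update a subuser on a different account.
     *
     * $user2 comes from a second generateTestAccount() call and is addressed
     * through $server's URL. The expected status is 404, i.e. the endpoint
     * treats a user who is not a subuser of the server in the path as not found.
     */
    public function testCannotUpdateSubuserForDifferentServer(): void
    {
        [$user, $server] = $this->generateTestAccount();
        [$user2] = $this->generateTestAccount(['foo.bar']);

        $this->actingAs($user)
            ->postJson("/api/client/servers/$server->uuid/users/$user2->uuid", [])
            ->assertNotFound();
    }
}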