pterodactyl
GitHub Repository: pterodactyl/panel
Path: blob/1.0-develop/tests/Integration/Api/Client/Server/Subuser/UpdateSubuserTest.php
<?php
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Subuser;
use Pterodactyl\Models\User;
use Pterodactyl\Models\Subuser;
use Pterodactyl\Models\Permission;
use Illuminate\Support\Facades\Bus;
use Pterodactyl\Jobs\RevokeSftpAccessJob;
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
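class UpdateSubuserTest extends ClientApiIntegrationTestCase
{
    /**
     * Test that the correct permissions are required on the acting account when
     * updating a subuser's permissions.
     *
     * Every rejected request (401 and 403) is followed by a check that the stored
     * permissions are untouched and that no SFTP revocation job was dispatched: a
     * denied status code alone does not prove the write was blocked.
     */
    public function testCorrectPermissionsAreRequiredForUpdating(): void
    {
        Bus::fake([RevokeSftpAccessJob::class]);

        [$user, $server] = $this->generateTestAccount(['user.read']);

        /** @var Subuser $subuser */
        $subuser = Subuser::factory()
            ->for(User::factory()->create())
            ->for($server)
            ->create([
                'permissions' => ['control.start'],
            ]);

        $endpoint = "/api/client/servers/$server->uuid/users/{$subuser->user->uuid}";
        $data = [
            'permissions' => [
                'control.start',
                'control.stop',
            ],
        ];

        // No authenticated session at all.
        $this->postJson($endpoint, $data)->assertUnauthorized();

        // The subuser may not edit their own permissions, and $user only holds
        // user.read, which is not sufficient to update another subuser.
        $this->actingAs($subuser->user)->postJson($endpoint, $data)->assertForbidden();
        $this->actingAs($user)->postJson($endpoint, $data)->assertForbidden();

        // None of the rejected requests may have persisted anything or triggered a revoke.
        $this->assertEqualsCanonicalizing(['control.start'], $subuser->refresh()->permissions);
        Bus::assertNothingDispatched();

        // Grant $user the update permission plus the permissions it is about to assign.
        $server->subusers()->where('user_id', $user->id)->update([
            'permissions' => [
                Permission::ACTION_USER_UPDATE,
                Permission::ACTION_CONTROL_START,
                Permission::ACTION_CONTROL_STOP,
            ],
        ]);

        // Authenticate explicitly rather than relying on the session left behind
        // by the previous actingAs() call.
        $this->actingAs($user)->postJson($endpoint, $data)->assertOk();

        // A successful update revokes any cached SFTP access for the edited subuser exactly once.
        Bus::assertDispatchedTimes(function (RevokeSftpAccessJob $job) use ($server, $subuser) {
            return $job->user === $subuser->user->uuid && $job->target->is($server);
        }, 1);
    }

    /**
     * Tests that permissions for the account are updated and any extraneous values
     * we don't know about are removed.
     *
     * The request carries a duplicate (control.stop twice) and two unknown values
     * (foo.bar, power.fake); the stored list must contain only the known permissions
     * from the request, de-duplicated, plus websocket.connect, while the previously
     * stored unknown value foo.bar is dropped.
     */
    public function testPermissionsAreSavedToAccount(): void
    {
        Bus::fake([RevokeSftpAccessJob::class]);

        [$user, $server] = $this->generateTestAccount();

        /** @var Subuser $subuser */
        $subuser = Subuser::factory()
            ->for(User::factory()->create())
            ->for($server)
            ->create([
                'permissions' => ['control.restart', 'websocket.connect', 'foo.bar'],
            ]);

        $this->actingAs($user)
            ->postJson("/api/client/servers/$server->uuid/users/{$subuser->user->uuid}", [
                'permissions' => [
                    'control.start',
                    'control.stop',
                    'control.stop',
                    'foo.bar',
                    'power.fake',
                ],
            ])
            ->assertOk();

        $subuser->refresh();
        $this->assertEqualsCanonicalizing(
            ['control.start', 'control.stop', 'websocket.connect'],
            $subuser->permissions
        );

        Bus::assertDispatchedTimes(function (RevokeSftpAccessJob $job) use ($server, $subuser) {
            return $job->user === $subuser->user->uuid && $job->target->is($server);
        }, 1);
    }

    /**
     * Ensure a subuser cannot assign permissions to an account that they do not have
     * themselves (here: control.console), i.e. no privilege escalation through a
     * third account.
     */
    public function testUserCannotAssignPermissionsTheyDoNotHave(): void
    {
        Bus::fake([RevokeSftpAccessJob::class]);

        [$user, $server] = $this->generateTestAccount([Permission::ACTION_USER_READ, Permission::ACTION_USER_UPDATE]);

        /** @var Subuser $subuser */
        $subuser = Subuser::factory()
            ->for(User::factory()->create())
            ->for($server)
            ->create(['permissions' => ['foo.bar']]);

        $this->actingAs($user)
            ->postJson("/api/client/servers/$server->uuid/users/{$subuser->user->uuid}", [
                'permissions' => [Permission::ACTION_USER_READ, Permission::ACTION_CONTROL_CONSOLE],
            ])
            ->assertForbidden();

        // The denied request must not have partially applied the permitted subset either.
        $this->assertEqualsCanonicalizing(['foo.bar'], $subuser->refresh()->permissions);

        Bus::assertNothingDispatched();
    }

    /**
     * Test that a user cannot update thyself, even when holding user.update, and
     * that the denied request dispatches no SFTP revocation.
     */
    public function testUserCannotUpdateSelf(): void
    {
        Bus::fake([RevokeSftpAccessJob::class]);

        [$user, $server] = $this->generateTestAccount([Permission::ACTION_USER_READ, Permission::ACTION_USER_UPDATE]);

        $this->actingAs($user)
            ->postJson("/api/client/servers/$server->uuid/users/$user->uuid", [])
            ->assertForbidden();

        Bus::assertNothingDispatched();
    }

    /**
     * Test that an error is returned if you attempt to update a subuser on a different account.
     *
     * $user2 belongs to a separate account, so addressing it through $server's endpoint
     * must look like a missing resource rather than leak or touch the other account.
     */
    public function testCannotUpdateSubuserForDifferentServer(): void
    {
        Bus::fake([RevokeSftpAccessJob::class]);

        [$user, $server] = $this->generateTestAccount();
        [$user2] = $this->generateTestAccount(['foo.bar']);

        $this->actingAs($user)
            ->postJson("/api/client/servers/$server->uuid/users/$user2->uuid", [])
            ->assertNotFound();

        Bus::assertNothingDispatched();
    }
}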