From 319ca683f849e9476a55eefab49321b18ce5deea Mon Sep 17 00:00:00 2001
From: Matthew Penner
Date: Wed, 10 Apr 2024 17:38:09 -0600
Subject: [PATCH] api(remote): ensure requesting node is checked
---
 .../Remote/Backups/BackupRemoteUploadController.php | 9 ++++++++-
 .../Api/Remote/Backups/BackupStatusController.php | 11 +++++++++--
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
index 7d92e0b1a..c3bf72662 100644
--- a/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupRemoteUploadController.php
@@ -32,6 +32,10 @@ class BackupRemoteUploadController extends Controller
 */
 public function __invoke(Request $request, string $backup): JsonResponse
 {
+ // Get the node associated with the request.
+ /** @var \Pterodactyl\Models\Node $node */
+ $node = $request->attributes->get('node');
+
 // Get the size query parameter.
 $size = (int) $request->query('size');
 if (empty($size)) {
@@ -39,7 +43,10 @@ class BackupRemoteUploadController extends Controller
 }
 
 /** @var \Pterodactyl\Models\Backup $backup */
- $backup = Backup::query()->where('uuid', $backup)->firstOrFail();
+ $backup = Backup::query()
+ ->where('node_id', $node->id)
+ ->where('uuid', $backup)
+ ->firstOrFail();
 
 // Prevent backups that have already been completed from trying to
 // be uploaded again.
diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
index f9c2a7932..042fbd050 100644
--- a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
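Review bot: `$request->attributes->get('node')` in `__invoke` returns null when the attribute was never set, and the added `@var` annotation only tells static analysis otherwise. Presumably the daemon authentication middleware populates it, but that is not visible in this diff. Because the node now scopes the backup lookup in the next hunk, fail closed right after the assignment, for example `if (!$node instanceof \Pterodactyl\Models\Node) { abort(403); }`. The same unguarded read is added to `index()` in BackupStatusController.php. The body of `__invoke` continues outside this hunk.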
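Review bot: The added `->where('node_id', $node->id)` filter is the whole ownership check for this endpoint, yet nothing in the diff shows that the Backup model has a `node_id` column. If a backup is tied to a node only through its server, this query would error or never match instead of scoping the lookup. Confirm the schema, and otherwise load the backup by `uuid` and compare the node of its server with `$node->id` before continuing. A feature test in which a second node requests another node's backup UUID and is refused would pin the intended behaviour. The same filter is added in BackupStatusController.php.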
@@ -30,8 +30,15 @@ class BackupStatusController extends Controller
 */
 public function index(ReportBackupCompleteRequest $request, string $backup): JsonResponse
 {
- /** @var \Pterodactyl\Models\Backup $model */
- $model = Backup::query()->where('uuid', $backup)->firstOrFail();
+ // Get the node associated with the request.
+ /** @var \Pterodactyl\Models\Node $node */
+ $node = $request->attributes->get('node');
+
+ /** @var \Pterodactyl\Models\Backup $backup */
+ $backup = Backup::query()
+ ->where('node_id', $node->id)
+ ->where('uuid', $backup)
+ ->firstOrFail();
 
 if ($model->is_successful) {
 throw new BadRequestHttpException('Cannot update the status of a backup that is already marked as completed.');
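Review bot: `if ($model->is_successful)` on the unchanged line right after the new query still reads `$model`, but this hunk removes the only assignment to `$model` and stores the result in `$backup` instead. The already-completed guard, and any later use of `$model` in `index()` (whose body continues outside the hunk), would therefore run on an undefined variable. Keep the original name so the rest of the method is untouched: `/** @var \Pterodactyl\Models\Backup $model */` and `$model = Backup::query()`. That also avoids overwriting the `string $backup` route parameter with a model object.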