From bc1db626e7cdf11ab3106cc827ac3d216aef202f Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sat, 7 Aug 2021 11:15:44 -0700
Subject: [PATCH] Fix up subuser controller to use better binding checks

---
 .../Api/Client/Servers/SubuserController.php | 15 ++++-----------
 .../Api/Client/SubstituteClientApiBindings.php | 10 +++-------
 app/Models/Subuser.php | 10 ----------
 routes/api-client.php | 6 +++---
 4 files changed, 10 insertions(+), 31 deletions(-)

diff --git a/app/Http/Controllers/Api/Client/Servers/SubuserController.php b/app/Http/Controllers/Api/Client/Servers/SubuserController.php
index d20efd2b..d85468f0 100644
--- a/app/Http/Controllers/Api/Client/Servers/SubuserController.php
+++ b/app/Http/Controllers/Api/Client/Servers/SubuserController.php
@@ -5,6 +5,7 @@ namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Pterodactyl\Models\Server;
+use Pterodactyl\Models\Subuser;
 use Pterodactyl\Models\Permission;
 use Illuminate\Support\Facades\Log;
 use Pterodactyl\Repositories\Eloquent\SubuserRepository;
@@ -56,10 +57,8 @@ class SubuserController extends ClientApiController
 *
 * @throws \Illuminate\Contracts\Container\BindingResolutionException
 */
-public function view(GetSubuserRequest $request): array
+public function view(GetSubuserRequest $request, Server $server, Subuser $subuser): array
 {
-$subuser = $request->attributes->get('subuser');
-
 return $this->fractal->item($subuser)
 ->transformWith($this->getTransformer(SubuserTransformer::class))
 ->toArray();
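Review bot: `view()` now takes `Server $server` but never reads it, and the only thing keeping `$subuser` scoped to that server is the `subuser` route binding registered in SubstituteClientApiBindings; the same holds for `update()` and `delete()` in the next two hunks. Because the handler's correctness depends on that binding rather than on anything visible in the method, the docblock should say so, e.g. `@param Subuser $subuser resolved by the 'subuser' route binding, already scoped to $server`. If the binding middleware were ever not applied to these routes, Laravel's implicit model binding would resolve the `Subuser` type-hint by primary key with no server scope, so a one-line guard such as `abort_unless($subuser->server_id === $server->id, 404);` at the top of each handler would make the scoping explicit rather than implied — I am inferring the middleware wiring from the other hunks, so confirm it before adding. The method's docblock opens before this hunk.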
@@ -93,11 +92,8 @@ class SubuserController extends ClientApiController
 * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
 * @throws \Illuminate\Contracts\Container\BindingResolutionException
 */
-public function update(UpdateSubuserRequest $request, Server $server): array
+public function update(UpdateSubuserRequest $request, Server $server, Subuser $subuser): array
 {
-/** @var \Pterodactyl\Models\Subuser $subuser */
-$subuser = $request->attributes->get('subuser');
-
 $permissions = $this->getDefaultPermissions($request);
 $current = $subuser->permissions;
@@ -128,11 +124,8 @@ class SubuserController extends ClientApiController
 /**
 * Removes a subusers from a server's assignment.
 */
-public function delete(DeleteSubuserRequest $request, Server $server): Response
+public function delete(DeleteSubuserRequest $request, Server $server, Subuser $subuser): Response
 {
-/** @var \Pterodactyl\Models\Subuser $subuser */
-$subuser = $request->attributes->get('subuser');
-
 $this->repository->delete($subuser->id);
 try {
diff --git a/app/Http/Middleware/Api/Client/SubstituteClientApiBindings.php b/app/Http/Middleware/Api/Client/SubstituteClientApiBindings.php
index a5ea1c78..49f9dfc7 100644
--- a/app/Http/Middleware/Api/Client/SubstituteClientApiBindings.php
+++ b/app/Http/Middleware/Api/Client/SubstituteClientApiBindings.php
@@ -7,7 +7,6 @@ use Illuminate\Support\Str;
 use Illuminate\Routing\Route;
 use Pterodactyl\Models\Server;
 use Illuminate\Container\Container;
-use Illuminate\Database\Query\JoinClause;
 use Illuminate\Contracts\Routing\Registrar;
 use Pterodactyl\Contracts\Extensions\HashidsInterface;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
@@ -52,13 +51,10 @@ class SubstituteClientApiBindings
 return $this->server($route)->backups()->where('uuid', $value)->firstOrFail();
 });
-$this->router->bind('user', function ($value, $route) {
-// TODO: is this actually a valid binding for users on the server?
+$this->router->bind('subuser', function ($value, $route) {
 return $this->server($route)->subusers()
-->join('users', function (JoinClause $join) {
-$join->on('subusers.user_id', 'users.id') ->where('subusers.server_id', 'servers.id');
-})
+->select('subusers.*')
+->join('users', 'subusers.user_id', '=', 'users.id')
 ->where('users.uuid', $value)
 ->firstOrFail();
 });
diff --git a/app/Models/Subuser.php b/app/Models/Subuser.php
index f69c4c6d..5312a715 100644
--- a/app/Models/Subuser.php
+++ b/app/Models/Subuser.php
@@ -4,16 +4,6 @@ namespace Pterodactyl\Models;
 use Illuminate\Notifications\Notifiable;
-/**
- * @property int $id
- * @property int $user_id
- * @property int $server_id
- * @property array $permissions
- * @property \Carbon\Carbon $created_at
- * @property \Carbon\Carbon $updated_at
- * @property \Pterodactyl\Models\User $user
- * @property \Pterodactyl\Models\Server $server
- */
 class Subuser extends Model
 {
 use Notifiable;
diff --git a/routes/api-client.php b/routes/api-client.php
index 03bf88c5..44cef316 100644
--- a/routes/api-client.php
+++ b/routes/api-client.php
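Review bot: The added `->select('subusers.*')` is the load-bearing line of the new `subuser` binding and has no comment explaining it; without it the join would also pull `users.*`, and same-named columns (`id`, `created_at`, `updated_at`) from `users` could shadow the subuser's own values in the hydrated model. Suggest `// Restrict to subuser columns: the users join would otherwise let users.id shadow subusers.id.` directly above it. It is also worth noting in that comment that the lookup stays scoped through `$this->server($route)->subusers()`, so a user UUID attached to a different server falls through to `firstOrFail()` instead of resolving — that scoping is what the controller handlers depend on. `ModelNotFoundException` is still imported in this file (previous hunk), so presumably the exception from `firstOrFail()` is mapped to a 404 elsewhere in the class; confirm that mapping covers the renamed binding.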
@@ -106,9 +106,9 @@ Route::group([
 Route::group(['prefix' => '/users'], function () {
 Route::get('/', 'Servers\SubuserController@index');
 Route::post('/', 'Servers\SubuserController@store');
-Route::get('/{user}', 'Servers\SubuserController@view');
-Route::post('/{user}', 'Servers\SubuserController@update');
-Route::delete('/{user}', 'Servers\SubuserController@delete');
+Route::get('/{subuser}', [Client\Servers\SubuserController::class, 'view']);
+Route::post('/{subuser}', [Client\Servers\SubuserController::class, 'update']);
+Route::delete('/{subuser}', [Client\Servers\SubuserController::class, 'delete']);
 });
 Route::group(['prefix' => '/backups'], function () {
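Review bot: The `{subuser}` parameter name has to stay in step with the `Route::bind('subuser', …)` registration in SubstituteClientApiBindings, and nothing here records that coupling; if the names drift apart, Laravel's implicit binding would resolve the `Subuser` type-hint on these controller methods by primary key with no server scoping. A comment above the three routes would keep the next rename honest, e.g. `// {subuser} is resolved by the scoped 'subuser' binding in SubstituteClientApiBindings, not by implicit binding.` The switch to `[Client\Servers\SubuserController::class, 'view']` assumes a `Client` alias is imported at the top of this file, which is outside the hunk, and the sibling `index`/`store` routes two lines above still use the `'Servers\SubuserController@index'` string form, so the group now mixes both styles. The enclosing route group starts before this hunk.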