2020-09-27 17:39:18 +00:00
|
|
|
<?php
|
|
|
|
|
|
|
|
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Subuser;
|
|
|
|
|
2020-11-07 06:33:39 +00:00
|
|
|
use Mockery;
|
2020-09-27 17:39:18 +00:00
|
|
|
use Ramsey\Uuid\Uuid;
|
|
|
|
use Pterodactyl\Models\User;
|
|
|
|
use Pterodactyl\Models\Subuser;
|
|
|
|
use Pterodactyl\Models\Permission;
|
2020-11-07 06:33:39 +00:00
|
|
|
use Pterodactyl\Repositories\Wings\DaemonServerRepository;
|
2020-09-27 17:39:18 +00:00
|
|
|
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
|
|
|
|
|
|
|
|
class DeleteSubuserTest extends ClientApiIntegrationTestCase
|
|
|
|
{
|
|
|
|
/**
|
|
|
|
* Guards against PHP's exciting behavior where a string can be cast to an int and only
|
|
|
|
* the first numeric digits are returned. This causes UUIDs to be returned as an int when
|
|
|
|
* looking up users, thus returning the wrong subusers (or no subuser at all).
|
|
|
|
*
|
|
|
|
* For example, 12aaaaaa-bbbb-cccc-ddddeeeeffff would be cast to "12" if you tried to cast
|
|
|
|
* it to an integer. Then, in the deep API middlewares you would end up trying to load a user
|
|
|
|
* with an ID of 12, which may or may not exist and be wrongly assigned to the model object.
|
|
|
|
*
|
|
|
|
* @see https://github.com/pterodactyl/panel/issues/2359
|
|
|
|
*/
|
|
|
|
public function testCorrectSubuserIsDeletedFromServer()
|
|
|
|
{
|
2020-11-07 06:33:39 +00:00
|
|
|
$this->swap(DaemonServerRepository::class, $mock = Mockery::mock(DaemonServerRepository::class));
|
|
|
|
|
2020-09-27 17:39:18 +00:00
|
|
|
[$user, $server] = $this->generateTestAccount();
|
|
|
|
|
|
|
|
/** @var \Pterodactyl\Models\User $differentUser */
|
2021-01-23 20:09:16 +00:00
|
|
|
$differentUser = User::factory()->create();
|
2020-09-27 17:39:18 +00:00
|
|
|
|
2022-05-29 21:52:14 +00:00
|
|
|
$real = Uuid::uuid4()->toString();
|
2020-09-27 17:39:18 +00:00
|
|
|
// Generate a UUID that lines up with a user in the database if it were to be cast to an int.
|
2022-05-29 21:52:14 +00:00
|
|
|
$uuid = $differentUser->id . substr($real, strlen((string) $differentUser->id));
|
2020-09-27 17:39:18 +00:00
|
|
|
|
|
|
|
/** @var \Pterodactyl\Models\User $subuser */
|
2021-01-23 20:09:16 +00:00
|
|
|
$subuser = User::factory()->create(['uuid' => $uuid]);
|
2020-09-27 17:39:18 +00:00
|
|
|
|
|
|
|
Subuser::query()->forceCreate([
|
|
|
|
'user_id' => $subuser->id,
|
|
|
|
'server_id' => $server->id,
|
2020-11-07 06:33:39 +00:00
|
|
|
'permissions' => [Permission::ACTION_WEBSOCKET_CONNECT],
|
2020-09-27 17:39:18 +00:00
|
|
|
]);
|
|
|
|
|
2020-12-06 23:26:20 +00:00
|
|
|
$mock->expects('setServer->revokeUserJTI')->with($subuser->id)->andReturnUndefined();
|
2020-11-07 06:33:39 +00:00
|
|
|
|
2020-09-27 17:39:18 +00:00
|
|
|
$this->actingAs($user)->deleteJson($this->link($server) . "/users/{$subuser->uuid}")->assertNoContent();
|
|
|
|
|
|
|
|
// Try the same test, but this time with a UUID that if cast to an int (shouldn't) line up with
|
|
|
|
// anything in the database.
|
|
|
|
$uuid = '18180000' . substr(Uuid::uuid4()->toString(), 8);
|
|
|
|
/** @var \Pterodactyl\Models\User $subuser */
|
2021-01-23 20:09:16 +00:00
|
|
|
$subuser = User::factory()->create(['uuid' => $uuid]);
|
2020-09-27 17:39:18 +00:00
|
|
|
|
|
|
|
Subuser::query()->forceCreate([
|
|
|
|
'user_id' => $subuser->id,
|
|
|
|
'server_id' => $server->id,
|
2020-11-07 06:33:39 +00:00
|
|
|
'permissions' => [Permission::ACTION_WEBSOCKET_CONNECT],
|
2020-09-27 17:39:18 +00:00
|
|
|
]);
|
|
|
|
|
2020-12-06 23:26:20 +00:00
|
|
|
$mock->expects('setServer->revokeUserJTI')->with($subuser->id)->andReturnUndefined();
|
2020-11-07 06:33:39 +00:00
|
|
|
|
2020-09-27 17:39:18 +00:00
|
|
|
$this->actingAs($user)->deleteJson($this->link($server) . "/users/{$subuser->uuid}")->assertNoContent();
|
|
|
|
}
|
|
|
|
}
|