Validate resource existence before validating data sent

CHANGELOG.md

@@ -10,6 +10,9 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * Fix validation error returned when no environment variables are passed, even if there are no variables required.
 * Fix improper permissions on `PATCH /api/servers/<id>/startup` endpoint which was preventing enditing any start variables.
 
+### Changed
+* Changes order that validation of resource existence occurs in API requests to not try and use a non-existent model when validating data.
+
 ### Added
 * Adds back client API for sending commands or power toggles to a server though the Panel API: `/api/client/servers/<identifier>`
 * Added proper transformer for Packs and re-enabled missing includes on server.

app/Http/Requests/Api/Application/ApplicationApiRequest.php

@@ -3,7 +3,6 @@
 namespace Pterodactyl\Http\Requests\Api\Application;
 
 use Pterodactyl\Models\ApiKey;
-use Illuminate\Database\Eloquent\Model;
 use Pterodactyl\Services\Acl\Api\AdminAcl;
 use Illuminate\Foundation\Http\FormRequest;
 use Pterodactyl\Exceptions\PterodactylException;
@@ -13,6 +12,14 @@ use Symfony\Component\Routing\Exception\InvalidParameterException;
 
 abstract class ApplicationApiRequest extends FormRequest
 {
+    /**
+     * Tracks if the request has been validated internally or not to avoid
+     * making duplicate validation calls.
+     *
+     * @var bool
+     */
+    private $hasValidated = false;
+
     /**
      * The resource that should be checked when performing the authorization
      * function for this request.
@@ -96,6 +103,21 @@ abstract class ApplicationApiRequest extends FormRequest
         return $this->route()->parameter($parameterKey);
     }
 
+    /**
+     * Validate that the resource exists and can be accessed prior to booting
+     * the validator and attempting to use the data.
+     *
+     * @throws \Illuminate\Auth\Access\AuthorizationException
+     */
+    protected function prepareForValidation()
+    {
+        if (! $this->passesAuthorization()) {
+            $this->failedAuthorization();
+        }
+
+        $this->hasValidated = true;
+    }
+
     /*
      * Determine if the request passes the authorization check as well
      * as the exists check.
@@ -110,6 +132,14 @@ abstract class ApplicationApiRequest extends FormRequest
      */
     protected function passesAuthorization()
     {
+        // If we have already validated we do not need to call this function
+        // again. This is needed to work around Laravel's normal auth validation
+        // that occurs after validating the request params since we are doing auth
+        // validation in the prepareForValidation() function.
+        if ($this->hasValidated) {
+            return true;
+        }
+
         if (! parent::passesAuthorization()) {
             return false;
         }

app/Http/Requests/Api/Application/Servers/ServerWriteRequest.php

@@ -2,7 +2,6 @@
 
 namespace Pterodactyl\Http\Requests\Api\Application\Servers;
 
-use Pterodactyl\Models\Server;
 use Pterodactyl\Services\Acl\Api\AdminAcl;
 use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
 
@@ -17,16 +16,4 @@ class ServerWriteRequest extends ApplicationApiRequest
      * @var int
      */
     protected $permission = AdminAcl::WRITE;
-
-    /**
-     * Determine if the requested server exists on the Panel.
-     *
-     * @return bool
-     */
-    public function resourceExists(): bool
-    {
-        $server = $this->route()->parameter('server');
-
-        return $server instanceof Server && $server->exists;
-    }
 }