From 75e0a862e7f2277cd4407e6c1c9c8b97d23ffb6e Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sat, 7 Aug 2021 09:16:29 -0700
Subject: [PATCH] Add another sanity check for websocket permissions
---
 .../Api/Client/Server/WebsocketControllerTest.php | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/tests/Integration/Api/Client/Server/WebsocketControllerTest.php b/tests/Integration/Api/Client/Server/WebsocketControllerTest.php
index d6c2119b6..b3f312560 100644
--- a/tests/Integration/Api/Client/Server/WebsocketControllerTest.php
+++ b/tests/Integration/Api/Client/Server/WebsocketControllerTest.php
@@ -3,6 +3,7 @@
 namespace Pterodactyl\Tests\Integration\Api\Client\Server;
 use Carbon\CarbonImmutable;
+use Pterodactyl\Models\User;
 use Illuminate\Http\Response;
 use Lcobucci\JWT\Configuration;
 use Pterodactyl\Models\Permission;
@@ -27,6 +28,18 @@ class WebsocketControllerTest extends ClientApiIntegrationTestCase
 ->assertJsonPath('errors.0.detail', 'You do not have permission to connect to this server\'s websocket.');
 }
+ /**
+ * Confirm users cannot access the websocket for another user's server.
+ */
+ public function testUserWithoutPermissionForServerReceivesError()
+ {
+ [,$server] = $this->generateTestAccount([Permission::ACTION_WEBSOCKET_CONNECT]);
+ [$user,] = $this->generateTestAccount([Permission::ACTION_WEBSOCKET_CONNECT]);
+ $this->actingAs($user)->getJson("/api/client/servers/{$server->uuid}/websocket")
+ ->assertStatus(Response::HTTP_NOT_FOUND);
+ }
+
 /**
 * Test that the expected permissions are returned for the server owner and that the JWT is
 * configured correctly.
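Review bot: The added `use Pterodactyl\Models\User;` is not referenced by any line this patch introduces; the new test gets `$user` from `generateTestAccount()` and never names the class. The rest of the file is outside these hunks, so this may already be used elsewhere, but if it is not, drop the import so it does not suggest a dependency the test does not have.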
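Review bot: The assertion in `testUserWithoutPermissionForServerReceivesError` pins only the status code, and nothing in the test records why 404 is expected rather than 403. If the intent is that an account with no relation to the server must not be able to confirm the UUID exists, say so next to the assertion, e.g. `// 404 rather than 403: an unrelated user must not learn that this server exists`, so that a later switch to 403 is recognised as an information-disclosure regression. Both accounts are created with `[Permission::ACTION_WEBSOCKET_CONNECT]`, so only one kind of outsider is covered; a sibling case where `$user` is created without that permission list would presumably cover another account type, though `generateTestAccount()` is defined outside this patch and its behaviour should be confirmed. As a style point, `[, $server]` and `[$user]` read more cleanly than `[,$server]` and `[$user,]`.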