forked from pterodactyl/panel
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDeleteSubuserTest.php
More file actions
67 lines (53 loc) · 2.83 KB
/
DeleteSubuserTest.php
File metadata and controls
67 lines (53 loc) · 2.83 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
<?php
namespace Pterodactyl\Tests\Integration\Api\Client\Server\Subuser;
use Mockery;
use Ramsey\Uuid\Uuid;
use Pterodactyl\Models\User;
use Pterodactyl\Models\Subuser;
use Pterodactyl\Models\Permission;
use Pterodactyl\Repositories\Wings\DaemonServerRepository;
use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
class DeleteSubuserTest extends ClientApiIntegrationTestCase
{
/**
* Guards against PHP's exciting behavior where a string can be cast to an int and only
* the first numeric digits are returned. This causes UUIDs to be returned as an int when
* looking up users, thus returning the wrong subusers (or no subuser at all).
*
* For example, 12aaaaaa-bbbb-cccc-ddddeeeeffff would be cast to "12" if you tried to cast
* it to an integer. Then, in the deep API middlewares you would end up trying to load a user
* with an ID of 12, which may or may not exist and be wrongly assigned to the model object.
*
* @see https://github.com/pterodactyl/panel/issues/2359
*/
public function testCorrectSubuserIsDeletedFromServer()
{
$this->swap(DaemonServerRepository::class, $mock = Mockery::mock(DaemonServerRepository::class));
[$user, $server] = $this->generateTestAccount();
/** @var \Pterodactyl\Models\User $differentUser */
$differentUser = User::factory()->create();
// Generate a UUID that lines up with a user in the database if it were to be cast to an int.
$uuid = $differentUser->id . str_repeat('a', strlen((string) $differentUser->id)) . substr(Uuid::uuid4()->toString(), 8);
/** @var \Pterodactyl\Models\User $subuser */
$subuser = User::factory()->create(['uuid' => $uuid]);
Subuser::query()->forceCreate([
'user_id' => $subuser->id,
'server_id' => $server->id,
'permissions' => [Permission::ACTION_WEBSOCKET_CONNECT],
]);
$mock->expects('setServer->revokeUserJTI')->with($subuser->id)->andReturnUndefined();
$this->actingAs($user)->deleteJson($this->link($server) . "/users/{$subuser->uuid}")->assertNoContent();
// Try the same test, but this time with a UUID that if cast to an int (shouldn't) line up with
// anything in the database.
$uuid = '18180000' . substr(Uuid::uuid4()->toString(), 8);
/** @var \Pterodactyl\Models\User $subuser */
$subuser = User::factory()->create(['uuid' => $uuid]);
Subuser::query()->forceCreate([
'user_id' => $subuser->id,
'server_id' => $server->id,
'permissions' => [Permission::ACTION_WEBSOCKET_CONNECT],
]);
$mock->expects('setServer->revokeUserJTI')->with($subuser->id)->andReturnUndefined();
$this->actingAs($user)->deleteJson($this->link($server) . "/users/{$subuser->uuid}")->assertNoContent();
}
}