Fix parameter bindings for client API routes; closes pterodactyl#2359

Author: DaneEveritt

app/Http/Middleware/Api/Client/SubstituteClientApiBindings.php

@@ -49,11 +49,11 @@ public function handle($request, Closure $next)
             return Database::query()->where('id', $id)->firstOrFail();
         });
 
-        $this->router->model('backup', Backup::class, function ($value) {
+        $this->router->bind('backup', function ($value) {
             return Backup::query()->where('uuid', $value)->firstOrFail();
         });
 
-        $this->router->model('user', User::class, function ($value) {
+        $this->router->bind('user', function ($value) {
             return User::query()->where('uuid', $value)->firstOrFail();
         });
 

tests/Integration/Api/Client/Server/Subuser/CreateServerSubuserTest.php

@@ -1,6 +1,6 @@
 <?php
 
-namespace Pterodactyl\Tests\Integration\Api\Client\Server\Schedule;
+namespace Pterodactyl\Tests\Integration\Api\Client\Server\Subuser;
 
 use Illuminate\Support\Str;
 use Pterodactyl\Models\User;

tests/Integration/Api/Client/Server/Subuser/DeleteSubuserTest.php

@@ -0,0 +1,59 @@
+<?php
+
+namespace Pterodactyl\Tests\Integration\Api\Client\Server\Subuser;
+
+use Ramsey\Uuid\Uuid;
+use Pterodactyl\Models\User;
+use Pterodactyl\Models\Subuser;
+use Pterodactyl\Models\Permission;
+use Pterodactyl\Tests\Integration\Api\Client\ClientApiIntegrationTestCase;
+
+class DeleteSubuserTest extends ClientApiIntegrationTestCase
+{
+    /**
+     * Guards against PHP's exciting behavior where a string can be cast to an int and only
+     * the first numeric digits are returned. This causes UUIDs to be returned as an int when
+     * looking up users, thus returning the wrong subusers (or no subuser at all).
+     *
+     * For example, 12aaaaaa-bbbb-cccc-ddddeeeeffff would be cast to "12" if you tried to cast
+     * it to an integer. Then, in the deep API middlewares you would end up trying to load a user
+     * with an ID of 12, which may or may not exist and be wrongly assigned to the model object.
+     *
+     * @see https://github.com/pterodactyl/panel/issues/2359
+     */
+    public function testCorrectSubuserIsDeletedFromServer()
+    {
+        [$user, $server] = $this->generateTestAccount();
+
+        /** @var \Pterodactyl\Models\User $differentUser */
+        $differentUser = factory(User::class)->create();
+
+        // Generate a UUID that lines up with a user in the database if it were to be cast to an int.
+        $uuid = $differentUser->id . str_repeat('a', strlen((string)$differentUser->id)) . substr(Uuid::uuid4()->toString(), 8);
+
+        /** @var \Pterodactyl\Models\User $subuser */
+        $subuser = factory(User::class)->create(['uuid' => $uuid]);
+
+        Subuser::query()->forceCreate([
+            'user_id' => $subuser->id,
+            'server_id' => $server->id,
+            'permissions' => [ Permission::ACTION_WEBSOCKET_CONNECT ],
+        ]);
+
+        $this->actingAs($user)->deleteJson($this->link($server) . "/users/{$subuser->uuid}")->assertNoContent();
+
+        // Try the same test, but this time with a UUID that if cast to an int (shouldn't) line up with
+        // anything in the database.
+        $uuid = '18180000' . substr(Uuid::uuid4()->toString(), 8);
+        /** @var \Pterodactyl\Models\User $subuser */
+        $subuser = factory(User::class)->create(['uuid' => $uuid]);
+
+        Subuser::query()->forceCreate([
+            'user_id' => $subuser->id,
+            'server_id' => $server->id,
+            'permissions' => [ Permission::ACTION_WEBSOCKET_CONNECT ],
+        ]);
+
+        $this->actingAs($user)->deleteJson($this->link($server) . "/users/{$subuser->uuid}")->assertNoContent();
+    }
+}