Attach user to cache to prevent showing servers they can't access.

Author: DaneEveritt

CHANGELOG.md

@@ -3,6 +3,10 @@ This file is a running track of new features and fixes to each version of the pa
 
 This project follows [Semantic Versioning](http://semver.org) guidelines.
 
+## v0.6.0-pre.4 (Courageous Carniadactylus)
+### Fixed
+* `[pre.3]` — Fixes bug in cache handler that doesn't cache against the user making the request. Would have allowed for users to access servers not belonging to themselves in production.
+
 ## v0.6.0-pre.3 (Courageous Carniadactylus)
 ### Fixed
 * `[pre.2]` — Fixes bug where servers could not be manually deployed to nodes due to a broken SQL call.

app/Models/Server.php

@@ -96,7 +96,7 @@ class Server extends Model
     public static function byUuid($uuid)
     {
         // Results are cached because we call this functions a few times on page load.
-        $result = Cache::remember('Server.byUuid.' . $uuid, 60, function () use ($uuid) {
+        $result = Cache::remember('Server.byUuid.' . $uuid . Auth::user()->uuid, 60, function () use ($uuid) {
             $query = self::with('service', 'node')->where(function ($q) use ($uuid) {
                 $q->where('uuidShort', $uuid)->orWhere('uuid', $uuid);
             });

app/Observers/ServerObserver.php

@@ -24,6 +24,7 @@
 
 namespace Pterodactyl\Observers;
 
+use Auth;
 use Cache;
 use Carbon;
 use Pterodactyl\Events;
@@ -141,8 +142,8 @@ public function updating(Server $server)
     public function updated(Server $server)
     {
         // Clear Caches
-        Cache::forget('Server.byUuid.' . $server->uuid);
-        Cache::forget('Server.byUuid.' . $server->uuidShort);
+        Cache::forget('Server.byUuid.' . $server->uuid . Auth::user()->uuid);
+        Cache::forget('Server.byUuid.' . $server->uuidShort . Auth::user()->uuid);
 
         event(new Events\Server\Updated($server));
     }