From 0afa568095ee71ac970571f6d0b816614ae932f4 Mon Sep 17 00:00:00 2001 From: Dane Everitt Date: Fri, 30 Dec 2016 16:28:43 -0500 Subject: [PATCH] Address two bugs in subuser system. 1.) Prevents adding the owner of a server as a subuser which could potentially break things. 2.) Prevents adding duplicate subusers for a server. --- CHANGELOG.md | 2 ++ app/Repositories/SubuserRepository.php | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 473b6b134..601888c4d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,8 @@ This project follows [Semantic Versioning](http://semver.org) guidelines. * Fixes bug where assigning a variable a default value (or valid value) of `0` would cause the panel to reject the value thinking it did not exist. * Addresses potential for crash by limiting total ports that can be assigned per-range to 2000. * Fixes server names requiring at minimum 4 characters. Name can now be 1 to 200 characters long. :pencil2: +* Fixes bug that would allow adding the owner of a server as a subuser for that same server. +* Fixes bug that would allow creating multiple subusers with the same email address. ## v0.5.5 (Bodacious Boreopterus) ### Added diff --git a/app/Repositories/SubuserRepository.php b/app/Repositories/SubuserRepository.php index d7620732a..0f41eae09 100644 --- a/app/Repositories/SubuserRepository.php +++ b/app/Repositories/SubuserRepository.php @@ -117,6 +117,7 @@ class SubuserRepository public function create($sid, array $data) { $server = Models\Server::findOrFail($sid); + $validator = Validator::make($data, [ 'permissions' => 'required|array', 'email' => 'required|email', 
@@ -140,6 +141,10 @@ class SubuserRepository } catch (\Exception $ex) { throw $ex; } + } else if ($server->owner === $user->id) { + throw new DisplayException('You cannot add the owner of a server as a subuser.'); + } else if (Models\Subuser::select('id')->where('user_id', $user->id)->where('server_id', $server->id)->first()) { + throw new DisplayException('A subuser with that email already exists for this server.'); } $uuid = new UuidService; @@ -159,6 +164,7 @@ class SubuserRepository if (! is_null($this->permissions[$permission])) { array_push($daemonPermissions, $this->permissions[$permission]); } + $model = new Models\Permission; $model->fill([ 'user_id' => $user->id,
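Review bot: In the `@@ -140,6 +141,10 @@` hunk, the duplicate-subuser test in the second `else if` is a read that is only later followed by the insert, so two concurrent requests for the same email can both pass it and create two rows. Whether a transaction or a unique index already covers this is not visible here. A unique index on the subuser table's `(user_id, server_id)` pair would enforce the rule in the database, with the constraint violation mapped to the same DisplayException. The owner test `$server->owner === $user->id` is strict, so it would silently stop matching if the two attributes are hydrated with different types (for example an int-cast primary key against an uncast `owner` column); it is worth confirming both are cast to integers. `create()` begins and ends outside this hunk.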