Don't return variables to users that they should not be able to see; closes #2388
This commit is contained in:
parent
7968258004
commit
2182a15494
|
@ -2,15 +2,12 @@
|
|||
|
||||
namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
|
||||
|
||||
use Carbon\CarbonImmutable;
|
||||
use Pterodactyl\Models\Server;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Pterodactyl\Services\Servers\StartupCommandService;
|
||||
use Pterodactyl\Services\Servers\VariableValidatorService;
|
||||
use Pterodactyl\Repositories\Eloquent\ServerVariableRepository;
|
||||
use Pterodactyl\Transformers\Api\Client\EggVariableTransformer;
|
||||
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
|
||||
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
|
||||
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
||||
use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\GetStartupRequest;
|
||||
use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\UpdateStartupVariableRequest;
|
||||
|
@ -59,7 +56,9 @@ class StartupController extends ClientApiController
|
|||
{
|
||||
$startup = $this->startupCommandService->handle($server, false);
|
||||
|
||||
return $this->fractal->collection($server->variables)
|
||||
return $this->fractal->collection(
|
||||
$server->variables()->where('user_viewable', true)->get()
|
||||
)
|
||||
->transformWith($this->getTransformer(EggVariableTransformer::class))
|
||||
->addMeta([
|
||||
'startup_command' => $startup,
|
||||
|
@ -84,7 +83,7 @@ class StartupController extends ClientApiController
|
|||
/** @var \Pterodactyl\Models\EggVariable $variable */
|
||||
$variable = $server->variables()->where('env_variable', $request->input('key'))->first();
|
||||
|
||||
if (is_null($variable) || !$variable->user_viewable) {
|
||||
if (is_null($variable) || ! $variable->user_viewable) {
|
||||
throw new BadRequestHttpException(
|
||||
"The environment variable you are trying to edit does not exist."
|
||||
);
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
|
||||
namespace Pterodactyl\Transformers\Api\Client;
|
||||
|
||||
use BadMethodCallException;
|
||||
use InvalidArgumentException;
|
||||
use Pterodactyl\Models\EggVariable;
|
||||
|
||||
class EggVariableTransformer extends BaseClientTransformer
|
||||
|
@ -20,6 +22,15 @@ class EggVariableTransformer extends BaseClientTransformer
|
|||
*/
|
||||
public function transform(EggVariable $variable)
|
||||
{
|
||||
// This guards against someone incorrectly retrieving variables (haha, me) and then passing
|
||||
// them into the transformer and along to the user. Just throw an exception and break the entire
|
||||
// pathway since you should never be exposing these types of variables to a client.
|
||||
if (!$variable->user_viewable) {
|
||||
throw new BadMethodCallException(
|
||||
'Cannot transform a hidden egg variable in a client transformer.'
|
||||
);
|
||||
}
|
||||
|
||||
return [
|
||||
'name' => $variable->name,
|
||||
'description' => $variable->description,
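Review bot: `BadMethodCallException` at the new guard in `transform()` is a misleading type: in SPL it signals a call to an undefined or unsupported method, whereas the failure here is the argument that was passed in, so `InvalidArgumentException` (already imported at the top of this file) or a plain `LogicException` describes it more accurately and is what a caller-side `catch` would naturally target. Whichever type is kept, the docblock that closes just above the signature should advertise it, e.g. `@throws \BadMethodCallException if the variable is not user-viewable`, since the transformer now fails hard instead of returning an array. The guard itself is sound defence in depth — a 500 is preferable to leaking a hidden value — but the message could name the offending variable (`$variable->env_variable`) to make the misuse easier to locate in logs, as the variable name is not itself secret. The `return [` array of `transform()` continues past the end of the hunk.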
|
||||
|
|