From e1089e0b73dccd6373af9750fd909c137f598d20 Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Wed, 4 Aug 2021 21:36:57 -0700
Subject: [PATCH] Update calls to abstract class

---
 .../Controllers/Api/Client/ApiKeyController.php | 5 +++--
 .../Api/Client/Servers/ScheduleTaskController.php | 11 ++++++-----
 .../Api/Client/Servers/WebsocketController.php | 12 ++++--------
 app/Http/Requests/Api/Client/AccountApiRequest.php | 2 +-
 .../Requests/Api/Client/WebsocketTokenRequest.php | 13 +++++++++++++
 5 files changed, 27 insertions(+), 16 deletions(-)
 create mode 100644 app/Http/Requests/Api/Client/WebsocketTokenRequest.php

diff --git a/app/Http/Controllers/Api/Client/ApiKeyController.php b/app/Http/Controllers/Api/Client/ApiKeyController.php
index a5c65c1c2..8f09a6162 100644
--- a/app/Http/Controllers/Api/Client/ApiKeyController.php
+++ b/app/Http/Controllers/Api/Client/ApiKeyController.php
@@ -5,6 +5,7 @@ namespace Pterodactyl\Http\Controllers\Api\Client;
 use Illuminate\Http\Response;
 use Pterodactyl\Exceptions\DisplayException;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
+use Pterodactyl\Http\Requests\Api\Client\AccountApiRequest;
 use Pterodactyl\Http\Requests\Api\Client\Account\StoreApiKeyRequest;
 use Pterodactyl\Transformers\Api\Client\PersonalAccessTokenTransformer;
 
@@ -15,7 +16,7 @@ class ApiKeyController extends ClientApiController
 *
 * @throws \Illuminate\Contracts\Container\BindingResolutionException
 */
- public function index(ClientApiRequest $request): array
+ public function index(AccountApiRequest $request): array
 {
 return $this->fractal->collection($request->user()->tokens)
 ->transformWith($this->getTransformer(PersonalAccessTokenTransformer::class))
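Review bot: The `use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;` import kept in the first hunk looks dead once `index` here and `delete` in the `@@ -49,7` hunk are typed against `AccountApiRequest`; only part of the file is visible, so drop it unless another method still references it. The docblock on `index` says nothing about authorization now that the check has moved out of the controller into the request class, so I would add ` * Authorization is delegated to the AccountApiRequest type-hint (presumably via its permission()); this method assumes the caller has already been gated.` so the next maintainer does not re-add an inline check or, worse, widen the type back to `ClientApiRequest`. `index` continues past the end of the hunk.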
@@ -49,7 +50,7 @@ class ApiKeyController extends ClientApiController
 /**
 * Deletes a given API key.
 */
- public function delete(ClientApiRequest $request, string $id): Response
+ public function delete(AccountApiRequest $request, string $id): Response
 {
 $request->user()->tokens()->where('token_id', $id)->delete();
 
diff --git a/app/Http/Controllers/Api/Client/Servers/ScheduleTaskController.php b/app/Http/Controllers/Api/Client/Servers/ScheduleTaskController.php
index f8379e5e5..4ae726429 100644
--- a/app/Http/Controllers/Api/Client/Servers/ScheduleTaskController.php
+++ b/app/Http/Controllers/Api/Client/Servers/ScheduleTaskController.php
@@ -15,6 +15,7 @@ use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
 use Pterodactyl\Exceptions\Service\ServiceLimitExceededException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Schedules\StoreTaskRequest;
+use Pterodactyl\Http\Requests\Api\Client\Servers\Schedules\UpdateScheduleRequest;
 
 class ScheduleTaskController extends ClientApiController
 {
@@ -101,18 +102,18 @@ class ScheduleTaskController extends ClientApiController
 * Delete a given task for a schedule. If there are subsequent tasks stored in the database
 * for this schedule their sequence IDs are decremented properly.
 *
+ * This uses the UpdateScheduleRequest intentionally -- there is no permission specific
+ * to deleting a given task on a schedule, so we'll assume if you have permission to edit
+ * a schedule that you can then remove a task from said schedule.
+ * @throws \Exception
 */
- public function delete(ClientApiRequest $request, Server $server, Schedule $schedule, Task $task): Response
+ public function delete(UpdateScheduleRequest $request, Server $server, Schedule $schedule, Task $task): Response
 {
 if ($task->schedule_id !== $schedule->id || $schedule->server_id !== $server->id) {
 throw new NotFoundHttpException();
 }
 
- if (!$request->user()->can(Permission::ACTION_SCHEDULE_UPDATE, $server)) {
- throw new HttpForbiddenException('You do not have permission to perform this action.');
- }
-
 $schedule->tasks()->where('sequence_id', '>', $task->sequence_id)->update([
 'sequence_id' => $schedule->tasks()->getConnection()->raw('(sequence_id - 1)'),
 ]);
diff --git a/app/Http/Controllers/Api/Client/Servers/WebsocketController.php b/app/Http/Controllers/Api/Client/Servers/WebsocketController.php
index 4dc1f4026..72219c0a7 100644
--- a/app/Http/Controllers/Api/Client/Servers/WebsocketController.php
+++ b/app/Http/Controllers/Api/Client/Servers/WebsocketController.php
@@ -10,6 +10,7 @@ use Pterodactyl\Services\Nodes\NodeJWTService;
 use Pterodactyl\Exceptions\Http\HttpForbiddenException;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 use Pterodactyl\Services\Servers\GetUserPermissionsService;
+use Pterodactyl\Http\Requests\Api\Client\WebsocketTokenRequest;
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
 
 class WebsocketController extends ClientApiController
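Review bot: Typing `delete` against `UpdateScheduleRequest` means that request's `rules()` validation runs on this DELETE as well as its `permission()` gate; if it declares required fields for the schedule-update body, a task delete sent with an empty body would be rejected with a validation error before reaching this code. The request class is not in the diff, so confirm its rules are all optional or that it only overrides `permission()`, and otherwise prefer a request class that carries only the schedule-update permission. With the explicit `can(Permission::ACTION_SCHEDULE_UPDATE, $server)` check removed, `HttpForbiddenException`, `Permission` and `ClientApiRequest` may now be unused imports in this file, though only part of it is visible. `delete` continues past the end of the hunk.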
@@ -36,14 +37,9 @@ class WebsocketController extends ClientApiController
 * allows us to continually renew this token and avoid users maintaining sessions wrongly,
 * as well as ensure that user's only perform actions they're allowed to.
 */
- public function __invoke(ClientApiRequest $request, Server $server): JsonResponse
+ public function __invoke(WebsocketTokenRequest $request, Server $server): JsonResponse
 {
- $user = $request->user();
- if ($user->cannot(Permission::ACTION_WEBSOCKET_CONNECT, $server)) {
- throw new HttpForbiddenException('You do not have permission to connect to this server\'s websocket.');
- }
-
- $permissions = $this->permissionsService->handle($server, $user);
+ $permissions = $this->permissionsService->handle($server, $request->user());
 $node = $server->node;
 
 if (!is_null($server->transfer)) {
@@ -65,7 +61,7 @@ class WebsocketController extends ClientApiController
 'server_uuid' => $server->uuid,
 'permissions' => $permissions,
 ])
- ->handle($node, $user->id . $server->uuid);
+ ->handle($node, $request->user()->id . $server->uuid);
 
 $socket = str_replace(['https://', 'http://'], ['wss://', 'ws://'], $node->getConnectionAddress());
 
diff --git a/app/Http/Requests/Api/Client/AccountApiRequest.php b/app/Http/Requests/Api/Client/AccountApiRequest.php
index f060f3f0a..5eb087b8e 100644
--- a/app/Http/Requests/Api/Client/AccountApiRequest.php
+++ b/app/Http/Requests/Api/Client/AccountApiRequest.php
@@ -2,7 +2,7 @@
 
 namespace Pterodactyl\Http\Requests\Api\Client;
 
-abstract class AccountApiRequest extends ClientApiRequest
+class AccountApiRequest extends ClientApiRequest
 {
 public function permission(): string
 {
diff --git a/app/Http/Requests/Api/Client/WebsocketTokenRequest.php b/app/Http/Requests/Api/Client/WebsocketTokenRequest.php
new file mode 100644
index 000000000..fad5bdc6e
--- /dev/null
+++ b/app/Http/Requests/Api/Client/WebsocketTokenRequest.php
@@ -0,0 +1,13 @@
+
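Review bot: `$request->user()` is now resolved twice in `__invoke`, once for `permissionsService->handle` in this hunk and again for the JWT subject in the `@@ -65,7` hunk; keeping the removed `$user = $request->user();` local and passing `$user` in both places reads more clearly and makes it obvious that the permissions baked into the token and the token's subject describe the same user. With the inline `cannot(Permission::ACTION_WEBSOCKET_CONNECT, $server)` check gone, the `HttpForbiddenException` and `ClientApiRequest` imports visible in the `@@ -10,6` hunk (and `Permission`, if imported) are probably dead in this file, though only part of it is visible. The body of the new `WebsocketTokenRequest` is cut off in this chunk, so I could not confirm that its `permission()` returns the websocket-connect permission the removed check enforced; that equivalence is what keeps the token endpoint gated as before and deserves a test. `__invoke` continues past the end of the hunk.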
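Review bot: Dropping `abstract` makes `AccountApiRequest` the concrete request type that account controller actions are now typed against directly, so the value returned by `permission()` (its body is below the hunk) presumably becomes the single authorization gate for every such action. That is worth stating in a class docblock so nobody later treats it as a mere base class, e.g. ` * Request type for account-scoped client API endpoints; controllers rely on permission() for authorization, so changing its return value changes access for every action typed against this class.`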