From f91e4c511ec7061050f41997674d9d83dda11b1b Mon Sep 17 00:00:00 2001
From: Dane Everitt
Date: Sat, 18 Feb 2017 21:45:11 -0500
Subject: [PATCH] Attach user to cache to prevent showing servers they can't access.
---
 CHANGELOG.md | 4 ++++
 app/Models/Server.php | 2 +-
 app/Observers/ServerObserver.php | 5 +++--
 3 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3c186e143..d90ec523e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,10 @@ This file is a running track of new features and fixes to each version of the pa
 This project follows [Semantic Versioning](http://semver.org) guidelines.
+## v0.6.0-pre.4 (Courageous Carniadactylus)
+### Fixed
+* `[pre.3]` — Fixes bug in cache handler that doesn't cache against the user making the request. Would have allowed for users to access servers not belonging to themselves in production.
+
 ## v0.6.0-pre.3 (Courageous Carniadactylus)
 ### Fixed
 * `[pre.2]` — Fixes bug where servers could not be manually deployed to nodes due to a broken SQL call.
diff --git a/app/Models/Server.php b/app/Models/Server.php
index 8527e6a14..7c69c763f 100644
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@@ -96,7 +96,7 @@ class Server extends Model
 public static function byUuid($uuid)
 {
 // Results are cached because we call this functions a few times on page load.
- $result = Cache::remember('Server.byUuid.' . $uuid, 60, function () use ($uuid) {
+ $result = Cache::remember('Server.byUuid.' . $uuid . Auth::user()->uuid, 60, function () use ($uuid) {
 $query = self::with('service', 'node')->where(function ($q) use ($uuid) {
 $q->where('uuidShort', $uuid)->orWhere('uuid', $uuid);
 });
diff --git a/app/Observers/ServerObserver.php b/app/Observers/ServerObserver.php
index 556d1c165..5d919a559 100644
--- a/app/Observers/ServerObserver.php
+++ b/app/Observers/ServerObserver.php
@@ -24,6 +24,7 @@ namespace Pterodactyl\Observers;
+use Auth;
 use Cache;
 use Carbon;
 use Pterodactyl\Events;
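Review bot: The new cache key in `byUuid()` dereferences `Auth::user()->uuid` unconditionally, so any call that reaches this method without an authenticated user (a console command, a queued job, or any non-session code path that happens to call it) dies on a null property access rather than failing with a meaningful error. Resolve the user once and fail explicitly before building the key, e.g. `if (is_null(Auth::user())) { throw new \LogicException('Server::byUuid() requires an authenticated user.'); }`, and put a delimiter between the two identifiers, `'Server.byUuid.' . $uuid . '.' . Auth::user()->uuid`, so the server and user parts of the key cannot run together. Scoping the key per user is only a correct fix if the per-user access filtering happens inside the cached closure; the closure body and the rest of `byUuid()` continue outside this hunk, so that cannot be confirmed from here and is worth a comment on the `Cache::remember` line stating that the cached result is user-specific for that reason.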
@@ -141,8 +142,8 @@ class ServerObserver
 public function updated(Server $server)
 {
 // Clear Caches
- Cache::forget('Server.byUuid.' . $server->uuid);
- Cache::forget('Server.byUuid.' . $server->uuidShort);
+ Cache::forget('Server.byUuid.' . $server->uuid . Auth::user()->uuid);
+ Cache::forget('Server.byUuid.' . $server->uuidShort . Auth::user()->uuid);
 event(new Events\Server\Updated($server));
 }
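Review bot: The two `Cache::forget` calls now evict only the entry keyed to the user who happens to be authenticated when the observer fires, so every other user who has already cached this server keeps the stale copy for the rest of the TTL (60 in `Server::byUuid`), and an update that runs outside an authenticated request fails on `Auth::user()->uuid` being a null dereference. Per-user keys cannot be enumerated from the observer, so a null guard alone would only hide the staleness; the invalidation needs a shape that does not depend on the actor, such as tagging the entries written in `byUuid()` (Laravel's `Cache::tags(...)`, on a store that supports tagging) and flushing that tag here, or keying the cache on a per-server version stamp that `updated()` bumps. Until that is done, a comment on the `forget` lines such as `// NOTE: only evicts the current user's entry; other users' cached copies expire with the TTL` would keep the limitation visible to the next maintainer.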