Don't return variables to users that they should not be able to see; closes #2388

app/Http/Controllers/Api/Client/Servers/StartupController.php

@@ -2,15 +2,12 @@
 
 namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
 
-use Carbon\CarbonImmutable;
 use Pterodactyl\Models\Server;
-use Illuminate\Http\JsonResponse;
 use Pterodactyl\Services\Servers\StartupCommandService;
 use Pterodactyl\Services\Servers\VariableValidatorService;
 use Pterodactyl\Repositories\Eloquent\ServerVariableRepository;
 use Pterodactyl\Transformers\Api\Client\EggVariableTransformer;
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
-use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\GetStartupRequest;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Startup\UpdateStartupVariableRequest;
@@ -59,7 +56,9 @@ class StartupController extends ClientApiController
     {
         $startup = $this->startupCommandService->handle($server, false);
 
-        return $this->fractal->collection($server->variables)
+        return $this->fractal->collection(
+            $server->variables()->where('user_viewable', true)->get()
+        )
             ->transformWith($this->getTransformer(EggVariableTransformer::class))
             ->addMeta([
                 'startup_command' => $startup,
@@ -84,7 +83,7 @@ class StartupController extends ClientApiController
         /** @var \Pterodactyl\Models\EggVariable $variable */
         $variable = $server->variables()->where('env_variable', $request->input('key'))->first();
 
-        if (is_null($variable) || !$variable->user_viewable) {
+        if (is_null($variable) || ! $variable->user_viewable) {
             throw new BadRequestHttpException(
                 "The environment variable you are trying to edit does not exist."
             );