Don't return variables to users that they should not be able to see; closes #2388

app/Transformers/Api/Client/EggVariableTransformer.php

@@ -2,6 +2,8 @@
 
 namespace Pterodactyl\Transformers\Api\Client;
 
+use BadMethodCallException;
+use InvalidArgumentException;
 use Pterodactyl\Models\EggVariable;
 
 class EggVariableTransformer extends BaseClientTransformer
@@ -20,6 +22,15 @@ class EggVariableTransformer extends BaseClientTransformer
      */
     public function transform(EggVariable $variable)
     {
+        // This guards against someone incorrectly retrieving variables (haha, me) and then passing
+        // them into the transformer and along to the user. Just throw an exception and break the entire
+        // pathway since you should never be exposing these types of variables to a client.
+        if (!$variable->user_viewable) {
+            throw new BadMethodCallException(
+                'Cannot transform a hidden egg variable in a client transformer.'
+            );
+        }
+
         return [
             'name' => $variable->name,
             'description' => $variable->description,