[Security] Don't return all servers on the system when not a root admin and admin level servers are requested
Cleaned up the API endpoint by simplifying the logic and adds test case to cover this bug. If you ever need to list _all_ of the servers on the system you should be using the application API endpoint for the servers most likely.
This commit is contained in:
Dane Everitt
parent
24db6d9128
commit
f0ac0725b6
6 changed files with 84 additions and 88 deletions
|
|
@ -2,8 +2,6 @@
|
|||
|
||||
namespace Pterodactyl\Http\Requests\Api\Client;
|
||||
|
||||
use Pterodactyl\Models\User;
|
||||
|
||||
class GetServersRequest extends ClientApiRequest
|
||||
{
|
||||
/**
|
||||
|
|
@ -13,28 +11,4 @@ class GetServersRequest extends ClientApiRequest
|
|||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Return the filtering method for servers when the client base endpoint is requested.
|
||||
*
|
||||
* @return int
|
||||
*/
|
||||
public function getFilterLevel(): int
|
||||
{
|
||||
switch ($this->input('type')) {
|
||||
case 'all':
|
||||
return User::FILTER_LEVEL_ALL;
|
||||
break;
|
||||
case 'admin':
|
||||
return User::FILTER_LEVEL_ADMIN;
|
||||
break;
|
||||
case 'owner':
|
||||
return User::FILTER_LEVEL_OWNER;
|
||||
break;
|
||||
case 'subuser-of':
|
||||
default:
|
||||
return User::FILTER_LEVEL_SUBUSER;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
Reference in a new issue