Add basic logic to block actions to subusers after removing them from server

app/Http/Controllers/Api/Client/Servers/SubuserController.php

@@ -109,13 +109,16 @@ public function update(UpdateSubuserRequest $request, Server $server): array
         // Only update the database and hit up the Wings instance to invalidate JTI's if the permissions
         // have actually changed for the user.
         if ($permissions !== $current) {
-            $log->transaction(function ($instance) use ($request, $subuser, $server) {
+            $log->transaction(function ($instance) use ($request, $subuser, $server, $permissions, $current) {
                 $this->repository->update($subuser->id, [
                     'permissions' => $this->getDefaultPermissions($request),
                 ]);
 
                 try {
                     $this->serverRepository->setServer($server)->revokeUserJTI($subuser->user_id);
+                    if (in_array(Permission::ACTION_FILE_SFTP, $current) && !in_array(Permission::ACTION_FILE_SFTP, $permissions)) {
+                        $this->serverRepository->setServer($server)->disconnectSFTP($subuser->user->username);
+                    }
                 } catch (DaemonConnectionException $exception) {
                     // Don't block this request if we can't connect to the Wings instance. Chances are it is
                     // offline and the token will be invalid once Wings boots back.
@@ -151,6 +154,7 @@ public function delete(DeleteSubuserRequest $request, Server $server): JsonRespo
 
             try {
                 $this->serverRepository->setServer($server)->revokeUserJTI($subuser->user_id);
+                $this->serverRepository->setServer($server)->disconnectSFTP($subuser->user->username);
             } catch (DaemonConnectionException $exception) {
                 // Don't block this request if we can't connect to the Wings instance.
                 Log::warning($exception, ['user_id' => $subuser->user_id, 'server_id' => $server->id]);

app/Repositories/Wings/DaemonServerRepository.php

@@ -8,10 +8,6 @@
 use GuzzleHttp\Exception\TransferException;
 use Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException;
 
-/**
- * @method \Pterodactyl\Repositories\Wings\DaemonServerRepository setNode(\Pterodactyl\Models\Node $node)
- * @method \Pterodactyl\Repositories\Wings\DaemonServerRepository setServer(\Pterodactyl\Models\Server $server)
- */
 class DaemonServerRepository extends DaemonRepository
 {
     /**
@@ -159,4 +155,24 @@ protected function revokeJTIs(array $jtis): void
             throw new DaemonConnectionException($exception);
         }
     }
+
+    /**
+     * Disconnect active SFTP sessions for a specific user on the server.
+     *
+     * @throws DaemonConnectionException
+     */
+    public function disconnectSFTP(string $username): void
+    {
+        Assert::isInstanceOf($this->server, Server::class);
+        $sftpUsername = $username . '.' . $this->server->uuidShort;
+
+        try {
+            $this->getHttpClient()
+                ->delete(sprintf('/api/servers/%s/sftp/disconnect', $this->server->uuid), [
+                    'json' => ['username' => $sftpUsername],
+                ]);
+        } catch (TransferException $exception) {
+            throw new DaemonConnectionException($exception);
+        }
+    }
 }

tests/Integration/Api/Client/Server/Subuser/DeleteSubuserTest.php

@@ -36,7 +36,7 @@ public function testCorrectSubuserIsDeletedFromServer()
         $uuid = $differentUser->id . substr($real, strlen((string) $differentUser->id));
 
         /** @var User $subuser */
-        $subuser = User::factory()->create(['uuid' => $uuid]);
+        $subuser = User::factory()->create(['uuid' => $uuid, 'username' => 'test']);
 
         Subuser::query()->forceCreate([
             'user_id' => $subuser->id,
@@ -45,14 +45,15 @@ public function testCorrectSubuserIsDeletedFromServer()
         ]);
 
         $mock->expects('setServer->revokeUserJTI')->with($subuser->id)->andReturnUndefined();
+        $mock->expects('setServer->disconnectSFTP')->with($subuser->username)->andReturnUndefined();
 
         $this->actingAs($user)->deleteJson($this->link($server) . "/users/$subuser->uuid")->assertNoContent();
 
         // Try the same test, but this time with a UUID that if cast to an int (shouldn't) line up with
         // anything in the database.
         $uuid = '18180000' . substr(Uuid::uuid4()->toString(), 8);
         /** @var User $subuser */
-        $subuser = User::factory()->create(['uuid' => $uuid]);
+        $subuser = User::factory()->create(['uuid' => $uuid, 'username' => 'test1']);
 
         Subuser::query()->forceCreate([
             'user_id' => $subuser->id,
@@ -61,6 +62,7 @@ public function testCorrectSubuserIsDeletedFromServer()
         ]);
 
         $mock->expects('setServer->revokeUserJTI')->with($subuser->id)->andReturnUndefined();
+        $mock->expects('setServer->disconnectSFTP')->with($subuser->username)->andReturnUndefined();
 
         $this->actingAs($user)->deleteJson($this->link($server) . "/users/$subuser->uuid")->assertNoContent();
     }

tests/Integration/Api/Client/Server/Subuser/SubuserAuthorizationTest.php

@@ -37,6 +37,7 @@ public function testUserCannotAccessResourceBelongingToOtherServers(string $meth
         $this->instance(DaemonServerRepository::class, $mock = \Mockery::mock(DaemonServerRepository::class));
         if ($method === 'DELETE') {
             $mock->expects('setServer->revokeUserJTI')->with($internal->id)->andReturnUndefined();
+            $mock->expects('setServer->disconnectSFTP')->with($internal->username)->andReturnUndefined();
         }
 
         // This route is acceptable since they're accessing a subuser on their own server.