From ca25ba5fab2a482f5f673495d9365b5a8fda17db Mon Sep 17 00:00:00 2001
From: Matthew Penner <me@matthewp.io>
Date: Tue, 3 Aug 2021 20:56:02 -0600
Subject: [PATCH] sftp: deny access if server is suspended (#100)

---
 sftp/handler.go | 16 ++++++++++++----
 sftp/server.go  |  2 +-
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/sftp/handler.go b/sftp/handler.go
index ba904f1..2f3f0b9 100644
--- a/sftp/handler.go
+++ b/sftp/handler.go
@@ -14,6 +14,7 @@ import (
 	"golang.org/x/crypto/ssh"
 
 	"github.com/pterodactyl/wings/config"
+	"github.com/pterodactyl/wings/server"
 	"github.com/pterodactyl/wings/server/filesystem"
 )
 
@@ -26,8 +27,10 @@ const (
 )
 
 type Handler struct {
+	mu sync.Mutex
+
 	permissions []string
-	mu          sync.Mutex
+	server      *server.Server
 	fs          *filesystem.Filesystem
 	logger      *log.Entry
 	ro          bool
@@ -35,11 +38,12 @@ type Handler struct {
 
 // Returns a new connection handler for the SFTP server. This allows a given user
 // to access the underlying filesystem.
-func NewHandler(sc *ssh.ServerConn, fs *filesystem.Filesystem) *Handler {
+func NewHandler(sc *ssh.ServerConn, srv *server.Server) *Handler {
 	return &Handler{
-		fs:          fs,
-		ro:          config.Get().System.Sftp.ReadOnly,
 		permissions: strings.Split(sc.Permissions.Extensions["permissions"], ","),
+		server:      srv,
+		fs:          srv.Filesystem(),
+		ro:          config.Get().System.Sftp.ReadOnly,
 		logger: log.WithFields(log.Fields{
 			"subsystem": "sftp",
 			"username":  sc.User(),
@@ -278,6 +282,10 @@ func (h *Handler) Filelist(request *sftp.Request) (sftp.ListerAt, error) {
 // Determines if a user has permission to perform a specific action on the SFTP server. These
 // permissions are defined and returned by the Panel API.
 func (h *Handler) can(permission string) bool {
+	if h.server.IsSuspended() {
+		return false
+	}
+
 	// SFTPServer owners and super admins have their permissions returned as '[*]' via the Panel
 	// API, so for the sake of speed do an initial check for that before iterating over the
 	// entire array of permissions.
diff --git a/sftp/server.go b/sftp/server.go
index fda47b7..a2d03f0 100644
--- a/sftp/server.go
+++ b/sftp/server.go
@@ -141,7 +141,7 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
 
 		// Spin up a SFTP server instance for the authenticated user's server allowing
 		// them access to the underlying filesystem.
-		handler := sftp.NewRequestServer(channel, NewHandler(sconn, srv.Filesystem()).Handlers())
+		handler := sftp.NewRequestServer(channel, NewHandler(sconn, srv).Handlers())
 		if err := handler.Serve(); err == io.EOF {
 			handler.Close()
 		}