fix: Update player retrieval filter to use UsernameAndGuid and enhance player link security in RconPlayers

frasermolyneux · frasermolyneux · commit beb9b345de2e · 2026-06-03T18:58:25.000+01:00
diff --git a/src/XtremeIdiots.Portal.Web/Controllers/ServerAdminController.cs b/src/XtremeIdiots.Portal.Web/Controllers/ServerAdminController.cs
@@ -325,7 +325,7 @@ private async Task<object> EnrichRconPlayerDataAsync(dynamic rconPlayer, GameTyp
             {
                 // Search for player by GUID using GetPlayers with filter
                 var playerResponse = await repositoryApiClient.Players.V1.GetPlayers(
-                    gameType, null, guid, 0, 1, PlayersOrder.LastSeenDesc, PlayerEntityOptions.None).ConfigureAwait(false);
+                    gameType, PlayersFilter.UsernameAndGuid, guid, 0, 1, PlayersOrder.LastSeenDesc, PlayerEntityOptions.None).ConfigureAwait(false);
 
                 if (playerResponse.IsSuccess && playerResponse.Result?.Data?.Items?.Any() == true)
                 {
@@ -1509,7 +1509,7 @@ private async Task CreateAdminActionForRconOperationAsync(
         {
             // Try to find existing player profile by searching with GUID
             var playerResponse = await repositoryApiClient.Players.V1.GetPlayers(
-                gameType, null, playerGuidStr, 0, 1, PlayersOrder.LastSeenDesc, PlayerEntityOptions.None).ConfigureAwait(false);
+                gameType, PlayersFilter.UsernameAndGuid, playerGuidStr, 0, 1, PlayersOrder.LastSeenDesc, PlayerEntityOptions.None).ConfigureAwait(false);
 
             if (!playerResponse.IsSuccess || playerResponse.Result?.Data?.Items?.Any() != true)
             {
diff --git a/src/XtremeIdiots.Portal.Web/wwwroot/js/rcon-players.js b/src/XtremeIdiots.Portal.Web/wwwroot/js/rcon-players.js
@@ -65,7 +65,7 @@ var RconPlayers = (function () {
                     data: 'name', name: 'name',
                     render: function (data, type, row) {
                         if (row.playerId) {
-                            return '<a href="/Players/Details/' + row.playerId + '">' + CodColors.renderSafe(row.name) + '</a>';
+                            return '<a href="/Players/Details/' + row.playerId + '" target="_blank" rel="noopener noreferrer">' + CodColors.renderSafe(row.name) + '</a>';
                         }
                         return CodColors.renderSafe(row.name);
                     }

Original file line number	Diff line number	Diff line change
`@@ -325,7 +325,7 @@ private async Task<object> EnrichRconPlayerDataAsync(dynamic rconPlayer, GameTyp`
`325`	`325`	`{`
`326`	`326`	`// Search for player by GUID using GetPlayers with filter`
`327`	`327`	`var playerResponse = await repositoryApiClient.Players.V1.GetPlayers(`
`328`		`- gameType, null, guid, 0, 1, PlayersOrder.LastSeenDesc, PlayerEntityOptions.None).ConfigureAwait(false);`
	`328`	`+ gameType, PlayersFilter.UsernameAndGuid, guid, 0, 1, PlayersOrder.LastSeenDesc, PlayerEntityOptions.None).ConfigureAwait(false);`
`329`	`329`
`330`	`330`	`if (playerResponse.IsSuccess && playerResponse.Result?.Data?.Items?.Any() == true)`
`331`	`331`	`{`
`@@ -1509,7 +1509,7 @@ private async Task CreateAdminActionForRconOperationAsync(`
`1509`	`1509`	`{`
`1510`	`1510`	`// Try to find existing player profile by searching with GUID`
`1511`	`1511`	`var playerResponse = await repositoryApiClient.Players.V1.GetPlayers(`
`1512`		`- gameType, null, playerGuidStr, 0, 1, PlayersOrder.LastSeenDesc, PlayerEntityOptions.None).ConfigureAwait(false);`
	`1512`	`+ gameType, PlayersFilter.UsernameAndGuid, playerGuidStr, 0, 1, PlayersOrder.LastSeenDesc, PlayerEntityOptions.None).ConfigureAwait(false);`
`1513`	`1513`
`1514`	`1514`	`if (!playerResponse.IsSuccess \|\| playerResponse.Result?.Data?.Items?.Any() != true)`
`1515`	`1515`	`{`
Original file line number	Diff line number	Diff line change
`@@ -65,7 +65,7 @@ var RconPlayers = (function () {`
`65`	`65`	`data: 'name', name: 'name',`
`66`	`66`	`render: function (data, type, row) {`
`67`	`67`	`if (row.playerId) {`
`68`		`- return '<a href="/Players/Details/' + row.playerId + '">' + CodColors.renderSafe(row.name) + '</a>';`
	`68`	`+ return '<a href="/Players/Details/' + row.playerId + '" target="_blank" rel="noopener noreferrer">' + CodColors.renderSafe(row.name) + '</a>';`
`69`	`69`	`}`
`70`	`70`	`return CodColors.renderSafe(row.name);`
`71`	`71`	`}`