fix(api/client): add validation for backup request body (#4704)

Devonte W 2023-02-23 19:23:12 +00:00 committed by GitHub
parent aea5c474db
commit b746c3ead1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 5 deletions


@ -18,6 +18,7 @@ use Pterodactyl\Transformers\Api\Client\BackupTransformer;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController; use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException; use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Pterodactyl\Http\Requests\Api\Client\Servers\Backups\StoreBackupRequest; use Pterodactyl\Http\Requests\Api\Client\Servers\Backups\StoreBackupRequest;
use Pterodactyl\Http\Requests\Api\Client\Servers\Backups\RestoreBackupRequest;
class BackupController extends ClientApiController class BackupController extends ClientApiController
{ {
@ -188,12 +189,8 @@ class BackupController extends ClientApiController
* *
* @throws \Throwable * @throws \Throwable
*/ */
public function restore(Request $request, Server $server, Backup $backup): JsonResponse public function restore(RestoreBackupRequest $request, Server $server, Backup $backup): JsonResponse
{ {
if (!$request->user()->can(Permission::ACTION_BACKUP_RESTORE, $server)) {
throw new AuthorizationException();
}
// Cannot restore a backup unless a server is fully installed and not currently // Cannot restore a backup unless a server is fully installed and not currently
// processing a different backup restoration request. // processing a different backup restoration request.
if (!is_null($server->status)) { if (!is_null($server->status)) {
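Review bot: With the inline `can(Permission::ACTION_BACKUP_RESTORE, $server)` check removed from `restore()`, authorization for this endpoint now rests entirely on the `RestoreBackupRequest` type-hint, and nothing in the method says so. A later refactor that changes the parameter back to a plain `Request` would silently drop the permission check, so I'd add a comment at the top of the body such as `// Permission::ACTION_BACKUP_RESTORE is enforced by RestoreBackupRequest before this method runs.`. This assumes the parent `ClientApiRequest` authorizes the caller against the route's `$server` using `permission()`, which is not visible in this diff; a test asserting that a user without the restore permission is still rejected would pin that down. The body of `restore()` continues outside the hunk.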


@ -0,0 +1,19 @@
<?php
namespace Pterodactyl\Http\Requests\Api\Client\Servers\Backups;
use Pterodactyl\Models\Permission;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
class RestoreBackupRequest extends ClientApiRequest
{
public function permission(): string
{
return Permission::ACTION_BACKUP_RESTORE;
}
public function rules(): array
{
return ['truncate' => 'required|boolean'];
}
}
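Review bot: `rules()` makes `truncate` mandatory, so a restore request that omits the field is now rejected by validation instead of proceeding; that is a sensible default for what is presumably a destructive option, but it changes the contract for existing API clients and is not documented on the class. Laravel's `boolean` rule also accepts `1`, `0`, `"1"` and `"0"`, so the consumer should read the value with `$request->boolean('truncate')` rather than forwarding the raw input; the code that reads it is outside this diff. I'd add a class docblock stating that `permission()` supplies the permission the parent request checks and that `truncate` must be sent explicitly.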