ensure config integrity (#2716)

LycheeOrg · Nov 20, 2024 · 1a0673a · 1a0673a
1 parent 561a4d4
commit 1a0673a
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 2 deletions.
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -93,5 +93,6 @@ class Kernel extends HttpKernel
 		'login_required' => \App\Http\Middleware\LoginRequired::class,
 		'cache_control' => \App\Http\Middleware\CacheControl::class,
 		'support' => \LycheeVerify\Http\Middleware\VerifySupporterStatus::class,
+		'config_integrity' => \App\Http\Middleware\ConfigIntegrity::class,
 	];
 }
diff --git a/app/Http/Middleware/ConfigIntegrity.php b/app/Http/Middleware/ConfigIntegrity.php
@@ -0,0 +1,47 @@
+<?php
+
+// app/Http/Middleware/CacheControlMiddleware.php
+
+namespace App\Http\Middleware;
+
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Small update of the database to avoid sneaky people setting all the levels to 0 and thus skipping some checks...
+ */
+class ConfigIntegrity
+{
+	private const SE_FIELDS = [
+		'default_user_quota',
+		'timeline_photos_granularity',
+		'timeline_albums_granularity',
+		'timeline_left_border_enabled',
+		'timeline_photo_date_format_year',
+		'timeline_photo_date_format_month',
+		'timeline_photo_date_format_day',
+		'timeline_photo_date_format_hour',
+		'timeline_album_date_format_year',
+		'timeline_album_date_format_month',
+		'timeline_album_date_format_day',
+	];
+
+	/**
+	 * Handle an incoming request.
+	 *
+	 * @param \Illuminate\Http\Request                                                                          $request
+	 * @param \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse) $next
+	 *
+	 * @return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
+	 */
+	public function handle(Request $request, \Closure $next)
+	{
+		try {
+			DB::table('configs')->whereIn('key', self::SE_FIELDS)->update(['level' => 1]);
+		} catch (\Exception $e) {
+			// Do nothing: we are not installed yet, so we fail silently.
+		}
+
+		return $next($request);
+	}
+}
diff --git a/routes/api_v1.php b/routes/api_v1.php
@@ -174,7 +174,7 @@
 Route::post('/Settings::setCSS', [AdministrationSettingsController::class, 'setCSS']);
 Route::post('/Settings::setJS', [AdministrationSettingsController::class, 'setJS']);
 Route::post('/Settings::getAll', [AdministrationSettingsController::class, 'getAll']);
-Route::post('/Settings::saveAll', [AdministrationSettingsController::class, 'saveAll']);
+Route::post('/Settings::saveAll', [AdministrationSettingsController::class, 'saveAll'])->middleware(['config_integrity']);
 Route::post('/Settings::setAlbumDecoration', [AdministrationSettingsController::class, 'setAlbumDecoration']);
 Route::post('/Settings::setOverlayType', [AdministrationSettingsController::class, 'setImageOverlayType']);
 Route::post('/Settings::setNSFWVisible', [AdministrationSettingsController::class, 'setNSFWVisible']);

diff --git a/routes/api_v2.php b/routes/api_v2.php
@@ -186,7 +186,7 @@
  * SETTINGS.
  */
 Route::get('/Settings', [Admin\SettingsController::class, 'getAll']);
-Route::post('/Settings::setConfigs', [Admin\SettingsController::class, 'setConfigs']);
+Route::post('/Settings::setConfigs', [Admin\SettingsController::class, 'setConfigs'])->middleware(['config_integrity']);
 Route::get('/Settings::getLanguages', [Admin\SettingsController::class, 'getLanguages']);
 Route::post('/Settings::setCSS', [Admin\SettingsController::class, 'setCSS']);
 Route::post('/Settings::setJS', [Admin\SettingsController::class, 'setJS']);