From 647d7ec123dd23f60a3123fc5c5ac193d9a5394c Mon Sep 17 00:00:00 2001
From: ildyria <beviguier@gmail.com>
Date: Wed, 20 Nov 2024 12:37:20 +0100
Subject: [PATCH] ensure config integrity

---
 app/Http/Kernel.php                     |  1 +
 app/Http/Middleware/ConfigIntegrity.php | 47 +++++++++++++++++++++++++
 routes/api_v1.php                       |  2 +-
 routes/api_v2.php                       |  2 +-
 4 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 app/Http/Middleware/ConfigIntegrity.php

diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 46c53d769e5..db7d6cf34a4 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -93,5 +93,6 @@ class Kernel extends HttpKernel
 		'login_required' => \App\Http\Middleware\LoginRequired::class,
 		'cache_control' => \App\Http\Middleware\CacheControl::class,
 		'support' => \LycheeVerify\Http\Middleware\VerifySupporterStatus::class,
+		'config_integrity' => \App\Http\Middleware\ConfigIntegrity::class,
 	];
 }
diff --git a/app/Http/Middleware/ConfigIntegrity.php b/app/Http/Middleware/ConfigIntegrity.php
new file mode 100644
index 00000000000..d2dc312f39a
--- /dev/null
+++ b/app/Http/Middleware/ConfigIntegrity.php
@@ -0,0 +1,47 @@
+<?php
+
+// app/Http/Middleware/CacheControlMiddleware.php
+
+namespace App\Http\Middleware;
+
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+
+/**
+ * Small update of the database to avoid sneaky people setting all the levels to 0 and thus skipping some checks...
+ */
+class ConfigIntegrity
+{
+	private const SE_FIELDS = [
+		'default_user_quota',
+		'timeline_photos_granularity',
+		'timeline_albums_granularity',
+		'timeline_left_border_enabled',
+		'timeline_photo_date_format_year',
+		'timeline_photo_date_format_month',
+		'timeline_photo_date_format_day',
+		'timeline_photo_date_format_hour',
+		'timeline_album_date_format_year',
+		'timeline_album_date_format_month',
+		'timeline_album_date_format_day',
+	];
+
+	/**
+	 * Handle an incoming request.
+	 *
+	 * @param \Illuminate\Http\Request                                                                          $request
+	 * @param \Closure(\Illuminate\Http\Request): (\Illuminate\Http\Response|\Illuminate\Http\RedirectResponse) $next
+	 *
+	 * @return \Illuminate\Http\Response|\Illuminate\Http\RedirectResponse
+	 */
+	public function handle(Request $request, \Closure $next)
+	{
+		try {
+			DB::table('configs')->whereIn('key', self::SE_FIELDS)->update(['level' => 1]);
+		} catch (\Exception $e) {
+			// Do nothing: we are not installed yet, so we fail silently.
+		}
+
+		return $next($request);
+	}
+}
\ No newline at end of file
diff --git a/routes/api_v1.php b/routes/api_v1.php
index c48f1e63b24..03c522fa8dc 100644
--- a/routes/api_v1.php
+++ b/routes/api_v1.php
@@ -174,7 +174,7 @@
 Route::post('/Settings::setCSS', [AdministrationSettingsController::class, 'setCSS']);
 Route::post('/Settings::setJS', [AdministrationSettingsController::class, 'setJS']);
 Route::post('/Settings::getAll', [AdministrationSettingsController::class, 'getAll']);
-Route::post('/Settings::saveAll', [AdministrationSettingsController::class, 'saveAll']);
+Route::post('/Settings::saveAll', [AdministrationSettingsController::class, 'saveAll'])->middleware(['config_integrity']);
 Route::post('/Settings::setAlbumDecoration', [AdministrationSettingsController::class, 'setAlbumDecoration']);
 Route::post('/Settings::setOverlayType', [AdministrationSettingsController::class, 'setImageOverlayType']);
 Route::post('/Settings::setNSFWVisible', [AdministrationSettingsController::class, 'setNSFWVisible']);
diff --git a/routes/api_v2.php b/routes/api_v2.php
index fb1ad1917af..0dfd606b1cf 100644
--- a/routes/api_v2.php
+++ b/routes/api_v2.php
@@ -186,7 +186,7 @@
  * SETTINGS.
  */
 Route::get('/Settings', [Admin\SettingsController::class, 'getAll']);
-Route::post('/Settings::setConfigs', [Admin\SettingsController::class, 'setConfigs']);
+Route::post('/Settings::setConfigs', [Admin\SettingsController::class, 'setConfigs'])->middleware(['config_integrity']);
 Route::get('/Settings::getLanguages', [Admin\SettingsController::class, 'getLanguages']);
 Route::post('/Settings::setCSS', [Admin\SettingsController::class, 'setCSS']);
 Route::post('/Settings::setJS', [Admin\SettingsController::class, 'setJS']);