From 9c384e7869a971be8b714dfb70b42deb40b26ab4 Mon Sep 17 00:00:00 2001
From: Gauthier Roebroeck
Date: Mon, 23 Dec 2019 11:41:12 +0800
Subject: [PATCH] restrict filesystem endpoint to administrators

---
 .../komga/interfaces/web/rest/FileSystemController.kt | 2 ++
 .../interfaces/web/rest/FileSystemControllerTest.kt | 11 +++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/komga/src/main/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemController.kt b/komga/src/main/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemController.kt
index 27e38ce70..42db710b1 100644
--- a/komga/src/main/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemController.kt
+++ b/komga/src/main/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemController.kt
@@ -3,6 +3,7 @@ package org.gotson.komga.interfaces.web.rest
 import com.fasterxml.jackson.annotation.JsonInclude
 import org.springframework.http.HttpStatus
 import org.springframework.http.MediaType
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RequestParam
@@ -15,6 +16,7 @@ import kotlin.streams.asSequence
 
 @RestController
 @RequestMapping("api/v1/filesystem", produces = [MediaType.APPLICATION_JSON_VALUE])
+@PreAuthorize("hasRole('ROLE_ADMIN')")
 class FileSystemController {
 
 private val fs = FileSystems.getDefault()
diff --git a/komga/src/test/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemControllerTest.kt b/komga/src/test/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemControllerTest.kt
index 111a82d05..bbc9f2cd3 100644
--- a/komga/src/test/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemControllerTest.kt
+++ b/komga/src/test/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemControllerTest.kt
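Review bot: The class-level `@PreAuthorize("hasRole('ROLE_ADMIN')")` on FileSystemController only takes effect if method security is enabled (`prePostEnabled = true`) and Spring can proxy the class, which for a Kotlin class normally means the kotlin-spring all-open plugin — neither the security configuration nor the build is in this diff, so the new 403 test in FileSystemControllerTest is what actually proves the annotation is enforced rather than silently ignored. Passing `'ROLE_ADMIN'` to `hasRole` works because Spring does not re-prefix a role that already starts with `ROLE_`, but the conventional spelling is `@PreAuthorize("hasRole('ADMIN')")`, which also avoids confusion with `hasAuthority`. Since the tests show this endpoint returning a directory listing for a caller-supplied `path`, a second layer in the HttpSecurity matchers such as `.antMatchers("/api/v1/filesystem/**").hasRole("ADMIN")` would keep the restriction in place even if a future handler is mapped outside this class or method security is turned off. The body of FileSystemController continues past the hunk.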
@@ -28,7 +28,14 @@ class FileSystemControllerTest(
 }
 
 @Test
-@WithMockUser(roles = ["USER"])
+@WithMockUser
+fun `given regular user when getDirectoryListing then return forbidden`() {
+mockMvc.get(route)
+.andExpect { status { isForbidden } }
+}
+
+@Test
+@WithMockUser(roles = ["USER", "ADMIN"])
 fun `given relative path param when getDirectoryListing then return bad request`() {
 mockMvc.get(route) {
 param("path", ".")
@@ -36,7 +43,7 @@ class FileSystemControllerTest(
 }
 
 @Test
-@WithMockUser(roles = ["USER"])
+@WithMockUser(roles = ["USER", "ADMIN"])
 fun `given non-existent path param when getDirectoryListing then return bad request`() {
 val parent = Files.createTempDirectory(null)
 Files.delete(parent)
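Review bot: The new forbidden test uses bare `@WithMockUser`, which relies on the annotation's default role of USER; spelling it `@WithMockUser(roles = ["USER"])`, as the replaced line did, makes "regular user" explicit and keeps the test meaningful if that default is ever changed. It is good that this request sends no `path` parameter, so a 403 cannot be mistaken for the 400 the validation tests below expect — worth a one-line comment such as `// no path param: a 403 here must come from authorization, not validation`. There is no case for an unauthenticated caller; if the global security config (not in this diff) is meant to reject anonymous access to this endpoint, a `@WithAnonymousUser` test expecting `isUnauthorized` would pin that down. The enclosing class FileSystemControllerTest starts before the hunk.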