restrict filesystem endpoint to administrators

komga/src/main/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemController.kt

@@ -3,6 +3,7 @@ package org.gotson.komga.interfaces.web.rest
 import com.fasterxml.jackson.annotation.JsonInclude
 import org.springframework.http.HttpStatus
 import org.springframework.http.MediaType
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.RequestParam
@@ -15,6 +16,7 @@ import kotlin.streams.asSequence
 
 @RestController
 @RequestMapping("api/v1/filesystem", produces = [MediaType.APPLICATION_JSON_VALUE])
+@PreAuthorize("hasRole('ROLE_ADMIN')")
 class FileSystemController {
 
   private val fs = FileSystems.getDefault()

komga/src/test/kotlin/org/gotson/komga/interfaces/web/rest/FileSystemControllerTest.kt

@@ -28,7 +28,14 @@ class FileSystemControllerTest(
   }
 
   @Test
-  @WithMockUser(roles = ["USER"])
+  @WithMockUser
+  fun `given regular user when getDirectoryListing then return forbidden`() {
+    mockMvc.get(route)
+        .andExpect { status { isForbidden } }
+  }
+
+  @Test
+  @WithMockUser(roles = ["USER", "ADMIN"])
   fun `given relative path param when getDirectoryListing then return bad request`() {
     mockMvc.get(route) {
       param("path", ".")
@@ -36,7 +43,7 @@ class FileSystemControllerTest(
   }
 
   @Test
-  @WithMockUser(roles = ["USER"])
+  @WithMockUser(roles = ["USER", "ADMIN"])
   fun `given non-existent path param when getDirectoryListing then return bad request`() {
     val parent = Files.createTempDirectory(null)
     Files.delete(parent)