From 34ffb96ae3b919e9e5deeb00be655adedadaf723 Mon Sep 17 00:00:00 2001
From: Bernd Bestel
Date: Fri, 2 Jul 2021 20:29:53 +0200
Subject: [PATCH] Enforce file groups
---
 controllers/FilesApiController.php | 24 +++++++++++++++++++++---
 grocy.openapi.json | 16 +++++++++++++---
 2 files changed, 34 insertions(+), 6 deletions(-)
diff --git a/controllers/FilesApiController.php b/controllers/FilesApiController.php
index c9aec10b..866bb70f 100644
--- a/controllers/FilesApiController.php
+++ b/controllers/FilesApiController.php
@@ -11,6 +11,11 @@ class FilesApiController extends BaseApiController
 {
 try
 {
+ if(!in_array($args['group'], $this->getOpenApiSpec()->components->internalSchemas->FileGroups->enum))
+ {
+ throw new \Exception('Invalid file group');
+ }
+
 if (IsValidFileName(base64_decode($args['fileName'])))
 {
 $fileName = base64_decode($args['fileName']);
@@ -39,8 +44,12 @@ class FilesApiController extends BaseApiController
 {
 try
 {
- $fileName = $this->checkFileName($args['fileName']);
+ if(!in_array($args['group'], $this->getOpenApiSpec()->components->internalSchemas->FileGroups->enum))
+ {
+ throw new \Exception('Invalid file group');
+ }
+ $fileName = $this->checkFileName($args['fileName']);
 $filePath = $this->getFilePath($args['group'], $fileName, $request->getQueryParams());
 if (file_exists($filePath))
@@ -65,9 +74,13 @@ class FilesApiController extends BaseApiController
 {
 try
 {
+ if(!in_array($args['group'], $this->getOpenApiSpec()->components->internalSchemas->FileGroups->enum))
+ {
+ throw new \Exception('Invalid file group');
+ }
+
 $fileInfo = explode('_', $args['fileName']);
 $fileName = $this->checkFileName($fileInfo[1]);
-
 $filePath = $this->getFilePath($args['group'], base64_decode($fileInfo[0]), $request->getQueryParams());
 if (file_exists($filePath))
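Review bot: The allow-list guard added at the top of the try block is pasted verbatim into four handlers (this hunk, the `@@ -39` and `@@ -65` hunks that follow, and the `@@ -92,9 +105,14 @@` hunk) and calls `in_array` without the strict flag, so the check can drift between handlers and a later file endpoint can simply omit it. The controller already centralises filename validation in `checkFileName`, and the same shape fits here: a private `checkFileGroup(string $group): string` that throws `Invalid file group`, with each handler reduced to `$this->checkFileGroup($args['group']);`. Strict comparison changes nothing for the current enum values but states that only an exact string from the spec is accepted. The enclosing methods start before each hunk, so the helper would sit beside `checkFileName`, outside the visible lines.
```php
			// in each of the four handlers, replacing the pasted if/throw block:
			$this->checkFileGroup($args['group']);

	/**
	 * Throws unless $group is one of the FileGroups enum values of the OpenAPI spec.
	 * Returns the validated group so it can be used inline like checkFileName().
	 */
	private function checkFileGroup(string $group): string
	{
		if (!in_array($group, $this->getOpenApiSpec()->components->internalSchemas->FileGroups->enum, true))
		{
			throw new \Exception('Invalid file group');
		}

		return $group;
	}
```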
@@ -92,9 +105,14 @@ class FilesApiController extends BaseApiController
 {
 try
 {
- $fileName = $this->checkFileName($args['fileName']);
+ if(!in_array($args['group'], $this->getOpenApiSpec()->components->internalSchemas->FileGroups->enum))
+ {
+ throw new \Exception('Invalid file group');
+ }
+ $fileName = $this->checkFileName($args['fileName']);
 $data = $request->getBody()->getContents();
+
 file_put_contents($this->getFilesService()->GetFilePath($args['group'], $fileName), $data);
 return $this->EmptyApiResponse($response);
diff --git a/grocy.openapi.json b/grocy.openapi.json
index da36158e..255ec003 100644
--- a/grocy.openapi.json
+++ b/grocy.openapi.json
@@ -734,7 +734,7 @@
 "required": true,
 "description": "The file group",
 "schema": {
- "type": "string"
+ "$ref": "#/components/internalSchemas/FileGroups"
 }
 },
 {
@@ -814,7 +814,7 @@
 "required": true,
 "description": "The file group",
 "schema": {
- "type": "string"
+ "$ref": "#/components/internalSchemas/FileGroups"
 }
 },
 {
@@ -865,7 +865,7 @@
 "required": true,
 "description": "The file group",
 "schema": {
- "type": "string"
+ "$ref": "#/components/internalSchemas/FileGroups"
 }
 },
 {
@@ -4184,6 +4184,16 @@
 "product-opened"
 ]
 },
+ "FileGroups": {
+ "type": "string",
+ "enum": [
+ "equipmentmanuals",
+ "recipepictures",
+ "productpictures",
+ "userfiles",
+ "userpictures"
+ ]
+ },
 "StringEnumTemplate": {
 "type": "string",
 "enum": []
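Review bot: The parameter schema now references `#/components/internalSchemas/FileGroups` (this hunk and the `@@ -814` and `@@ -865` hunks), but `internalSchemas` is not a member of the OpenAPI 3 Components Object, so generic validators and client generators will not resolve the `$ref` even though the controller reads it fine through `getOpenApiSpec()`. If the published spec is meant to stay valid for external tooling, define the enum under `components/schemas` and adjust the PHP lookup path, or keep `"type": "string"` on the parameter with the `enum` inlined; if other parameters already reference `internalSchemas` this may be an accepted project convention. The enum added in the `@@ -4184` hunk is the runtime allow-list for every file endpoint, so it must match whatever set of groups the files service maps to directories; that mapping is not visible here, and a short note next to the enum saying `"description": "Must match the groups handled by FilesService"` would make the coupling explicit.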