Correctly validation API calls to mark a backup as completed

Also block modifying a backup that is already marked as completed via the endpoint

Author: DaneEveritt

app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php

@@ -7,6 +7,8 @@
 use Illuminate\Http\JsonResponse;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Repositories\Eloquent\BackupRepository;
+use Pterodactyl\Exceptions\Http\HttpForbiddenException;
+use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Pterodactyl\Http\Requests\Api\Remote\ReportBackupCompleteRequest;
 
 class BackupStatusController extends Controller
@@ -32,10 +34,21 @@ public function __construct(BackupRepository $repository)
      * @param \Pterodactyl\Http\Requests\Api\Remote\ReportBackupCompleteRequest $request
      * @param string $backup
      * @return \Illuminate\Http\JsonResponse
+     *
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
     public function __invoke(ReportBackupCompleteRequest $request, string $backup)
     {
-        $this->repository->updateWhere([['uuid', '=', $backup]], [
+        /** @var \Pterodactyl\Models\Backup $model */
+        $model = $this->repository->findFirstWhere([[ 'uuid', '=', $backup ]]);
+
+        if (!is_null($model->completed_at)) {
+            throw new BadRequestHttpException(
+                'Cannot update the status of a backup that is already marked as completed.'
+            );
+        }
+
+        $model->update([
             'is_successful' => $request->input('successful') ? true : false,
             'checksum' => $request->input('checksum_type') . ':' . $request->input('checksum'),
             'bytes' => $request->input('size'),

app/Http/Requests/Api/Remote/ReportBackupCompleteRequest.php

@@ -12,9 +12,9 @@ class ReportBackupCompleteRequest extends FormRequest
     public function rules()
     {
         return [
-            'successful' => 'boolean',
+            'successful' => 'present|boolean',
             'checksum' => 'nullable|string|required_if:successful,true',
-            'checksum_type' => 'string|required_if:successful,true',
+            'checksum_type' => 'nullable|string|required_if:successful,true',
             'size' => 'nullable|numeric|required_if:successful,true',
         ];
     }