fix(api/client): add validation for backup request body (pterodactyl#4704)

devnote-dev · web-flow · commit b746c3ead1fc · 2023-02-23T12:23:12.000-07:00
diff --git a/app/Http/Controllers/Api/Client/Servers/BackupController.php b/app/Http/Controllers/Api/Client/Servers/BackupController.php
@@ -18,6 +18,7 @@
 use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Pterodactyl\Http\Requests\Api\Client\Servers\Backups\StoreBackupRequest;
+use Pterodactyl\Http\Requests\Api\Client\Servers\Backups\RestoreBackupRequest;
 
 class BackupController extends ClientApiController
 {
@@ -188,12 +189,8 @@ public function download(Request $request, Server $server, Backup $backup): Json
      *
      * @throws \Throwable
      */
-    public function restore(Request $request, Server $server, Backup $backup): JsonResponse
+    public function restore(RestoreBackupRequest $request, Server $server, Backup $backup): JsonResponse
     {
-        if (!$request->user()->can(Permission::ACTION_BACKUP_RESTORE, $server)) {
-            throw new AuthorizationException();
-        }
-
         // Cannot restore a backup unless a server is fully installed and not currently
         // processing a different backup restoration request.
         if (!is_null($server->status)) {
diff --git a/app/Http/Requests/Api/Client/Servers/Backups/RestoreBackupRequest.php b/app/Http/Requests/Api/Client/Servers/Backups/RestoreBackupRequest.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\Api\Client\Servers\Backups;
+
+use Pterodactyl\Models\Permission;
+use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
+
+class RestoreBackupRequest extends ClientApiRequest
+{
+    public function permission(): string
+    {
+        return Permission::ACTION_BACKUP_RESTORE;
+    }
+
+    public function rules(): array
+    {
+        return ['truncate' => 'required|boolean'];
+    }
+}
