Fix bug allowing you to delete your own site directory

app/api.rb

@@ -48,6 +48,10 @@ post '/api/delete' do
       api_error 400, 'bad_filename', "#{path} is not a valid filename, canceled deleting"
     end
 
+    if current_site.files_path(path) == current_site.files_path
+      api_error 400, 'cannot_delete_site_directory', 'cannot delete the root directory of the site'
+    end
+
     if !current_site.file_exists?(path)
       api_error 400, 'missing_files', "#{path} was not found on your site, canceled deleting"
     end

models/site.rb

@@ -637,6 +637,7 @@ class Site < Sequel::Model
   end
 
   def delete_file(path)
+    return false if files_path(path) == files_path
     begin
       FileUtils.rm files_path(path)
     rescue Errno::EISDIR

tests/api_tests.rb

@@ -107,6 +107,27 @@ describe 'api delete' do
     res[:error_type].must_equal 'missing_files'
   end
 
+  it 'fails to delete site directory' do
+    create_site
+    basic_authorize @user, @pass
+    post '/api/delete', filenames: ['/']
+    res[:error_type].must_equal 'cannot_delete_site_directory'
+    File.exist?(@site.files_path).must_equal true
+  end
+
+  it 'fails to delete other directories' do
+    create_site
+    @other_site = @site
+    create_site
+    basic_authorize @user, @pass
+    post '/api/delete', filenames: ["../#{@other_site.username}"]
+    File.exist?(@other_site.base_files_path).must_equal true
+    res[:error_type].must_equal 'missing_files'
+    post '/api/delete', filenames: ["../#{@other_site.username}/index.html"]
+    File.exist?(@other_site.base_files_path+'/index.html').must_equal true
+    res[:error_type].must_equal 'missing_files'
+  end
+
   it 'succeeds with valid filenames' do
     create_site
     basic_authorize @user, @pass